Hidden Processes: The Implication for Intrusion Detection.ppt

  • About 12,100 characters
  • About 63 pages
  • Published 2017-03-07 in Shanghai


VICE – Catch the hookers! (Plus new rootkit techniques)
Jamie Butler
Greg Hoglund

Agenda
  • Introduction to Rootkits
  • Where to Hook
  • VICE detection
  • Direct Kernel Object Manipulation (DKOM)
      • No hooking required!
  • Demonstration of FU rootkit

Operating System Design
  • User Land
      • Operating system provides common API for developers to use
          • Kernel32.dll
          • Ntdll.dll
  • Kernel Mode
      • The low level kernel functions that implement the services needed in user land
      • Protected memory containing objects such as those for processes, tokens, ports, etc.

Attack Scenario
  • Attacker gains elevated access to computer system
  • Attacker
