Silberman-Butler RAIDE内部设计文档.pptVIP

RAIDE: Rootkit Analysis Identification Elimination Who Are We? Peter Silberman Undergraduate College Student (*yuck*) Independent Security Research Author of FUTo, (soon to be released PAIMEIdiff) Contributor to http://www.openRCE.org (VISIT THE SITE) Jamie Butler Currently Un-Employed…. ? Software attestation Rootkit detection Author of Rootkits: Subverting the Windows Kernel Co-author of Shadow Walker proof-of-concept memory subversion rootkit Pioneer of Direct Kernel Object Manipulation (DKOM) Agenda What is going to be covered? Quick Review: Define Rootkits Hooks Userland Hooks: Import Address Table (IAT) Export Address Table (EAT) Kernel Hooks: KeServiceDescriptorTable Inline Hooks Entry (Index) Overwrite I/O Request Packet (IRP) Interrupt Descriptor Table Model Specific Registers (MSR) Process Hiding: Old School DKOM (FU) New School FUTo Previous Detection Techniques RAIDE Demo What is a Rootkit? Definition might include a set of programs which patch and Trojan existing execution paths within the system Hooks or Modifies existing execution paths of important operating system functions The key point of a rootkit is stealth our definition includes they must make an attempt to hide some action. Rootkits that do not hide themselves are not then using stealth methods and will be visible to administrative or forensic tools (i.e. DeviceTree from OSR) shows all non-hidden drivers. Userland Hooks IAT hooks Hooking code must run in or alter the address space of the target process If you try to patch a shared DLL such as KERNEL32.DLL or NTDLL.DLL, you will get a private copy of the DLL. Three documented ways to gain execution in the target address space CreateRemoteThread Globally hooking Windows messages Using the Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs EAT Hooks User mode DLL’s and Kernel drivers both export functions Export Address Table is a table of pointers to functions within a module that are callable