安全协议与标准讲义.ppt

Sony, Gone Too Far “Sony, Rootkits and Digital Rights Management Gone Too Far” Mark Russinovich Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from thre June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application: … RegMon This monitoring tool lets you see all Registry activity in real-time. TCPView Active socket command-line viewer. netstat.exe PsFile See what files are opened remotely. Process Monitor Monitor file system, Registry, process, thread and DLL activity in real-time. Process Explorer Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process. ListDLLs List all the DLLs that are currently loaded, including where they are loaded and their version numbers. Version 2.0 prints the full path names of loaded modules. PsList Show information about processes and threads. tasklist / taskkill Autoruns See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings. Handle This handy command-line utility will show you what files are open by which processes, and much more. RootkitRevealer Scan your system for rootkit-based malware EFSDump View information for encrypted files. SDelete Securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure