Suche senden
Hochladen
Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4
•
Als PPTX, PDF herunterladen
•
0 gefällt mir
•
1,058 views
Alex Matrosov
Folgen
Technologie
Melden
Teilen
Melden
Teilen
1 von 60
Jetzt herunterladen
Empfohlen
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
GangSeok Lee
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
Rémi Jullian
Code Injection in Windows
Code Injection in Windows
n|u - The Open Security Community
Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27
Michael Ducy
Genode Compositions
Genode Compositions
Vasily Sartakov
Empfohlen
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
GangSeok Lee
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
Rémi Jullian
Code Injection in Windows
Code Injection in Windows
n|u - The Open Security Community
Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27
Michael Ducy
Genode Compositions
Genode Compositions
Vasily Sartakov
Genode Components
Genode Components
Vasily Sartakov
Genode Architecture
Genode Architecture
Vasily Sartakov
Hta w22
Hta w22
SelectedPresentations
Sysdig Open Source Intro
Sysdig Open Source Intro
Michael Ducy
Dmitriy D1g1 Evdokimov - DBI Intro
Dmitriy D1g1 Evdokimov - DBI Intro
DefconRussia
Native code in Android applications
Native code in Android applications
Dmitry Matyukhin
Using the android ndk - DroidCon Paris 2014
Using the android ndk - DroidCon Paris 2014
Paris Android User Group
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
Jaime Blasco
Mem forensic
Mem forensic
Chong-Kuan Chen
Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'
Tetsuyuki Kobayashi
Android ndk
Android ndk
Khiem-Kim Ho Xuan
Android JNI
Android JNI
Siva Ramakrishna kv
Malware analysis using volatility
Malware analysis using volatility
Yashashree Gund
Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)
Xavier Hallade
Technical Report Vawtrak v2
Technical Report Vawtrak v2
Blueliv
Introduction to the Android NDK
Introduction to the Android NDK
BeMyApp
Bind 8 Dns Cache Poisoning
Bind 8 Dns Cache Poisoning
christ1an
Mach-O Internals
Mach-O Internals
Anthony Shoumikhin
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
Moabi.com
Efficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ server
Shuo Chen
Повседневный С++: алгоритмы и итераторы
Повседневный С++: алгоритмы и итераторы
corehard_by
Festi botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov
Weitere ähnliche Inhalte
Was ist angesagt?
Genode Components
Genode Components
Vasily Sartakov
Genode Architecture
Genode Architecture
Vasily Sartakov
Hta w22
Hta w22
SelectedPresentations
Sysdig Open Source Intro
Sysdig Open Source Intro
Michael Ducy
Dmitriy D1g1 Evdokimov - DBI Intro
Dmitriy D1g1 Evdokimov - DBI Intro
DefconRussia
Native code in Android applications
Native code in Android applications
Dmitry Matyukhin
Using the android ndk - DroidCon Paris 2014
Using the android ndk - DroidCon Paris 2014
Paris Android User Group
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
Jaime Blasco
Mem forensic
Mem forensic
Chong-Kuan Chen
Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'
Tetsuyuki Kobayashi
Android ndk
Android ndk
Khiem-Kim Ho Xuan
Android JNI
Android JNI
Siva Ramakrishna kv
Malware analysis using volatility
Malware analysis using volatility
Yashashree Gund
Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)
Xavier Hallade
Technical Report Vawtrak v2
Technical Report Vawtrak v2
Blueliv
Introduction to the Android NDK
Introduction to the Android NDK
BeMyApp
Bind 8 Dns Cache Poisoning
Bind 8 Dns Cache Poisoning
christ1an
Mach-O Internals
Mach-O Internals
Anthony Shoumikhin
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
Moabi.com
Efficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ server
Shuo Chen
Was ist angesagt?
(20)
Genode Components
Genode Components
Genode Architecture
Genode Architecture
Hta w22
Hta w22
Sysdig Open Source Intro
Sysdig Open Source Intro
Dmitriy D1g1 Evdokimov - DBI Intro
Dmitriy D1g1 Evdokimov - DBI Intro
Native code in Android applications
Native code in Android applications
Using the android ndk - DroidCon Paris 2014
Using the android ndk - DroidCon Paris 2014
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
Mem forensic
Mem forensic
Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'
Android ndk
Android ndk
Android JNI
Android JNI
Malware analysis using volatility
Malware analysis using volatility
Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)
Technical Report Vawtrak v2
Technical Report Vawtrak v2
Introduction to the Android NDK
Introduction to the Android NDK
Bind 8 Dns Cache Poisoning
Bind 8 Dns Cache Poisoning
Mach-O Internals
Mach-O Internals
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
Efficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ server
Andere mochten auch
Повседневный С++: алгоритмы и итераторы
Повседневный С++: алгоритмы и итераторы
corehard_by
Festi botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Alex Matrosov
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
Alex Matrosov
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
Alex Matrosov
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
42054960
42054960
andres castillo
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
Alex Matrosov
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Alex Matrosov
Bootkits: past, present & future
Bootkits: past, present & future
Alex Matrosov
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Alex Matrosov
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
Alex Matrosov
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
Aleksey Lukatskiy
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
CODE BLUE
Andere mochten auch
(19)
Повседневный С++: алгоритмы и итераторы
Повседневный С++: алгоритмы и итераторы
Festi botnet analysis and investigation
Festi botnet analysis and investigation
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
42054960
42054960
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Bootkits: past, present & future
Bootkits: past, present & future
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
Ähnlich wie Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4
Stability issues of user space
Stability issues of user space
晓东 杜
Reverse eningeering
Reverse eningeering
Kent Huang
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Tzung-Bi Shih
A New Framework for Detection
A New Framework for Detection
Sourcefire VRT
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
GangSeok Lee
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
BPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
JS Fest 2018. Володимир Шиманський. Запуск двіжка JS на мікроконтролері
JS Fest 2018. Володимир Шиманський. Запуск двіжка JS на мікроконтролері
JSFestUA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Alexandre Borges
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
Satpal Parmar
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Jagadisha Maiya
Windows内核技术介绍
Windows内核技术介绍
jeffz
Android Development Tools
Android Development Tools
Dominik Helleberg
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel Awareness
Linaro
LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness
Peter Griffin
Linux boot-time
Linux boot-time
Andrea Righi
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
Priyanka Aash
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
Felipe Prado
Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory Analysis
Dmitry Vostokov
Dx diag
Dx diag
Mukilan Thirunavukkarasu
Ähnlich wie Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4
(20)
Stability issues of user space
Stability issues of user space
Reverse eningeering
Reverse eningeering
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
A New Framework for Detection
A New Framework for Detection
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
BPF: Tracing and more
BPF: Tracing and more
JS Fest 2018. Володимир Шиманський. Запуск двіжка JS на мікроконтролері
JS Fest 2018. Володимир Шиманський. Запуск двіжка JS на мікроконтролері
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Windows内核技术介绍
Windows内核技术介绍
Android Development Tools
Android Development Tools
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness
Linux boot-time
Linux boot-time
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory Analysis
Dx diag
Dx diag
Kürzlich hochgeladen
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
LoriGlavin3
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
LoriGlavin3
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
Hiroshi SHIBATA
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
LoriGlavin3
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
Rick Flair
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
HarshalMandlekar2
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
2toLead Limited
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Sanjay Willie
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
Stephanie Beckett
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
panagenda
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
Curtis Poe
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
LoriGlavin3
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
LoriGlavin3
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
Nathaniel Shimoni
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Scott Andery
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
Manik S Magar
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
IES VE
2024 April Patch Tuesday
2024 April Patch Tuesday
Ivanti
Kürzlich hochgeladen
(20)
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
2024 April Patch Tuesday
2024 April Patch Tuesday
Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4
1.
Проведение криминалистической экспертизы
и анализа руткит-программ на примере Win32/Olmarik(TDL4) Александр Матросов Евгений Родионов
2.
3.
4.
Этапы установки на
x86/x64
5.
Буткити обход проверки
подписи
6.
Отладка буткита наэмуляторе
Bochs
7.
Хуки в режиме
ядра
8.
Отладка с
использованием WinDbg
9.
Файловая система TDL4
10.
11.
Evolution of
rootkits functionality x86 x64 Dropper Rootkit Rootkit Rootkit bypass HIPS and AV self-defense self-defense privilege escalation Surviving reboot surviving reboot bypass signature check install rootkit driver injecting payload bypass MS PatchGuard injecting payload Kernel mode User mode
12.
13.
It is difficult
to load unsigned kernel-mode driver
14.
Kernel-Mode Patch Protection
(Patch Guard):
15.
SSDT (System
Service Dispatch Table)
16.
IDT (Interrupt
Descriptor Table)
17.
GDT (
Global Descriptor Table)
18.
19.
Evolution of
TDL rootkits
20.
Installation x86/x64
21.
22.
Installation stages exploit
payload dropper rootkit
23.
Dropper layouts
24.
Dropped modules
25.
Installation x86
26.
Installation x64
27.
Bootkit and bypassing
driver signature check
28.
29.
Kernel-Mode Code
Signing Policy
30.
31.
Boot process of
Windows OS
32.
Code integrity check
33.
Boot Configuration Data
(BCD)
34.
BCD Example
35.
BCD Elements controlling
KMCSP (before KB2506014)
36.
37.
Switch off
kernel-mode code signing checks by altering BCD data:
38.
abuse WinPeMode
39.
disable signing
check
40.
41.
Abusing Win PE
mode: workflow
42.
43.
44.
Bypassing KMCSP: Result
Bootmgr fails to verify OS loader’s integrity MS10-015 kill TDL3
45.
Debugging bootkit with
Bochs
46.
Bochs support starting
from IDA 5.5
47.
DEMO
48.
Kernel-mode hooks
49.
Stealing Miniport Driver
Object Before Infection After Infection
50.
Stealing Miniport Device
Object
51.
52.
IOCTL_ATA_PASS_THROUGH_DIRECT
53.
IOCTL_ATA_PASS_THROUGH;
54.
IRP_MJ_INTERNAL_DEVICE_CONTROL
55.
To protect:
56.
Infected MBR;
57.
58.
WinDbg and kdcom.dll
WinDbg KDCOM.DLL NTOSKRNL KdDebuggerInitialize RETURN_STATUS Data packet KdSendPacket RETURN_CONTROL Data Packet KdReceivePacket KD_RECV_CODE_OK
59.
TDL4 and kdcom.dll
original call fake call
60.
TDL4 and kdcom.dll
original export table fake export table
61.
DEMO
62.
kd> !object evicearddisk0
Object: e1022d10 Type: (8a5e54f0) Directory ObjectHeader: e1022cf8 (old version) HandleCount: 1 PointerCount: 8 Directory Object: e10116f0 Name: Harddisk0 Hash Address Type Name ---- ------- ---- ---- 21 8a5c9ab8 Device DR0 24 8a5c8c68 Device DP(1)0x7e00-0xffea9600+1 33 e101abe8 SymbolicLink Partition0 8a5c88a0 Device DP(2)0x1748a3fc00-0x1bf0797a00+2 34 e1011258 SymbolicLink Partition1 35 e101a078 SymbolicLink Partition2
63.
kd> !devobj evicearddisk0R0
Device object (8a5c9ab8) is for: DR0 riverisk DriverObject 8a5cd730 Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000050 Vpb 8a5dafa8 Dacl e101723c DevExt 8a5c9b70 DevObjExt 8a5c9fd0 Dope 8a59ff98 ExtensionFlags (0000000000) AttachedDevice (Upper) 8a5c9890 riverartMgr AttachedTo (Lower) 89fd902889fd9028: is not a device object
64.
kd> !devstack8a5c9ab8
!DevObj !DrvObj !DevExtObjectName 8a5c9890 riverartMgr 8a5c9948 > 8a5c9ab8 riverisk 8a5c9b70 DR0 Invalid type for DeviceObject 0x89fd9028
65.
kd> dt _DEVICE_OBJECT
0x89fd9028 ntdll!_DEVICE_OBJECT +0x000 Type : 0n0 +0x002 Size : 0xfb8 +0x004 ReferenceCount : 0n0 +0x008 DriverObject : 0x899574f0_DRIVER_OBJECT +0x00c NextDevice : 0x8a5ca028 _DEVICE_OBJECT +0x010 AttachedDevice : 0x8a5c9ab8 _DEVICE_OBJECT +0x014 CurrentIrp : (null) +0x018 Timer : (null) +0x01c Flags : 0x5050 +0x020 Characteristics : 0x100 +0x024 Vpb : (null) +0x028 DeviceExtension : 0x89fd90e0 Void +0x02c DeviceType : 7
66.
kd> !drvobj0x899574f0
Driver object (899574f0) is for: 899574f0: is not a driver object
67.
TDL hidden file
system
68.
69.
Encrypted contents
(stream cipher: RC4, XOR-ing)
70.
Implemented as
a hidden volume in the system
71.
72.
TDL4 Device Stack
73.
TDL4 File System
Layout
74.
TdlFsReader, how forensic
tool
75.
TdlFsReader, how forensic
tool
76.
TdlFsReader architecture TdlFileReader
TdlFsRecognizer TdlFsDecryptor User mode Kernel mode TdlSelfDefenceDisabler LowLevelHddReader
77.
TdlFsReader architecture TdlFsRecognizer
TdlFsDecryptor FsCheckVersion TdlCheckVersion FsStructureParser TdlDecryptor TdlSelfDefenceDisabler TdlUnHooker HddBlockReader
78.
DEMO
79.
80.
Questions
81.
Thank you for
your attention ;) AleksandrMatrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius
82.
83.
Скачать crackmephd.esetnod32.ru
84.
Прислать ключи и
краткое описание процесса прохождения на email:phd@esetnod32.ru
85.
Получить призы:Amazon Kindle
DX Amazon Kindle 3 Wi-Fi ESET Smart Security (3 года)
Hinweis der Redaktion
Stores boot loader parametersWas introduced for the first time in Windows Vista as a replacement of boot.ini file to conform with UEFI specificationHas the same physical layout as registry hive
Jetzt herunterladen