Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4

1. Проведение криминалистической экспертизы и анализа руткит-программ на примере Win32/Olmarik(TDL4) Александр Матросов Евгений Родионов

4. Этапы установки на x86/x64

5. Буткити обход проверки подписи

6. Отладка буткита наэмуляторе Bochs

7. Хуки в режиме ядра

8. Отладка с использованием WinDbg

9. Файловая система TDL4

11. Evolution of rootkits functionality x86 x64 Dropper Rootkit Rootkit Rootkit bypass HIPS and AV self-defense self-defense privilege escalation Surviving reboot surviving reboot bypass signature check install rootkit driver injecting payload bypass MS PatchGuard injecting payload Kernel mode User mode

13. It is difficult to load unsigned kernel-mode driver

14. Kernel-Mode Patch Protection (Patch Guard):

15. SSDT (System Service Dispatch Table)

16. IDT (Interrupt Descriptor Table)

17. GDT ( Global Descriptor Table)

19. Evolution of TDL rootkits

20. Installation x86/x64

22. Installation stages exploit payload dropper rootkit

23. Dropper layouts

24. Dropped modules

25. Installation x86

26. Installation x64

27. Bootkit and bypassing driver signature check

29. Kernel-Mode Code Signing Policy

31. Boot process of Windows OS

32. Code integrity check

33. Boot Configuration Data (BCD)

34. BCD Example

35. BCD Elements controlling KMCSP (before KB2506014)

37. Switch off kernel-mode code signing checks by altering BCD data:

38. abuse WinPeMode

39. disable signing check

41. Abusing Win PE mode: workflow

44. Bypassing KMCSP: Result Bootmgr fails to verify OS loader’s integrity MS10-015 kill TDL3

45. Debugging bootkit with Bochs

46. Bochs support starting from IDA 5.5

47. DEMO

48. Kernel-mode hooks

49. Stealing Miniport Driver Object Before Infection After Infection

50. Stealing Miniport Device Object

52. IOCTL_ATA_PASS_THROUGH_DIRECT

53. IOCTL_ATA_PASS_THROUGH;

54. IRP_MJ_INTERNAL_DEVICE_CONTROL

55. To protect:

56. Infected MBR;

58. WinDbg and kdcom.dll WinDbg KDCOM.DLL NTOSKRNL KdDebuggerInitialize RETURN_STATUS Data packet KdSendPacket RETURN_CONTROL Data Packet KdReceivePacket KD_RECV_CODE_OK

59. TDL4 and kdcom.dll original call fake call

60. TDL4 and kdcom.dll original export table fake export table

61. DEMO

62. kd> !object evicearddisk0 Object: e1022d10 Type: (8a5e54f0) Directory ObjectHeader: e1022cf8 (old version) HandleCount: 1 PointerCount: 8 Directory Object: e10116f0 Name: Harddisk0 Hash Address Type Name ---- ------- ---- ---- 21 8a5c9ab8 Device DR0 24 8a5c8c68 Device DP(1)0x7e00-0xffea9600+1 33 e101abe8 SymbolicLink Partition0 8a5c88a0 Device DP(2)0x1748a3fc00-0x1bf0797a00+2 34 e1011258 SymbolicLink Partition1 35 e101a078 SymbolicLink Partition2

63. kd> !devobj evicearddisk0R0 Device object (8a5c9ab8) is for: DR0 riverisk DriverObject 8a5cd730 Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000050 Vpb 8a5dafa8 Dacl e101723c DevExt 8a5c9b70 DevObjExt 8a5c9fd0 Dope 8a59ff98 ExtensionFlags (0000000000) AttachedDevice (Upper) 8a5c9890 riverartMgr AttachedTo (Lower) 89fd902889fd9028: is not a device object

64. kd> !devstack8a5c9ab8 !DevObj !DrvObj !DevExtObjectName 8a5c9890 riverartMgr 8a5c9948 > 8a5c9ab8 riverisk 8a5c9b70 DR0 Invalid type for DeviceObject 0x89fd9028

65. kd> dt _DEVICE_OBJECT 0x89fd9028 ntdll!_DEVICE_OBJECT +0x000 Type : 0n0 +0x002 Size : 0xfb8 +0x004 ReferenceCount : 0n0 +0x008 DriverObject : 0x899574f0_DRIVER_OBJECT +0x00c NextDevice : 0x8a5ca028 _DEVICE_OBJECT +0x010 AttachedDevice : 0x8a5c9ab8 _DEVICE_OBJECT +0x014 CurrentIrp : (null) +0x018 Timer : (null) +0x01c Flags : 0x5050 +0x020 Characteristics : 0x100 +0x024 Vpb : (null) +0x028 DeviceExtension : 0x89fd90e0 Void +0x02c DeviceType : 7

66. kd> !drvobj0x899574f0 Driver object (899574f0) is for: 899574f0: is not a driver object

67. TDL hidden file system

69. Encrypted contents (stream cipher: RC4, XOR-ing)

70. Implemented as a hidden volume in the system

72. TDL4 Device Stack

73. TDL4 File System Layout

74. TdlFsReader, how forensic tool

75. TdlFsReader, how forensic tool

76. TdlFsReader architecture TdlFileReader TdlFsRecognizer TdlFsDecryptor User mode Kernel mode TdlSelfDefenceDisabler LowLevelHddReader

77. TdlFsReader architecture TdlFsRecognizer TdlFsDecryptor FsCheckVersion TdlCheckVersion FsStructureParser TdlDecryptor TdlSelfDefenceDisabler TdlUnHooker HddBlockReader

78. DEMO

80. Questions

81. Thank you for your attention ;) AleksandrMatrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius

83. Скачать crackmephd.esetnod32.ru

84. Прислать ключи и краткое описание процесса прохождения на email:phd@esetnod32.ru

85. Получить призы:Amazon Kindle DX Amazon Kindle 3 Wi-Fi ESET Smart Security (3 года)

Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (10)

Ähnlich wie Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4

Ähnlich wie Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4 (20)

Mehr von Positive Hack Days

Mehr von Positive Hack Days (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4

Hinweis der Redaktion