Rootkit????????????

About This Presentation

Title:

Rootkit????????????

Description:

Title: Rootkit Author: Woei-Jiunn Tsaur Last modified by: im Created Date: 2/15/2006 5:14:16 AM Document presentation format – PowerPoint PPT presentation

Number of Views:77

Avg rating:3.0/5.0

Slides: 32

Provided by: WoeiJiu

Category:

more less

Transcript and Presenter's Notes

Title: Rootkit????????????

1
Rootkit????????????

??????????
??? ???
2008/03/07

2
??

???????
????
????
???Linux Kernel Mode Rootkit ??
???????
?????????

3
??????? (1/2)

???,????(Malware)?????????????????
????,????,????Rootkit?????????,????????????????,??
????
Rootkit??????????????????????????????????

4
??????? (2/2)

2005? Sony BMG ?????? Rootkit ??,?????????????????
,?????Rootkit???
????Rootkit????? http//www.rootkit.com
Rootkit Detectors ??,?? Detectors ???? ????????
?????Honeynet Project???,?????????, ???????

5
????

???????????????,????Rootkit???????????,???????????
????????Linux Kernel Mode Rootkit???????????????,?
?Rootkit Detectors??????
??????Rootkit???,?????????Detector
,??????????Detector???????,????????????

6
????(1/11)

??????????

7
????(2/11)

Rootkit???
Rootkit??????90???,rootkit????,?? root ? kit
???????
Rootkit??????????????????????,????? root
??????????,????????

8
????(3/11)

Rootkit??
??Windows?Linux??????????????(user
mode)???????(kernel mode)??????

9
????(4/11)

User Mode Rootkit
????Rootkit?????????????????????????

10
????(5/11)

Kernel Mode Rootkit
??????? kernel,?????????Rootkit,????????????,
????????????

11
????(6/11)
Kernel Mode Rootkit???????
12
????(7/11)

Rootkit??
????
???????????Rootkit???????
????
??????????????????/proc?,??sys_getdents()??????
??????
?????????/proc/net/tcp???/proc/net/udp????????,??s
ys_read()??????
???????
???sys_execve?????????Rootkit???????
Inline Function Hooking
Hoglund?Butler?????,???????(Runtime Pathing)??

13
????(8/11)
Inline Function Hooking ??
14
????(9/11)

???Kernel Mode Rootkit
Knark
??????????,??????????????????????fork?write?close
?clone?kill?mkdir?clone?getdents ??????????????
??
??????????TCP?UDP???????????????????????????????
Adore
??Kernel Mode Rootkit?????,???????????????????????
???
?????????root???????

15
????(10/11)

???????
????(Signature based detection)
??Rootkit??? (Chkrootkit)
????(Behavioral detection)
??Rootkit???????,???????(VICE?Patchfinder)
?????(Integrity based detection)
??????????????????? (Tripwire)
?????(Hardware detection)
???????????????PCI???,?Rootkit??????? (Copilot)
??????(Hardware detection)
??Windows common APIs ??????????,???(files)???(pro
cess)???(Registry key),????????????????????????
(Rootkit Revealer)

16
????(11/11)-????????
?? ??
???? ??????????????,?????????? ????????????
???? ????????????? ???????????
????? ????????????,???????????? ??????????
????? ?????CPU,???DMA???????? ????????????
?????? ???????????? ????Windows????
17
???Linux Kernel Mode Rootkit ??(1/2)
Adore????????????
KSTAT??Adore
18
???????Linux Rootkit(2/2)

???????????

???? ????
open 0x000A1F2
unlink 0x00003F16
rmdir 0x00009c57
19
?????????????
20
???Linux Kernel Mode Rootkit?????(1/2)
21
???Linux Kernel Mode Rootkit?????(2/2)
??Rootkit??????
Linux???????????????
22
???????