ROOTKITs
by somma (fixbrain@gmail.com)
2008-05-16
Contents
Classification of ROOTKITs
Type II ROOTKITs
Type III ROOTKITs
Next Generation ROOTKITs
Classification of ROOTKITs
1st Generation (Type I)
Does not modify the OS / process / etc…
-> replaces or modifies system files on disk
-> UNIX login backdoor (binary modification)
2nd Generation (Type II)
Modifies what was designed not to be modified
-> process code, modules, OS code, kernel modules, etc…
-> NTRootkit (pioneer of Windows kernel-based rootkits), NTIllusion, etc…
3rd Generation (Type III)
Modifies what was designed to be modified
-> data sections, heap, stack, etc…
-> FU (pioneer of DKOM - Direct Kernel Object Manipulation)
The NEXT Generation
virtualization?
Type II ROOTKITs
NTIllusion
Hacker defender
NTRootkit
- The first Windows NT kernel-based rootkit
Sony Rootkit
Modifies:
code sections (e.g. import table, export table)
user-mode / kernel-mode APIs
kernel-mode undocumented APIs
ISR (Interrupt Service Routine)
MSR (Model Specific Register)
…
Type II ROOTKITs – cont.
API Hooking
Type II ROOTKITs – cont.
SDT Hooking (http://somma.egloos.com/2731001)
Type II ROOTKITs – cont.
IDT Hooking (http://somma.egloos.com/3365054)
Type II ROOTKITs – cont.
DEMO
- API Hooking (Ring 3) (CheatEngine)
- Code Injection (Ring 3) (WinMine.exe hacking)
- SDT hooking (Ring 0) (FxLoader / bkdp.sys)
- IDT hooking (Ring 0) (SDFP – app.exe / template.sys – real machine)
Type III ROOTKITs
FU
- The first rootkit to introduce DKOM (Direct Kernel Object Manipulation)
He4Hook
- Raw IRP hooking on the file system driver
PHIDE2
Layered driver (filter driver)
Modifies:
data sections
IRP handlers
kernel objects that are allocated and managed dynamically
…
Type III ROOTKITs – cont.
Break EPROCESS list
Type III ROOTKITs – cont.
Break DRIVER_OBJECT list
Type III ROOTKITs – cont.
DEMO
- FU rootkit
- jeng_2
SDT hook & DKOM example
Fighting ROOTKITs
Check IAT (Import Address Table)
Check inline hooks
Check System Service Dispatch Table (ntoskrnl.exe)
Check shadow table (win32k.sys)
Check drivers' IRP handlers
Check MSR (MSR_SYSENTER)
…
How?
ECD (Explicit Compromise Detection)
Cross-view-based detection
Use DKOM to find rootkits
- dump PspCidTable
- trace the OS scheduler database, etc…
Virtual Machine Monitor (http://northsecuritylabs.com/products.aspx)
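A toy cross-view check, added here as an editor's example and not code from this deck or from somma's demo tools: it models the two process views the slide names (the EPROCESS-style list and the PspCidTable-style handle table), takes one entry out of the list the way the "Break EPROCESS list" slide describes, and reports the pid that only the table still knows. Every structure, name and pid in it is a constructed simplification, not a real kernel layout.

```c
#include <string.h>

/* Toy model, constructed for this example (not real kernel layouts), of the two
 * process bookkeeping structures the slides name: the EPROCESS linked list that
 * DKOM "breaks" and the PspCidTable handle table that the detection demo dumps. */
#define MAX_PROCS 8
typedef struct proc {
    unsigned pid;
    struct proc *flink, *blink;        /* ActiveProcessLinks-style list entry */
} proc_t;
static proc_t head;                    /* list sentinel, like PsActiveProcessHead */
static proc_t *cid_table[MAX_PROCS];   /* simplified CID table, slot = pid / 4 */
static proc_t pool[MAX_PROCS];
static int nprocs;

static void k_init(void) {
    memset(cid_table, 0, sizeof cid_table); nprocs = 0;
    head.flink = head.blink = &head;
}

/* Process creation registers the object in BOTH views, as the real kernel does. */
static proc_t *k_create(unsigned pid) {
    proc_t *p = &pool[nprocs++];
    p->pid = pid;
    p->flink = &head; p->blink = head.blink;   /* append just before the sentinel */
    p->blink->flink = p; head.blink = p;
    cid_table[pid / 4] = p;                    /* second, independent reference */
    return p;
}

/* What the FU slide calls "Break EPROCESS list": the entry leaves the list while
 * the CID table still references it. That inconsistency is the detection signal. */
static void simulate_dkom_unlink(proc_t *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;           /* self-link keeps the object walkable */
}

/* View 1: the list walk that ordinary process enumeration relies on. */
static int view_list(unsigned *out, int max) {
    int n = 0;
    for (const proc_t *p = head.flink; p != &head && n < max; p = p->flink)
        out[n++] = p->pid;
    return n;
}

/* View 2: the table dump ("dump PspCidTable" on the Fighting ROOTKITs slide). */
static int view_cid_table(unsigned *out, int max) {
    int n = 0;
    for (int i = 0; i < MAX_PROCS && n < max; i++)
        if (cid_table[i]) out[n++] = cid_table[i]->pid;
    return n;
}

/* Cross-view detection: a pid the table knows but the list does not is hidden.
 * Returns how many hidden pids were written to `hidden`. */
static int cross_view_hidden(unsigned *hidden, int max) {
    unsigned lv[MAX_PROCS], tv[MAX_PROCS];
    int ln = view_list(lv, MAX_PROCS), tn = view_cid_table(tv, MAX_PROCS), h = 0;
    for (int i = 0; i < tn; i++) {
        int seen = 0;
        for (int j = 0; j < ln; j++) seen |= (lv[j] == tv[i]);
        if (!seen && h < max) hidden[h++] = tv[i];
    }
    return h;
}

/* Constructed scenario: four processes, pid 12 hidden by DKOM. Hidden pids land
 * in demo_hidden; the return value is how many were found. */
static unsigned demo_hidden[MAX_PROCS];
static int demo_hidden_count(void) {
    k_init();
    k_create(4); k_create(8);
    proc_t *fu = k_create(12);
    k_create(16);
    simulate_dkom_unlink(fu);
    return cross_view_hidden(demo_hidden, MAX_PROCS);
}
```

The same comparison generalizes to any pair of views the slide lists (scheduler thread lists, handle tables, driver object lists): the hidden object is whatever one view still references and the other no longer walks.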
Fighting ROOTKITs – cont.
DEMO
- API Hook detection and API Hook removal
hook_shield
PlgnPETest.dll
- Finding a process hidden by FU's DKOM technique
dump PspCidTable
Next Generation ROOTKITs
DEMO
- Hypervisor based rootkit
Q & A
