If you have detected a driver or a DLL loading, how do you know it is malware? Your detection software would need a signature for comparison, which assumes a known attack vector.

In the past, software such as Tripwire [1] looked for an image on the file system. This approach is still used by most anti-virus vendors, and it can be applied to rootkit detection.

Obviously, this will not work if the rootkit runs only from memory or is located on a piece of hardware. In addition, if anti-rootkit programs are run on a live system that has already been infected, they may be defeated. A rootkit that is hiding files by hooking system calls or by using a layered file filter driver will subvert this mode of detection. In the following sections, we will cover some of the methods used to find a rootkit in memory or to detect proof of the rootkit's presence.

This is a guarding-the-doors approach: detecting what comes into the computer (processes, device drivers, and so forth). A rootkit can use many different operating-system functions to load itself into memory. By watching these ingress points, detection software can sometimes spot the rootkit. However, there are many such points to watch; if the detection software misses any of the loading methods, all bets are off.

IPD (Pedestal Software's Integrity Protection Driver) began by hooking kernel functions in the SSDT such as NtLoadDriver and NtOpenSection. One of your authors, Hoglund, found that one could load a module into kernel memory by calling ZwSetSystemInformation, which IPD was not filtering. After IPD was fixed to take this fact into account, in 2002 Crazylord published a paper that detailed using a symbolic link to \Device\PhysicalMemory to bypass IPD's protection. IPD had to continually evolve to guard against the latest ways to bypass the protection software.

Yet another way to load a rootkit is to look for entry points into another process's address space. All the ways listed in Chapter 4, The Age-Old Art of Hooking, for loading a DLL into another process must also be watched. And all of this does not even cover every loading method discussed in this book. Load-detection techniques are belabored by the need to decide both what to guard and when to signal.

An obvious detection point would be to hook ZwOpenKey, ZwCreateKey, and ZwSetValueKey (as IPD did). However, if your detection software hooks these functions, how does it know which keys to guard? And consider that additional DLLs, such as Browser Helper Objects (BHOs), can be loaded into processes. A target you seek to protect could have more than one possible name. If your detection software hooks the system call table and a rootkit is using a symbolic link, the true target of the symbolic link will not yet have been resolved when your hook is called, so a hook that compares the requested name against a list of protected names will be fooled. Even if your detection software can hook all of these filter functions, the number of places to look seems infinite.
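The following is an added example, not code from the book or from IPD, that models the symbolic-link problem just described: a system-call hook sees the name the caller passed, while the object manager resolves aliases only after the hook has returned. The alias table, the "\??\PhysMem" link, and the protected-name list are constructed for the illustration (CurrentControlSet really is a registry symbolic link to a ControlSet00N key; the \??\PhysMem link stands in for the kind of attacker-created link Crazylord's bypass used). The naive hook compares the raw name; the second hook follows the links first, which is the only way a name-based guard can hold.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for object-manager symbolic links (not the real table). */
typedef struct {
    const char *link;    /* name as the caller passes it to the system call */
    const char *target;  /* name the object manager resolves it to */
} symlink_t;

static const symlink_t LINKS[] = {
    /* Real Windows alias: CurrentControlSet is a registry symbolic link. */
    { "\\Registry\\Machine\\SYSTEM\\CurrentControlSet",
      "\\Registry\\Machine\\SYSTEM\\ControlSet001" },
    /* Assumed attacker-created link in the \?? directory (constructed). */
    { "\\??\\PhysMem", "\\Device\\PhysicalMemory" },
};

/* Names a hook of NtOpenSection / ZwCreateKey might try to guard (constructed). */
static const char *const PROTECTED[] = {
    "\\Device\\PhysicalMemory",
    "\\Registry\\Machine\\SYSTEM\\ControlSet001\\Services",
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static bool has_prefix(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Follow symbolic links the way the object manager would. Depth is bounded so
 * a self-referencing link cannot spin the hook forever. Returns false if the
 * name does not fit, so callers can fail closed. */
bool resolve_name(const char *name, char *out, size_t outsz) {
    char cur[512];
    if (strlen(name) >= sizeof cur) return false;
    strcpy(cur, name);
    for (int depth = 0; depth < 8; depth++) {
        bool changed = false;
        for (size_t i = 0; i < COUNT(LINKS); i++) {
            if (!has_prefix(cur, LINKS[i].link)) continue;
            char next[512];
            int n = snprintf(next, sizeof next, "%s%s",
                             LINKS[i].target, cur + strlen(LINKS[i].link));
            if (n < 0 || (size_t)n >= sizeof next) return false;
            strcpy(cur, next);
            changed = true;
            break;
        }
        if (!changed) break;
    }
    if (strlen(cur) >= outsz) return false;
    strcpy(out, cur);
    return true;
}

static bool is_protected(const char *name) {
    for (size_t i = 0; i < COUNT(PROTECTED); i++)
        if (has_prefix(name, PROTECTED[i])) return true;
    return false;
}

/* Hook that compares the raw requested name: what the text says will be fooled. */
bool naive_hook_blocks(const char *requested) {
    return is_protected(requested);
}

/* Hook that resolves links before comparing, as the object manager will later. */
bool resolving_hook_blocks(const char *requested) {
    char resolved[512];
    if (!resolve_name(requested, resolved, sizeof resolved)) return true; /* fail closed */
    return is_protected(resolved);
}

int main(void) {
    const char *tries[] = {
        "\\Device\\PhysicalMemory",
        "\\??\\PhysMem",
        "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\sample",
    };
    for (size_t i = 0; i < COUNT(tries); i++)
        printf("%-70s naive=%d resolving=%d\n", tries[i],
               naive_hook_blocks(tries[i]), resolving_hook_blocks(tries[i]));
    return 0;
}
```

The resolving hook only helps if the alias table it consults is the one the object manager will actually use at the moment of resolution; a rootkit that creates or redirects a link between the hook's check and the real lookup still wins, which is the broader point of the passage.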