The Rootkit Primer - Below Gotham Labs

Recommendations

Info

Bootkits Bootkits use a Hybrid Approach They Use Binary and Runtime Patching They Execute in Real Mode and Protected Mode Load & Patch Iterative Technique Hook INT 0x13 (real-mode disk I/O interrupt) Scan for byte pattern of a target module Patch the module after it loads (and before it executes) Installed patch does the same for some following module This process repeats itself until startup has completed © Below Gotham Labs, 2009 24
Technique Countermeasures As in Gong Fu, for every tactic there is a counter tactic © Below Gotham Labs, 2009 25
Page 1 and 2: The Rootkit Primer Fear and Loathin
Page 3 and 4: What is a Rootkit? Here’s how the
Page 5 and 6: Design Goal != Implementation Don
Page 7 and 8: Exploit-Based Deployment Method #1
Page 9 and 10: How Do Rootkits Execute? The IA-32
Page 11 and 12: Kernel-Mode Modification User-Mode
Page 13 and 14: Call Tables Call Table ~ array of f
Page 15 and 16: Kernel Objects The Windows OS is
Page 17 and 18: BOOL flag; if(flag) { //do somethin
Page 19 and 20: Filter Drivers Filter drivers are i
Page 21 and 22: Hypervisors Rootkit (i.e. hyperviso
Page 23: COM Objects Component Object Model
Page 27 and 28: Do We Need to Hide? Traditional roo
Page 29 and 30: Forensic Analysis © Below Gotham L
Page 31 and 32: Storage Media Analysis Forensic Dup
Page 33 and 34: Anti-Forensics Traditional rootkits
Page 35 and 36: Surviving Reboot To persist or not
Page 37 and 38: The Four Evil Masters Media Analysi
Page 39 and 40: Persist by Infection 0-Day Exploit
Page 41 and 42: Who’s Building & Using Rootkits?
Page 43 and 44: Crooks The Crooks Notable Features
Page 45 and 46: Suits The Suits Notable Features Ha
Page 47 and 48: Case Study : Vodafone Greece* Where
Page 49 and 50: See How Bad It Is? Moral of the Sto
Page 51 and 52: Remember This? © Below Gotham Labs
Page 53 and 54: For More Information 850 pages, Wor

The Rootkit Primer - Below Gotham Labs

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?