No Starch Press Early Access Program: Feedback Welcome!
Welcome to the Early Access edition of the as yet unpublished Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats by Alex Matrosov, Eugene Rodionov, and Sergey Bratus!

These chapters are in the process of being edited, so they have yet to receive the benefits of our copyeditors and production staff and they’ve not yet been composed in our page layout program. This also means that these chapters may undergo substantial revision before publication, but we have decided to offer them in our Early Access program because many of our readers would like early information on important topics like these.

We encourage you to email us at earlyaccess@nostarch.com to share your comments regarding the content, but please know that we will be running these chapters through extensive rounds of editing. In other words, don’t worry about typos and other flubs, because our eagle-eyed editors should catch those.

We’ll email you as new chapters become available. In the meantime, enjoy!
Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
Alex Matrosov, Eugene Rodionov, and Sergey Bratus
Early Access edition, 7/31/15
Copyright © 2015 by Alex Matrosov, Eugene Rodionov, and Sergey Bratus.
Publisher: William Pollock
Production Editor: Alison Law
Cover Illustration: Garry Booth
Developmental Editor: William Pollock
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
Brief Contents
Introduction
Part 1: Rootkits
Chapter 1: What’s in a Rootkit: The TDL3 Case Study ... 1
Chapter 2: Festi Rootkit: The Most Advanced Spam Bot
Chapter 3: Observing Rootkit Infections
Chapter 4: Rootkit Static Analysis: IDA Pro
Chapter 5: Rootkit Dynamic Analysis: WinDbg
Part 2: Bootkits
Chapter 6: Bootkit Background and History ... 11
Chapter 7: The Windows Boot Process: Bringing Up a System in a Trustworthy State ... 22
Chapter 8: From Rootkits (TDL3) to Bootkits (TDL4): Bypassing Microsoft Kernel-Mode Code Signing Policy ... 36
Chapter 9: Operating System Boot Process Essentials ... 44
Chapter 10: Static Analysis of a Bootkit Using IDA Pro ... 65
Chapter 11: Bootkit Dynamic Analysis: Emulators and Virtual Machines
Chapter 12: Evolving from MBR to VBR Bootkits: Mebromi & Olmasco
Chapter 13: VBR Bootkits: Rovnix & Carberp
Chapter 14: Gapz: Advanced VBR Infection
Chapter 15: UEFI Boot vs. MBR/VBR
Chapter 16: Contemporary UEFI Bootkits
Part 3: Defense and Forensic Techniques
Chapter 17: How Secure Boot Works
Chapter 18: HiddenFsReader: Bootkits Forensic Approaches
Chapter 19: CHIPsec: BIOS/UEFI Forensics
Part 4: Advanced Reverse Engineering
Chapter 20: Breaking Malware Cryptography
Chapter 21: Modern C++ Malware Reversing
Chapter 22: HexRaysCodeXplorer: Practical C++ Code Reconstruction
The chapters in red are included in this Early Access PDF.
1 What’s in a Rootkit: The TDL3 Case Study
This chapter describes the TDL3 rootkit, a Windows rootkit that can serve as an example of advanced control and data flow hijacking techniques that leverage the lower layers of the OS architecture. Although TDL3’s infection mechanism has been rendered ineffective by Microsoft’s kernel integrity measures introduced in 64-bit Windows systems, these techniques for interposing code within the kernel are still valuable. Indeed, TDL3 has been succeeded by TDL4, which shares much of its evasion and anti-forensic functionality but turned to bootkit techniques to circumvent the Windows Kernel-Mode Code Signing mechanism in 64-bit systems to carry out its infection; we will describe these techniques in the chapter on bootkits.

This family of malware is also known as TDSS, Olmarik, or Alureon. Such a profusion of names for the same family is not uncommon, since antivirus vendors tend to come up with different names in their reports, and it is also common for the same research team to assign different names to different components of a common attack, especially during the early stages of analysis.

Throughout this chapter we will point out the specific OS interfaces and mechanisms that TDL3 subverts. Our goal here is to show how this and similar rootkits are designed and how they work; in Chapter 3 we will show how they can be discovered, observed, and analyzed, and discuss the tools to do so.
TDL3 distribution in the wild
First seen in 2010 [1], the TDL3 rootkit was one of the most sophisticated examples of malware developed up to that time, and its stealth mechanisms posed a challenge to the entire antivirus industry (as did its successor TDL4, which extended TDL3 with bootkit technology and became the first widely spread bootkit for the x64 platform).

TDL3 was distributed using a Pay-Per-Install (PPI) business model via the affiliates DogmaMillions and GangstaBucks (since then taken down). The PPI scheme, popular among cybercrime groups, resembles schemes commonly used for distributing browser toolbars. Toolbar distributors ship a special build with an embedded unique identifier (UID) assigned to each downloaded package. This allows the developer to count the installations (the number of users) associated with that UID and therefore to determine the revenue owed for them.
[1] http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf
Rootkits and Bootkits (Early Access)
© 2015 by Alex Matrosov, Eugene Rodionov, and Sergey Bratus