Rootkit internals
Published on: null Mumbai April 2012 Monthly Meet
Published in: Education, Technology
  1. By Mr. Omkar Pardeshi, Malware Analyst & Developer, omkar.r.pardeshi@gmail.com
  2. Agenda: Types of threats; Tools to analyze threats; Methodology of analysis of malware; Rootkit internals; Fighting with rootkits.
  3. Types of threats. Basic: Worm (replicates), Trojan (stand-alone), File infector (infects files). Also: Adware, Spyware, Backdoor, Boot sector virus, Browser hijacker, Macro virus, Polymorphic virus, Scripting virus, Logic bombs, Metamorphic.
  4. Tools: Sysinternals Suite (Procmon, Process Explorer), Regmon, Regshot, PEview, SysTracer.
  5. 1982 Siberian pipeline sabotage; 2001 Magic Lantern; 2005 Sony BMG copy protection rootkit scandal (digital rights management software called Extended Copy Protection; Mark Russinovich); 2004–2005 Greek wiretapping case; Rootkit.Duqu.A.
  6. A rootkit is just a technology subverting the standard operating system. The design goals of a rootkit are to provide three services: 1) remote access, 2) monitoring, 3) concealment.
  7. Real mode: ring 3, MS-DOS kernel, Interrupt Service Routines (ISRs) and the Interrupt Vector Table (IVT). Protected mode: ring 0; the system OS loads in protected mode, called ring 0 or OS kernel mode; the unprivileged area is called ring 3 or user mode.
  8. Diagram slide: User mode / Kernel mode.
  9. Diagram slide: OS level.
  10. Diagram slide, labels recovered: before injection, Taskmgr.exe calls into NTDLL (NtQueryInfo), ntoskrnl delivers the result; after injection, Taskmgr.exe goes through AppInitHook and receives a modified result.
  11. Diagram slide, labels recovered: AppInitHook at 0x2000–0x2100; NTDLL at 0x6000–0x6500 containing NtQuerySystemInformation; "Call to ntdll"; "Ret 0x2100".
  12. AppInit_DLLs: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. Other ways: SetWindowsHook; WriteProcessMemory + CreateRemoteThread; change in import table.
  13. Code injection: inject DLL; create remote thread; write physical memory; hooking.
  14. AppInit_DLLs → DllMain → hook NtQuerySystemInformation → HookedNtQuerySystemInformation. Prototype: NtQuerySystemInformation(__in SYSTEM_INFORMATION_CLASS SystemInformationClass, __inout PVOID SystemInformation, __in ULONG SystemInformationLength, __out_opt PULONG ReturnLength)
  15. HookedNtQuerySystemInformation(__in SYSTEM_INFORMATION_CLASS SystemInformationClass, __inout PVOID SystemInformation, __in ULONG SystemInformationLength, __out_opt PULONG ReturnLength): call the original NtQuerySystemInformation; PMY_SYSTEM_PROCESS_INFORMATION pNext = (PMY_SYSTEM_PROCESS_INFORMATION)SystemInformation; if (!wcsncmp(pNext->ImageName.Buffer, L"calc.exe", pNext->ImageName.Length)) ... (the matching entry is what the hook hides); return result.
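The hook on slide 15 walks the SYSTEM_PROCESS_INFORMATION entries returned by the real NtQuerySystemInformation and drops the one named calc.exe, which is why Task Manager on slide 10 never sees it. The defender's counterpart is the cross-view diff that scanners such as GMER apply: enumerate processes through a second, independent path and report anything the API view lacks. The Python below is an added example, not code from the slides; its buffer layout (NextEntryOffset, pid, ImageName.Length in bytes, then the UTF-16LE name inline) is a deliberately simplified stand-in for the real structure, and the process names and PIDs are constructed.

```python
"""Cross-view detection of a process hidden by a NtQuerySystemInformation hook.

Added example, not the slide deck's code.  The buffer layout is a simplified,
constructed stand-in for SYSTEM_PROCESS_INFORMATION: each entry starts with
NextEntryOffset (ULONG) and carries a UniqueProcessId and an ImageName whose
Length is in BYTES, as in UNICODE_STRING.  Real entries are much larger; only
the fields the walk needs are modelled.
"""
import struct

# Constructed entry header: NextEntryOffset u32, UniqueProcessId u32,
# ImageName.Length u16 (bytes); the UTF-16LE name follows inline.
HEADER = struct.Struct("<IIH")


def build_buffer(processes):
    """Serialise (pid, name) pairs into a NextEntryOffset-linked buffer, the
    shape NtQuerySystemInformation(SystemProcessInformation) returns."""
    blobs = []
    for i, (pid, name) in enumerate(processes):
        name_bytes = name.encode("utf-16-le")
        entry_len = HEADER.size + len(name_bytes)
        next_off = 0 if i == len(processes) - 1 else entry_len  # 0 terminates the list
        blobs.append(HEADER.pack(next_off, pid, len(name_bytes)) + name_bytes)
    return b"".join(blobs)


def walk_process_info(buf):
    """Walk the linked entries exactly as the hook on slide 15 does and return
    {pid: image_name}.  A hook that hides a process either skips its entry by
    adjusting the previous NextEntryOffset or drops it while copying."""
    seen, off = {}, 0
    while True:
        next_off, pid, name_len = HEADER.unpack_from(buf, off)
        start = off + HEADER.size
        # Length is a byte count, not a character count.
        seen[pid] = buf[start:start + name_len].decode("utf-16-le")
        if next_off == 0:
            return seen
        off += next_off


def hidden_processes(api_view, second_view):
    """Cross-view diff: PIDs present in an independent enumeration (for
    example a toolhelp snapshot or brute-forced OpenProcess) but absent from
    the NtQuerySystemInformation view are candidates for a user-mode rootkit."""
    return {pid: name for pid, name in second_view.items() if pid not in api_view}


# Constructed sample: the hooked API view omits calc.exe (pid 4120); the
# independent enumeration still sees it.
HOOKED_API_BUFFER = build_buffer([(4, "System"), (612, "csrss.exe"), (2208, "taskmgr.exe")])
INDEPENDENT_VIEW = {4: "System", 612: "csrss.exe", 2208: "taskmgr.exe", 4120: "calc.exe"}


def demo():
    """Run the diff over the constructed views; returns the hidden entries."""
    api_view = walk_process_info(HOOKED_API_BUFFER)
    return hidden_processes(api_view, INDEPENDENT_VIEW)


if __name__ == "__main__":
    print(demo())  # {4120: 'calc.exe'}
```

The second view must come from a path the hook does not control; a snapshot taken through the same hooked ntdll export gives an identical list and the diff is empty. Scanners therefore compare against a kernel-side or brute-force enumeration, and a non-empty result is a lead to investigate, since a process can also exit between the two enumerations.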
  16. SSDT hook: get the address of the SSDT; get the offset address of the functions from the SSDT; save the address; write the address of our function into the SSDT; if the query call is for our file, deny access; if not, call the original function from the saved address.
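Slides 11 and 16 describe two places the rootkit rewrites control flow: a jump planted at the start of the NtQuerySystemInformation stub in ntdll that lands in AppInitHook, and an SSDT entry overwritten with the address of the rootkit's own routine. A scanner checks both the same way: does the pointer still land inside the module that should own it? The Python below is an added example, not the deck's code; the module ranges, stub bytes and SSDT values are constructed, and only the addresses 0x2100 and 0x6500 are taken from slide 11.

```python
"""Integrity checks a rootkit scanner applies to the two hook points on
slides 11 and 16: an inline JMP written over an ntdll stub, and an SSDT entry
redirected out of ntoskrnl.  Added example, not the deck's code; module
ranges, stub bytes and SSDT values are constructed for illustration."""
import struct


def decode_jmp_target(code, va):
    """If `code` (bytes at virtual address `va`) starts with a 5-byte JMP rel32
    (opcode E9) return its absolute target, else None.  The displacement is
    relative to the end of the instruction, as the CPU computes it."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (va + 5 + rel) & 0xFFFFFFFF
    return None


def inline_hook_target(code, va, module_range):
    """Return the hook target when the function prologue jumps outside its own
    module (the slide-11 picture: ntdll stub -> AppInitHook), else None."""
    lo, hi = module_range
    target = decode_jmp_target(code, va)
    if target is not None and not (lo <= target < hi):
        return target
    return None


def ssdt_hooked_entries(ssdt, kernel_range):
    """Slide 16 writes the rootkit's routine address into the SSDT.  A scanner
    flags every service index whose pointer lies outside ntoskrnl's image."""
    lo, hi = kernel_range
    return [i for i, addr in enumerate(ssdt) if not (lo <= addr < hi)]


# Constructed sample data (32-bit addresses, as on slide 11).
NTDLL_RANGE = (0x6000, 0x7000)
STUB_VA = 0x6500  # NtQuerySystemInformation stub inside ntdll
# Constructed prologue shaped like an x86 syscall stub: mov eax, N ; mov edx, ...
CLEAN_STUB = bytes.fromhex("b805000000ba0003fe7f")
# A hook overwrote the first five bytes with JMP to 0x2100 (AppInitHook).
_rel = (0x2100 - (STUB_VA + 5)) & 0xFFFFFFFF
HOOKED_STUB = b"\xe9" + struct.pack("<I", _rel) + CLEAN_STUB[5:]

KERNEL_RANGE = (0x80400000, 0x80600000)
# Index 2 points into a third-party driver's range, not into ntoskrnl.
SSDT_SAMPLE = [0x80470123, 0x804701A0, 0xF8A1C000, 0x80470250]


def scan_report():
    """Run both checks over the constructed data."""
    return {
        "ntdll_hook_target": inline_hook_target(HOOKED_STUB, STUB_VA, NTDLL_RANGE),
        "clean_stub_target": inline_hook_target(CLEAN_STUB, STUB_VA, NTDLL_RANGE),
        "ssdt_suspect_indices": ssdt_hooked_entries(SSDT_SAMPLE, KERNEL_RANGE),
    }


if __name__ == "__main__":
    print(scan_report())
```

A pointer outside the owning module is a lead, not a verdict: endpoint security products and some legitimate drivers hook the same places, so the scanner's next step is to map the target address to its module and decide whether that module is expected. The check also only catches the E9 form; hooks built from a push/ret pair or a mov/jmp sequence need their own decoders, and on x64 Windows the service table stores relative offsets rather than the raw addresses modelled here.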
  17. Ways a rootkit gets into the system: SSDT hook; Shadow SSDT hook (win32k.sys); FS callback; Registry callback; Interrupt Descriptor Table (IDT); Register notify routines; Windows hook; Driver hook; Dispatch hook; Keyboard hook; System thread; the list goes on.
  18. Fighting with rootkits: GMER, Rootkit Unhooker, Sysrevaler, various rootkit scanners. To stay secure use an updated AV and install all the security patches.
  19. Questions?