The document provides an overview of techniques for hunting rootkits with WinDbg. It discusses how to find SSDT and Shadow SSDT hooks, including examples from the Runtime2, Rustock.B, and Alipop rootkits. It also covers finding hidden registry entries and IDT hooks in Rustock.B, GDT callgates in Alipop, ATAPI IRP hooks in TDL3, shared memory structures between kernel and user mode in TDL3, TDL3's mini file system, traces of TDL3 in system worker threads, how TDL4 hooks the ATAPI driver's DriverStartIO, and how Stuxnet uses IoFsRegistrationChange. The document is intended to
On 40 slides I will introduce the main features of the powerful forensic framework Volatility. All memory dumps discussed are snapshots from machines infected with modern malware and rootkits.
CNIT 126: 10: Kernel Debugging with WinDbg (Sam Bowne)
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
Page cache mechanism in Linux kernel.
Note: when you view the slide deck in a web browser, the screenshots may be blurred. You can download the deck and view it offline, where the screenshots are clear.
This document provides guidance on setting up a virtual machine environment for malware analysis. It recommends choosing virtualization software such as VirtualBox and installing the necessary analysis tools. Key tools mentioned include debuggers like OllyDbg, decompilers, disassemblers like IDA and Ghidra, frameworks like Java and .NET, and network monitors. The document outlines best practices such as taking snapshots, using host-only networking to contain malware, and automating setup with scripts. It then describes carrying out a malware analysis workflow through static analysis, dynamic analysis, and manual debugging.
Summary of Linux kernel security protections (Shubham Dubey)
The Linux kernel goes through very rapid changes with each release. With each release, new protections and mitigations are added to make it more secure against different categories of attacks. Unlike on other platforms, Linux security features are not advertised enough and are most of the time limited to a mail thread. Since Linux is getting more popular day by day in different sectors of industry, it is important for a researcher or an administrator to be aware of what protection it provides against sophisticated attacks targeting the Linux kernel. In this session, I will take you through the different security features that the Linux kernel has introduced over the years and their limitations or bypasses. We will go through a few demos to verify the working and the bypasses of these protections. In the end I will discuss what is missing in the Linux kernel that can be improved in future. This talk will help security researchers identify the current Linux security protections and the gaps present in the Linux kernel. With this knowledge they can tweak their product; for example, an AV vendor working on Linux security needs to be aware of what protection is already present before working on something new. A developer dealing with Linux kernel development can also use this session to identify the security issues their code may hold and the things they need to take care of, and can ignore, to make their modules or components secure.
The document provides an overview of the initialization phase of the Linux kernel. It discusses how the kernel enables paging to transition from physical to virtual memory addresses. It then describes the various initialization functions that are called by start_kernel to initialize kernel features and architecture-specific code. Some key initialization tasks discussed include creating an identity page table, clearing BSS, and reserving BIOS memory.
It contains the last 4 chapters of our book.
CHAPTER 4: MALWARE BASIC DYNAMIC ANALYSIS
• Backdoor Basic Dynamic Analysis
• Persistent Meterpreter Dynamic Analysis
• Keylogger Basic Dynamic Analysis
• Reverse Shell Basic Dynamic Analysis
• PMA Lab 03-01 Basic Dynamic Analysis
• PMA Lab 03-02 Basic Dynamic Analysis
• PMA Lab 03-03 Basic Dynamic Analysis
• PMA Lab 03-04 Basic Dynamic Analysis
CHAPTER 5: ASSEMBLY
• Register Code Structure
• Data Transfer Instructions
• Addressing Modes
• Data Definitions
• Control Structures and Loops
• String Operations
• Arithmetic and Logic Instructions
• Relationship between the Operating System and the BIOS
• Screen and Keyboard Operations
• Basic Input and Output Techniques
• Linking with Subroutines
• Shift and Rotate Operations
• Arithmetic Operations
• Arrays
• Directory and File Operations
CHAPTER 6: ADVANCED MALWARE ANALYSIS
• Disassembly with IDA
• Backdoor Advanced Malware Analysis
• Keylogger Analysis with IDA Pro
• PMA Lab 07-01 Analysis
• PMA Lab 07-02 Analysis
• PMA Lab 07-03 Analysis
• PMA Lab 09-01 Analysis
• PMA Lab 09-02 Analysis
• PMA Lab 09-03 Analysis
CHAPTER 7: MEMORY DUMP ANALYSIS
• PMA Lab 03-01 Memory Dump Analysis
• PMA Lab 03-03 Memory Dump Analysis
Standard File Permissions:
Read
Write
Execute
Special File Permissions:
The setuid bit (set user identifier)
The setgid bit (set group identifier)
The sticky bit
The document provides an overview of Oracle Database locking mechanisms. It discusses the different types of locks used in Oracle including row-level locks, table-level locks, and different lock modes. It describes how Oracle uses row-level locking to allow non-blocking queries and read consistency. The document also covers advanced locking scenarios like deadlocks and blocked inserts. It concludes with demonstrating how to monitor locks using Oracle dictionary views and tools to identify blocked sessions.
Linux Memory Management with CMA (Contiguous Memory Allocator) (Pankaj Suryawanshi)
Fundamentals of Linux memory management and CMA (Contiguous Memory Allocator) in Linux.
Virtual memory, physical memory, swap space, DMA, IOMMU, paging, segmentation, TLB, hugepages, ION (Google memory manager)
This document provides a summary of common WinDbg commands grouped thematically. It includes commands for debugging sessions, expressions, symbols, sources, exceptions, modules, processes, threads, and more. Each command is listed along with its variants, parameters, and description.
This is the presentation I gave in an OS course. It mainly focuses on the Linux file system part and only points out the differences from the Windows NTFS file system, which I have not dug into.
This document provides an overview of Logical Volume Management (LVM) including its core components and functionality. LVM allows for flexible, online storage management through the creation of logical volumes atop physical volumes. It supports resizing storage pools, online data relocation, disk striping, mirroring volumes, and volume snapshots. The key components are physical volumes (PVs), volume groups (VGs), and logical volumes (LVs). PVs can be partitions or entire disks. VGs pool multiple PVs into a single storage space with extents. LVs are then created within VGs with properties like linear, striped, or mirrored layouts. Device mapper provides access to LVs and handles tasks like mirroring and
This document provides information on detecting WMI exploitation. It discusses how WMI can be used by adversaries to remotely execute payloads, persist, query systems, and more. It outlines various ways WMI is exploited, including installing malicious MOF files and DLLs. The document recommends enabling specific Windows event logs and logging options to detect WMI activity, such as Process Creation, Authentication, and PowerShell logs. It also discusses tools that can help hunt for WMI exploitation like LOG-MD, Sysinternals AutoRuns, and WMI Explorer.
Systemd is a system and service manager that replaces sysvinit. It manages services, devices, mounts and other system components. It relies on control groups (cgroups) to isolate and manage processes and resources for each service. Services are configured through declarative unit files instead of shell scripts. Systemd provides features like socket activation, timers, and integrates with journald for logging.
Resource Access Control Facility (RACF) in Mainframes (Aayush Singh)
This document provides an overview of RACF (Resource Access Control Facility), an IBM product that controls access to system resources on z/OS. It describes the different types of profiles (user, group, dataset, generic) stored in the RACF database and the commands used to manage them. Authorities like SPECIAL, OPERATIONS, and AUDITOR are assigned to users and groups. RACF enforces access based on these profiles and can revoke or protect access.
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru... (Adrian Huang)
Note: when you view the slide deck in a web browser, the screenshots may be blurred. You can download the deck and view it offline, where the screenshots are clear.
This document provides an overview of the Metasploit framework, including what it is used for, its key capabilities, and basic terminology. Metasploit is an open-source penetration testing framework that contains exploits and tools to test vulnerabilities. It allows identifying security weaknesses without needing deep technical knowledge. The document defines common terms like vulnerabilities, exploits, and payloads, and outlines the basic steps of an attack using Metasploit such as gathering target information, selecting an exploit, and executing it.
SMOne ManageEngine PAM360: a privileged account management solution (Phuong Nghiem Sy Tam)
ManageEngine PAM360 provides enterprises facing this growing risk with a robust privileged access management (PAM) program, ensuring that no path of privileged access to critical assets is left unmanaged, unknown or unmonitored.
PAM360 is a comprehensive solution for enterprises that want to incorporate PAM into their overall security operations. With PAM360's contextual integration capabilities, you can build a central console where the different parts of your IT management system connect to each other, giving deeper correlation between privileged access data and overall network data, enabling more complete assessments and faster remediation.
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat... (idsecconf)
This talk aims to educate about the protection mechanisms applied to Android applications, such as root detection, SSL pinning, anti-emulation and tamper detection, and the techniques used to bypass these protections with the help of reverse engineering using tools such as Frida, Ghidra, Objection, Magisk and others.
The document discusses anti-forensic rootkits and techniques that can manipulate digital evidence collected through live forensic imaging. It presents DDefy, a proof-of-concept anti-forensic rootkit that intercepts disk read requests and modifies the data returned to hide sensitive information from live forensic tools. DDefy demonstrates that current live imaging methods are insufficient to guarantee collection of untainted evidence, as they rely on the compromised system to provide the data. Better techniques are needed to directly acquire disk data and confirm it matches the kernel and userland views.
With the TV channel JOIZ, the Swiss TV landscape recently gained a pioneer in social TV. But what does social TV actually encompass? Bertram Gugel, a trend and media researcher from Berlin who has been working on social TV for over 7 years, talks about this and will give us a comprehensive insight into the trends.
1) The document describes a proposed design for a free-standing wing mast for a recreational catboat made of composite materials.
2) A free-standing wing mast would have no columns and instead use wing-like structures, providing more room on board and easier maintenance than traditional masted designs.
3) Finite element modeling was used to optimize the mast design, testing different cross-sections, materials, and layups to minimize weight while maintaining strength.
4) The design process showed that a free-standing composite wing mast could be cheaper to produce than traditional designs using vacuum bagging and lower-temperature curing, though a physical prototype is still needed to validate the manufacturing process and structural models.
Apple has announced a new line of products including the Apple Watch, a small computer and monitor worn around the wrist that comes in three styles and sizes and functions like an iPod with applications designed for quick use on the wrist; the Watch also tracks fitness stats and goals to help improve the user's lifestyle.
God watches a person get up in the morning and be too busy to notice the wonders of nature, such as the sky full of colours and birdsong. Throughout the day, the person stays busy with work and activities without noticing God's presence. Despite the lack of attention, God continues to love the person and hopes to spend some time with them.
The more iconic species you see on the Galápagos Islands, the more rewarding and memorable your experience will be! www.metropolitan-touring.com/galapagos-big15
Security recommendations for mobile phones (ICELL S.A.)
This document provides security recommendations for mobile devices. It explains how to lock a lost device, locate it on a map, make automatic backups of data and make the device ring in order to find it. It also describes how to create a security account, enable location tracking and wipe the device remotely to protect personal information.
The Script Around The World - interviews with fans of The Script (Andrea Michaels)
This document summarizes interviews with two fans of the band The Script, one from South Africa and one from the Philippines. It discusses how they discovered The Script's music, whether the band is popular in their home countries, their favorite members and songs. It also shares stories about crazy things they've done as fans, such as missing school to attend concerts or flying across the world to see a show. Both fans discuss what they love about being part of The Script's dedicated global fan base, known as The Script Family.
Sixty-one organizations within the NeighborWorks network, representing over 4,200 employees across 27 states, have achieved the NeighborWorks Green Organization designation by incorporating green practices into their operations, housing developments, and community efforts. This document highlights and celebrates the 19 organizations that newly achieved the designation in 2014 through accomplishments like building ENERGY STAR certified homes, weatherizing properties, establishing community gardens, and more. It discusses how these organizations are leading efforts to create a greener future for their communities and residents.
The poem is about friendship and what a friend can and cannot do for another. A friend can listen and share, and be present in difficult moments, but cannot change another's past or future or prevent them from suffering. Although they cannot take away the pain, they can cry together. The most important thing is to accept the other as they are and offer unconditional love.
Below are the most relevant, positive and interesting aspects, as well as the main ideas, of chapter 10, "Challenges and dilemmas regarding the financing of higher education in Latin America and the Caribbean", of the document "Trends in higher education in Latin America and the Caribbean".
Full version of http://www.slideshare.net/valexiev1/gvp-lodcidocshort. Same is available on http://vladimiralexiev.github.io/pres/20140905-CIDOC-GVP/index.html
CIDOC Congress, Dresden, Germany
2014-09-05: International Terminology Working Group: full version.
2014-09-09: Getty special session: short version.
The Voynich manuscript is a mysterious illustrated book written 500 years ago in an unknown alphabet and language. It contains sections on herbals, astronomy, biology and recipes, with illustrations. Despite intensive study, no expert has been able to decipher the text. Its authorship is unknown, but it is believed to have been written in northern Italy between 1404 and 1438.
The document describes the objectives and features of the Asia Pacific DealFlow platform, which allows agents and investors to share and market deal opportunities. The platform aims to:
1) Create a database for agents to share their deal pipelines with other agents and market deals to investors.
2) Provide an independent platform for agents to share corporate finance and venture capital deals.
3) Allow users to create profiles, publish articles, and interact through social media features to promote deals and their expertise.
The document describes the AQUAD v.6 software, a qualitative data analysis program. It explains that AQUAD has several menus, such as Project, Files, Coding, Search, Tables, Links and Implication, which allow users to manage projects, code data, search for patterns and build theories. Finally, it details the steps for opening an existing project in AQUAD that includes a coded interview.
The document discusses exploiting vulnerabilities in the Windows registry and kernel to execute malicious code without detection. It describes how vulnerabilities in functions like RtlQueryRegistryValues and win32k.sys that improperly read registry values can be triggered to cause a buffer overflow and gain kernel code execution. The goal is to store malicious code in the registry and have it execute by exploiting these vulnerabilities during system startup before detection can occur.
IRQs: the Hard, the Soft, the Threaded and the Preemptible (Alison Chaiken)
The Linux kernel supports a diverse set of interrupt handlers that partition work into immediate and deferred tasks. The talk introduces the major varieties and explains how IRQs differ in the real-time kernel.
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatility (Andrew Case)
The document summarizes the analysis of several Linux rootkits using the Volatility memory forensics framework. It describes how the Average Coder rootkit hides processes, modules and users by hooking various file operations. It also details how the KBeast rootkit hides its module, hooks system calls and network connections. Finally, it discusses how the Jynx rootkit operates by preloading a shared library to hook filesystem and network functions and implement a backdoor. The document demonstrates how Volatility plugins can detect these rootkits and recover hidden data.
This document contains the slides from a presentation given by WonoKaerun at the Indonesian Security Conference 2011 in Palembang. The presentation introduces rootkits and techniques for hiding malware at the kernel level on Linux systems. It covers topics like loadable kernel modules, interrupt descriptor table hooking, virtual file system hacking, page fault handler hijacking, debugging register abuse, and kernel instrumentation patching. The goal is to evade detection by security solutions by gaining control of the kernel before anti-rootkit defenses can activate. Throughout, the document emphasizes the cat-and-mouse nature of offensive and defensive security research.
Introduction to freebsd_6_kernel_hacking (Susant Sahani)
This document provides an introduction to customizing the FreeBSD 6 kernel through kernel module programming. It discusses topics such as the anatomy of a kernel module, including the use of DECLARE_MODULE and Makefiles. It also covers exporting configuration parameters through sysctl variables, and installing packet filters (PFIL) hooks. The document is intended to act as a primer for those new to FreeBSD kernel programming.
A talk presented at the Automotive Grade Linux All-Members meeting on September 8, 2015. The focus is on why AGL should adopt systemd, and it highlights two of the more difficult integration issues that may arise while doing so. The embedded SVG image, courtesy of Marko Hoyer of ADIT, is at http://she-devel.com/2015-07-23_amm_demo.svg
Wonder walk in Rootkit Land by Himanshu Khokhar (OWASP Delhi)
This document discusses user mode rootkits and provides examples of LD_PRELOAD and ptrace()-based rootkits. It begins with definitions of rootkits and describes different types including user mode and kernel mode. It then demonstrates an LD_PRELOAD rootkit that hijacks the strcmp() function and modifies its behavior. Another example hijacks the rand() function. The document notes that ptrace()-based rootkits can work on statically linked binaries but are more difficult to implement than LD_PRELOAD and not worth the effort.
Sysdig is an open source container monitoring and security platform that provides visibility into containerized applications. It includes sysdig for troubleshooting and inspection, sysdig monitor for runtime security and performance monitoring, and sysdig secure for compliance and threat detection. Sysdig uses system calls to provide filtering and inspection capabilities similar to tcpdump. It supports containers, Kubernetes, Docker, and other orchestration platforms. Sysdig also includes chisels for aggregating and reporting on event sequences and Falco for behavioral monitoring and detecting suspicious activity defined through rules.
This document provides an overview of Unix rootkits, including their functionality, types, usage trends, and case studies of captured rootkits. Rootkits aim to maintain access, attack other systems, and conceal evidence. They are implemented through binary, kernel, and library techniques. Case studies examine the SA binary kit, the W00tkit kernel kit, and the RK library kit to illustrate rootkit techniques and evolution over time. The document concludes that rootkits combine tools to establish hidden, persistent access and attack other machines while avoiding detection.
Linux io introduction-fudcon-2015-with-demo-slidesKASHISH BHATIA
Linux provide facilities to expose emulated LUNs to initiators using Linux-IO (LIO) scsi target implementation . LIO not only support exposing conventional block devices but also supports other storage interfaces like file or memory based LUNs. Also it supports multiple fabric interfaces - FC, FCoE, iscsi and many more.
LIO can be used in SAN environments with minimal storage resources.
Native support for LIO in linux hypervisors and in Openstack make it a good storage option for cloud deployments.
This presentation includes demo slides with LIO iscsi target implementation.
Securing Applications and Pipelines on a Container PlatformAll Things Open
The document discusses securing applications on a container platform. It covers considerations for security at the host operating system level, during container builds, and at runtime. Specific techniques discussed include Linux namespaces and cgroups for isolation, SELinux and MCS labels for access control between containers, capability dropping to restrict privileges, and read-only mounts. Container scanning and signing images are also covered.
Bridging the gap between hardware and software tracingChristian Babeux
For a numbers of years, silicon vendors have been providing hardware tracing facilities to embedded developers. By using these, developers can resolve performance and latency issues more quickly, resulting in shorter time to market. In this talk, we will cover the hardware based tracing facilities offered by various manufacturers and see how they differ from their software counterparts with respect to their instrumentation capabilities, transport mechanisms, output formats, etc. We will also show how joint hardware and software tracing can be used by developers to gain deeper insights in their applications’ behaviour. Finally, we will outline the on-going work within the Linux Trace Toolkit next generation (LTTng) project to enhance hardware tracing support and tracing data visualization.
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
This document discusses analyzing Linux rootkits using Volatility, an open source memory forensics framework. It analyzes several Linux rootkits including Average Coder, KBeast, and Jynx/Jynx 2. For each rootkit, it describes the rootkit's techniques for hiding processes, files, network connections and how Volatility plugins like linux_check_fop, linux_check_modules, linux_check_syscall, and linux_check_afinfo can detect the rootkit by validating file operations structures, the kernel module list, system call tables, and network operations structures. It also shows how Volatility can recover hidden files, processes, network connections, and shared libraries loaded by the root
When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and when they suspect a compromise they simply wait for them to issue signatures.
If a company thinks they may be compromised but there is no AV signature, then what?
What if we could use basic python scripting to identify malware based on signatures we produce in real time? There are plenty of python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew.
What if we could integrate these together into a system for centrally issuing
indicators of compromise? What if hosts we suspect as being compromised used this system to check themselves for compromise? Lets find out...
RING 0/-2 ROOKITS : COMPROMISING DEFENSESPriyanka Aash
Advanced malware such as TDL4, Rovnix, Gapz, Omasco, Mebromi and others have exposed in recent years various techniques used to circumvent the usual defenses and have shown how much companies are not prepared to deal with these sophisticated threats.
Although the industry has implemented new protections such as Virtualized Based Security, Windows SMM Security Mitigation Table (WSMT), Kernel Code Signing, HVCI, ELAM, Secure Boot, Boot Guard, BIOS Guard, and many others, it is still unknown the professionals of the architecture of these protections, what are the components attacked by these contemporary malwares in the context of BIOS / UEFI and what are the tricks used by them. Precisely because of the lack of adequate understanding, most machines (BIOS / UEFI + operating system) remain vulnerable in the same way as a few years ago.
In addition, there are a growing number of malwares that have used kernel drivers to circumvent limitations and protections in order to gain full access to the operating system and data. Exactly for these reasons, it is necessary to understand the way that malwares act as device drivers and what are the mechanisms used by these threats to infect an operating system.
The purpose of this presentation is to show clearly and without too much details that often hinders understanding, how these threats act, which components are attacked, what are the techniques used by these advanced malware to subvert the system and how existing protections work .
This document is a summary of a webinar on securing container deployments. It lists several important items to consider when securing containers including: running builds separately from production clusters; treating containers as immutable; avoiding privileged containers; keeping hosts updated; encrypting secrets; and preventing container drift. The document provides instructions on how to provide feedback on the webinar series and lists upcoming webinar topics.
This document provides an overview of memory forensics and analysis using the Volatility framework. It discusses rootkits, the importance of memory forensics, acquisition tools like Volatility, and commands for analyzing memory dumps using Volatility plugins. It also references a video demonstration of analyzing the TDSS rootkit with Volatility.
Confraria Security & IT - Lisbon Set 29, 2011ricardomcm
This document discusses Linux rootkits that hide without patching system calls. It explains how earlier rootkits patched system call tables but this is no longer possible in Linux 2.6. Instead, a rootkit called "Fuckit" is presented that hides itself, processes, files and directories by hooking the Virtual Filesystem (/proc and /) through struct file_operations. It demonstrates hiding a process by filtering results in the readdir calls and discusses limitations of this approach compared to hypervisor rootkits.
Securing Applications and Pipelines on a Container PlatformAll Things Open
Presented at: Open Source 101 at Home
Presented by: Veer Muchandi, Red Hat Inc
Abstract: While everyone wants to do Containers and Kubernetes, they don’t know what they are getting into from Security perspective. This session intends to take you from “I don’t know what I don’t know” to “I know what I don’t know”. This helps you to make informed choices on Application Security.
Kubernetes as a Container Platform is becoming a de facto for every enterprise. In my interactions with enterprises adopting container platform, I come across common questions:
- How does application security work on this platform? What all do I need to secure?
- How do I implement security in pipelines?
- What about vulnerabilities discovered at a later point in time?
- What are newer technologies like Istio Service Mesh bring to table?
In this session, I will be addressing these commonly asked questions that every enterprise trying to adopt an Enterprise Kubernetes Platform needs to know so that they can make informed decisions.
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Trusted Execution Environment for Decentralized Process MiningLucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...alexjohnson7307
Predictive maintenance is a proactive approach that anticipates equipment failures before they happen. At the forefront of this innovative strategy is Artificial Intelligence (AI), which brings unprecedented precision and efficiency. AI in predictive maintenance is transforming industries by reducing downtime, minimizing costs, and enhancing productivity.
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
2. Scope of this Talk
In the next few slides the audience learns how to hunt for rootkits with Windbg.
To get a good overview of the different ways rootkits hide themselves from being recognized, several techniques from rootkits like Runtime2, Rustock.B, Alipop, Stuxnet as well as TDL3 and TDL4 are introduced.
Of course the techniques used to detect a specific rootkit are not limited to the shown cases. ;-)
Prerequisites are a good understanding of Windows internals and basic Windbg skills.
3. Finding SSDT hooks
The SSDT is a data array in kernel memory that stores pointers to the native API functions of Windows, e.g. NtCreateFile. These functions are handled in NTOSKRNL.
Older rootkits used to hook some distinctive functions to hide their files or registry entries when queried from usermode.
Almost every run-of-the-mill antirootkit tool is able to detect such hooks today.
5. Finding Shadow SSDT hooks
The Shadow SSDT is another array and stores pointers to functions in Win32k.sys.
To view its entries we first have to switch to a GUI process context and reload the symbols for the specific module:
!process 0 0 winlogon.exe
PROCESS 81ebf6f8 SessionId: .....
.process /p 81ebf6f8
.reload
9. Rustock.B Rootkit – SYSENTER_EIP hook
The SYSENTER_EIP (MSR 0x176) usually points to KiFastCallEntry to serve requests from usermode to access native functions in the SSDT. This pointer gets hooked by the Rustock.B rootkit.
If SYSENTER gets called, Rustock checks in its own SDT table whether a function is hooked or not. Non-hooked native functions have a null pointer; hooked functions have a pointer to its own handler.
To avoid easy hook detection the SYSENTER_EIP address points to the same module (NTOSKRNL.EXE) as KiFastCallEntry: it overwrites the text string „FATAL_UNHANDLED_HARD_ERROR“ with a 5-byte jump to its real rootkit code.
11. Rustock.B Rootkit – SYSENTER_EIP hook
Another Laboskopia Windbg command shows us the hook automatically.
12. Rustock.B Rootkit – Finding hidden registry entries
To find the hidden registry entries Rustock uses to survive a reboot, we walk the Windows hive with the „!reg“ command and its parameters.
A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files and backup copies. Hives are stored as files on disk.
Next to the standard hives every user has his own hive file.
13. Rustock.B Rootkit – Finding hidden registry entries
Table of standard hives and their supporting files

Registry hive                    Supporting files
HKEY_CURRENT_CONFIG              System, System.alt, System.log, System.sav
HKEY_CURRENT_USER                Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM           Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security      Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software      Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System        System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT              Default, Default.log, Default.sav
17. Rustock.B Rootkit – pIofCallDriver Hook
Hooks at pIofCallDriver are often used to filter special IRP requests to drivers.
Rustock filters any attempt to directly communicate with NTFS.SYS or FASTFAT.SYS. These files are hidden and cannot be copied, overwritten or renamed.
18. Rustock.B Rootkit – IDT hooks
The Interrupt Descriptor Table (IDT) is a structure which is used when dispatching interrupts. Interrupts can interrupt the execution of a program to handle an event. Interrupts can be the result of a hardware signal or be software based, using the INT instruction.
The IDT can hold 256 entries. The register that describes the table's location is written with the instruction LIDT and read with SIDT.
Rustock hooks INT 2Eh, which usually points to KiSystemService, the Zw* functions dispatcher and handler for usermode INT 2Eh calls on old hardware not supporting fast calls via the SYSENTER instruction.
19. Rustock.B Rootkit – SYSENTER_EIP hook
Rustock hooks INT 2Eh to communicate between its usermode and kernelmode components.
The „!idt“ command shows us the pointer to the handler. If it points to KiSystemService it is ok, otherwise it's hooked.
20. Alipop Rootkit – GDT Callgate
A callgate is a mechanism of the Intel x86 architecture to change the privilege level of the CPU.
The Alipop rootkit installs such a callgate to execute code with the highest privilege (Ring 0) from usermode (Ring 3) without the need to have a driver, e.g. by calling DeviceIoControl.
Callgate usage works by executing "call far ptr <addr>" from usermode code.
Installation of the callgate is done by the bootkit part of Alipop.
Other malware seen in the wild used \Device\PhysicalMemory to install a callgate in the GDT (works only on older Windows versions).
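Decoding raw GDT descriptors to spot such a callgate, as an added example that is not from the original slides. The decoder handles the 32-bit descriptor layout of the XP-era systems the slides target (64-bit mode call gates are 16 bytes and are not covered); the GDT image, the target address 0x8055AA10 and the module range are constructed. Windows itself does not install call gates in its GDT, so every present gate is reported, with its DPL telling whether ring 3 may call through it.

```python
import struct

CALL_GATE_TYPES = {0x4: "16-bit call gate", 0xC: "32-bit call gate"}


def decode(index, raw):
    """Decode one 8-byte x86 descriptor (32-bit layout) into a dict of fields."""
    d = {
        "index": index, "raw": raw,
        "present": bool(raw >> 47 & 1),
        "dpl": (raw >> 45) & 3,
        "system": not (raw >> 44 & 1),   # S=0: gates, TSS and LDT descriptors
        "type": (raw >> 40) & 0xF,
    }
    d["is_call_gate"] = d["system"] and d["type"] in CALL_GATE_TYPES
    if d["is_call_gate"]:
        # Gate layout: target offset split into low and high words, target
        # selector in bits 16-31, parameter count in the low 5 bits of byte 4.
        d["offset"] = ((raw >> 48) & 0xFFFF) << 16 | (raw & 0xFFFF)
        d["selector"] = (raw >> 16) & 0xFFFF
        d["params"] = (raw >> 32) & 0x1F
    else:
        d["base"] = ((raw >> 16) & 0xFFFFFF) | ((raw >> 56) & 0xFF) << 24
        limit = (raw & 0xFFFF) | ((raw >> 48) & 0xF) << 16
        d["limit"] = (limit << 12) | 0xFFF if raw >> 55 & 1 else limit  # G bit
    return d


def decode_gdt(blob):
    """Decode a raw GDT image (e.g. bytes dumped over the GDTR base)."""
    return [decode(i, struct.unpack_from("<Q", blob, i * 8)[0])
            for i in range(len(blob) // 8)]


def find_call_gates(descriptors, module_ranges):
    """Report every present call gate; DPL 3 means ring 3 may `call far` into it."""
    hits = []
    for d in descriptors:
        if d["is_call_gate"] and d["present"]:
            hits.append({
                "gdt_selector": d["index"] << 3,
                "kind": CALL_GATE_TYPES[d["type"]],
                "dpl": d["dpl"],
                "user_callable": d["dpl"] == 3,
                "target_selector": d["selector"],
                "offset": d["offset"],
                "target_in_known_module": any(s <= d["offset"] < e for s, e in module_ranges),
            })
    return hits


# Constructed GDT image: null descriptor, the usual flat ring-0 and ring-3 code
# segments, and a ring-3 32-bit call gate through selector 0x08 to a constructed
# kernel address 0x8055AA10. Nothing here was read from a real machine.
SAMPLE_GDT = struct.pack("<4Q", 0, 0x00CF9B000000FFFF, 0x00CFFB000000FFFF,
                         0x8055EC000008AA10)
SAMPLE_MODULES = [(0x804D7000, 0x806E4000)]  # constructed ntoskrnl range


def run_demo():
    return find_call_gates(decode_gdt(SAMPLE_GDT), SAMPLE_MODULES)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

The target module lookup is informational only: a gate is an anomaly whether its offset lands in ntoskrnl or in unnamed memory, because nothing in Windows is supposed to be reachable through the GDT that way.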
23. TDL3 Rootkit – ATAPI IRP hooks
The TDL3 rootkit usually infects the ATAPI driver with a small loader for the real rootkit code in the PE resource area of atapi.sys and changes the entrypoint to its loader code.
The real rootkit part is stored encrypted in disk sectors. The loader uses low level disk operations to read the sectors, decrypts the mini TDL file system and starts the real rootkit code.
To hide and protect its sectors TDL3 uses IRP hooking in ATAPI.SYS.
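One check that applies to the pointer tables from slides 3, 5, 9 and 23 alike, as an added example that is neither from the original slides nor a Laboskopia script: every slot of a kernel pointer table dumped with dps (SSDT, Shadow SSDT, a driver's MajorFunction array) is resolved against the module list from lm, and SYSENTER_EIP is compared with the address the symbol must resolve to, following a relative JMP when the value was redirected inside ntoskrnl the way Rustock.B does it. Module ranges, table contents, addresses and code bytes are constructed; the two parsers expect text in a simplified shape of those commands' output.

```python
import re
import struct

# Constructed sample data: module ranges, table contents and code bytes are invented.
LM_OUTPUT = """\
804d7000 806e4000 nt
bf800000 bf9c3000 win32k
f9ea0000 f9eb8000 atapi
"""
SSDT_OUTPUT = """\
80501bfc  8058d8a8 nt!NtAcceptConnectPort
80501c00  805daa22 nt!NtAccessCheck
80501c04  f9c36140
80501c08  805e5c60 nt!NtAddAtom
"""
ATAPI_MAJOR_OUTPUT = """\
81f0e0b8  f9ea32e0 atapi!IdePortDispatch
81f0e0bc  f9ea32e0 atapi!IdePortDispatch
81f0e0c0  f9c36200
81f0e0f0  f9ea3b10 atapi!IdePortDispatchDeviceControl
"""
KIFASTCALLENTRY = 0x804DE6F0  # constructed address for nt!KiFastCallEntry
HOOKED_MSR = 0x8053A2C0       # constructed: inside nt, but not KiFastCallEntry
# Constructed bytes at HOOKED_MSR: E9 + rel32 = "jmp 0xf9c36000", i.e. a jump out
# of ntoskrnl into memory that belongs to no loaded module.
FAKE_MEMORY = {HOOKED_MSR: bytes.fromhex("e93bbd6f79")}


def parse_lm(text):
    """'start end name' lines in the shape of WinDbg's `lm` -> [(name, start, end)]."""
    rows = re.findall(r"^[ \t]*([0-9a-fA-F]+)[ \t]+([0-9a-fA-F]+)[ \t]+(\S+)", text, re.M)
    return [(name, int(s, 16), int(e, 16)) for s, e, name in rows]


def parse_dps(text):
    """'slot value [symbol]' lines in the shape of `dps` -> [(slot, value, symbol)]."""
    rows = re.findall(r"^[ \t]*([0-9a-fA-F]+)[ \t]+([0-9a-fA-F]+)(?:[ \t]+(\S+))?", text, re.M)
    return [(int(s, 16), int(v, 16), sym) for s, v, sym in rows]


def module_for(addr, mods):
    """Name of the loaded module containing addr, or None."""
    return next((name for name, s, e in mods if s <= addr < e), None)


def check_table(dps_text, mods, expected):
    """One finding per slot whose target lies outside module `expected`.

    A target inside the expected module is not proof of a clean entry; see
    check_sysenter for a hook that stays inside ntoskrnl.
    """
    findings = []
    for slot, value, symbol in parse_dps(dps_text):
        owner = module_for(value, mods)
        if owner != expected:
            findings.append(f"slot {slot:08x} -> {value:08x} ({symbol or 'no symbol'}) "
                            f"in {owner or 'no loaded module'}")
    return findings


def check_sysenter(msr_value, expected_addr, mods, read):
    """Compare SYSENTER_EIP (MSR 0x176) with the address nt!KiFastCallEntry resolves to.

    Any other value is a hook even when it lies inside ntoskrnl; if the bytes at
    that value are a relative JMP (opcode E9) the jump is followed to its target.
    """
    res = {"hooked": msr_value != expected_addr, "msr_module": module_for(msr_value, mods),
           "jmp_target": None, "jmp_target_module": None}
    if res["hooked"]:
        code = read(msr_value, 5)
        if len(code) == 5 and code[0] == 0xE9:
            rel = struct.unpack("<i", code[1:5])[0]
            target = (msr_value + 5 + rel) & 0xFFFFFFFF
            res["jmp_target"] = target
            res["jmp_target_module"] = module_for(target, mods)
    return res


def fake_read(addr, n):
    """Stand-in for reading kernel memory (WinDbg `db`) from the constructed image."""
    return FAKE_MEMORY.get(addr, b"")[:n]


def run_demo():
    mods = parse_lm(LM_OUTPUT)
    return {
        "ssdt": check_table(SSDT_OUTPUT, mods, "nt"),
        "atapi_irp": check_table(ATAPI_MAJOR_OUTPUT, mods, "atapi"),
        "sysenter_clean": check_sysenter(KIFASTCALLENTRY, KIFASTCALLENTRY, mods, fake_read),
        "sysenter_hooked": check_sysenter(HOOKED_MSR, KIFASTCALLENTRY, mods, fake_read),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Two things to keep in mind when applying this to a real dump: a slot that dps prints without a symbol is already a hint, since every legitimate SSDT or dispatch entry resolves to a named export, and the range check is only the first filter, because a pointer that stays inside the right module can still lead through a patched instruction to code elsewhere, which is exactly why the SYSENTER case follows the jump.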
26. TDL3 Rootkit – Shared Memory structure (Kernel-/User mode)
To share information with its usermode components TDL3 uses the structure KUSER_SHARED_DATA.
This structure is accessible from the kernel at address 0xFFDF0000 and is mapped to userspace at 0x7FFE0000. Kernel mode has read/write access to this structure, usermode has only read access.
At KUSER_SHARED_DATA+0308h (SystemCallPad) TDL3 stores a pointer to an own structure. This structure stores a bunch of things like kernelbase, original ATAPI IRPs, TDL3 FS start, path to its config file …
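Reading the SystemCallPad slots, as an added example that is not from the original slides. The layout is the 32-bit XP one the slide refers to (SystemCall at +0x300, SystemCallReturn at +0x304, SystemCallPad at +0x308; later Windows versions place these fields elsewhere), and the sample pages, the ntdll addresses and the parked pointer 0x81F2C5A8 are constructed. read_live_page() uses the read-only user-mode mapping on Windows; the check itself runs on any saved copy of the page.

```python
import struct
import sys

USER_SHARED_DATA_VA = 0x7FFE0000   # user-mode, read-only mapping of the structure
PAGE_SIZE = 0x1000
# 32-bit Windows XP layout of the system call area (offsets differ on later versions):
OFF_SYSTEMCALL = 0x300        # SystemCall        Uint4B
OFF_SYSTEMCALLRETURN = 0x304  # SystemCallReturn  Uint4B
OFF_SYSTEMCALLPAD = 0x308     # SystemCallPad[3]  Uint8B, unused by Windows -> all zero


def parse_syscall_area(page):
    """Pull the SystemCall fields out of a raw copy of KUSER_SHARED_DATA."""
    if len(page) < OFF_SYSTEMCALLPAD + 3 * 8:
        raise ValueError("need at least 0x320 bytes of KUSER_SHARED_DATA")
    syscall, syscall_ret = struct.unpack_from("<II", page, OFF_SYSTEMCALL)
    pad = list(struct.unpack_from("<3Q", page, OFF_SYSTEMCALLPAD))
    return {"SystemCall": syscall, "SystemCallReturn": syscall_ret,
            "SystemCallPad": pad, "pad_used": any(pad)}


def check(page, kernel_ranges):
    """One finding per non-zero pad slot, noting whether the value looks like a
    kernel pointer (the way TDL3 used the slot) or some other value."""
    findings = []
    for i, value in enumerate(parse_syscall_area(page)["SystemCallPad"]):
        if value:
            in_kernel = any(s <= value < e for s, e in kernel_ranges)
            findings.append(f"SystemCallPad[{i}] = 0x{value:x} "
                            f"({'kernel address' if in_kernel else 'not a kernel address'})")
    return findings


def read_live_page():
    """On Windows, read the structure through its user-mode mapping; every
    process has it mapped, so no driver is needed. Elsewhere there is no such page."""
    if sys.platform != "win32":
        raise OSError("KUSER_SHARED_DATA is only mapped on Windows")
    import ctypes
    return ctypes.string_at(USER_SHARED_DATA_VA, PAGE_SIZE)


def make_page(syscall=0x7C90E4F0, syscall_ret=0x7C90E4F4, pad=(0, 0, 0)):
    """Build a constructed 4 KiB image of the structure with the given fields.
    The default SystemCall/SystemCallReturn values are invented ntdll addresses."""
    page = bytearray(PAGE_SIZE)
    struct.pack_into("<II", page, OFF_SYSTEMCALL, syscall, syscall_ret)
    struct.pack_into("<3Q", page, OFF_SYSTEMCALLPAD, *pad)
    return bytes(page)


# Constructed samples: a clean page and one with a pointer parked in the pad.
KERNEL_RANGES = [(0x80000000, 0x100000000)]  # 32-bit kernel half, default 2 GB split
CLEAN_PAGE = make_page()
INFECTED_PAGE = make_page(pad=(0x81F2C5A8, 0, 0))


def run_demo():
    return {"clean": check(CLEAN_PAGE, KERNEL_RANGES),
            "infected": check(INFECTED_PAGE, KERNEL_RANGES)}


if __name__ == "__main__":
    print(run_demo())
```

Because the page is readable from every process, this is one of the few kernel-side traces of TDL3 that a plain user-mode tool can look at without a driver; the kernel-side copy at 0xFFDF0000 shows the same bytes in WinDbg.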
30. TDL3 Rootkit – Traces in the system worker threads
Drivers requiring delayed processing usually use a work item, queued with IoQueueWorkItem together with a pointer to its callback routine. When a system worker thread processes the queued item, the item gets removed and the callback gets invoked.
System worker threads run in the system process context (PID 4).
The TDL3 rootkit is using work items as well. Whenever work items have been processed or other system threads have been created, this leaves traces on the callstack.
As TDL3 does not belong to any known module, the process thread view informs us about this problem.
32. TDL4 Rootkit – Finding TDL4 with its invalid device object
33. TDL4 Rootkit – ATAPI DriverStartIO hook
The TDL4 rootkit hooks the ATAPI driver as well, but in a lower level way than its predecessor.
As more and more tools were easily able to dump its files even from usermode via IOCTL_SCSI_PASS_THROUGH_DIRECT calls directly to the port device, TDL4 changed the hook method to DriverStartIO.
For standard Windows miniport drivers like atapi.sys, any SCSI request dispatching is always reduced to DriverStartIO. This makes it a lot harder to dump the TDL4 files.
35. TDL4 Rootkit – Finding the Kernel Callback with a Windbg script
Rootkits often use kernel callbacks to get notified when files are loaded, processes or threads are created, or registry events occur.
TDL4 installs a kernel callback to inject its usermode payload into distinctive Windows processes.
38. TDL4 Rootkit – Finding inline hooks in user mode payload
39. Stuxnet Rootkit – IoFsRegistrationChange
Stuxnet's mrxnet.sys driver adds a new device object and attaches to the device chain of devices with the object type FileSystem (by default fastfat, ntfs, cdfs). This makes it possible to control and intercept IRP requests.
A filesystem registration callback makes it possible to attach to the device chain of newly created filesystems.