This document discusses malware analysis and rootkits. It covers various types of malware threats, tools used to analyze malware, and methodologies for analyzing malware and rootkit internals. Specific rootkits discussed include boot sector viruses, rootkit concealment techniques like SSDT and IDT hooking, and ways to fight rootkits like using rootkit detection tools.
4. Sysinternals suite
Procmon, Process Explorer
Regmon, Regshot
PEview
SysTracer
5. 1982 Siberian pipeline sabotage
2001 Magic Lantern
2005 Sony BMG copy protection rootkit scandal: digital rights management software called Extended Copy Protection, exposed by Mark Russinovich
2004–2005 Greek wiretapping case
Rootkit.Duqu.A
6. A rootkit is just a technology for subverting the standard operating system.
The design goals of a rootkit are to provide three services:
1. remote access
2. monitoring
3. concealment
7. Real mode: ring 3
- MS-DOS kernel.
- Interrupt Service Routines (ISRs) and the Interrupt Vector Table (IVT).
Protected mode: ring 0
- The OS kernel loads in protected mode, called ring 0 or kernel mode.
- The unprivileged area is called ring 3 or user mode.
11. [Diagram: Taskmgr.exe calls NtQueryInformation in NTDLL, which delivers the request to ntoskrnl and returns the result; after injecting AppInitHook, the result is modified before it reaches Taskmgr.exe.]
12. [Diagram: call flow of the hooked NtQuerySystemInformation. AppInitHook occupies 0x2000 with its return point at 0x2100; NTDLL is loaded at 0x6000 with NtQuerySystemInformation at 0x6500. The hook calls NtQuerySystemInformation in ntdll at 0x6500, which returns to 0x2100 in AppInitHook.]
13. AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Other ways:
SetWindowsHookEx
WriteProcessMemory + CreateRemoteThread
Change in the import table
16. HookedNtQuerySystemInformation(
        __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
        __inout PVOID SystemInformation,
        __in ULONG SystemInformationLength,
        __out_opt PULONG ReturnLength )
    // Call the original NtQuerySystemInformation, then walk the returned process list
    PMY_SYSTEM_PROCESS_INFORMATION pNext =
        (PMY_SYSTEM_PROCESS_INFORMATION)SystemInformation;
    // Entries whose image name matches calc.exe are the ones the hook hides
    if (!wcsncmp(pNext->ImageName.Buffer, L"calc.exe", pNext->ImageName.Length))
    // Return the (filtered) result to the caller
    Return result
20. SSDT hooking:
1. Get the address of the SSDT.
2. Get the offset address of the functions from the SSDT.
3. Save the original address.
4. Write the address of our function into the SSDT.
5. If the query call is for our file, deny access; if not, call the original function from the saved address.
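Added example (not from the slides): two checks a rootkit detector applies against the techniques above, verifying that SSDT entries still point inside the kernel image (slide 20) and that the prologue of an ntdll syscall stub such as NtQuerySystemInformation has not been overwritten with a jump (slides 11-13). It runs over constructed memory snapshots rather than live memory; the kernel base, image size, driver address and service number are made-up values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Check 1 (slide 20): every SSDT entry should point inside the kernel image.
 * An entry overwritten with the address of a rootkit function usually lands
 * outside [kernel_base, kernel_base + kernel_size). Returns the count of
 * entries that fall outside that range. */
size_t ssdt_entries_outside_kernel(const uint64_t *ssdt, size_t count,
                                   uint64_t kernel_base, uint64_t kernel_size)
{
    size_t suspicious = 0;
    for (size_t i = 0; i < count; i++)
        if (ssdt[i] < kernel_base || ssdt[i] >= kernel_base + kernel_size)
            suspicious++;
    return suspicious;
}

/* Check 2 (slides 11-13): an unpatched x64 ntdll syscall stub begins with
 *   4C 8B D1        mov r10, rcx
 *   B8 xx xx xx xx  mov eax, <system service number>
 * A user-mode hook overwrites these bytes with a jump to its own code (for
 * example E9 rel32), so a prologue that no longer starts this way is
 * suspicious. Returns 1 if the prologue is intact, 0 otherwise. */
int ntdll_stub_intact(const uint8_t *code, size_t len)
{
    if (len < 8)
        return 0;
    return code[0] == 0x4C && code[1] == 0x8B && code[2] == 0xD1 &&
           code[3] == 0xB8;
}

int main(void)
{
    /* Constructed snapshot: made-up kernel base and 8 MiB image size. */
    const uint64_t kbase = 0xFFFFF80000000000ULL;
    const uint64_t ksize = 8u << 20;
    const uint64_t ssdt[3] = { kbase + 0x1000, kbase + 0x2340,
                               0xFFFFF88001230000ULL /* made-up driver address */ };
    /* Constructed stub bytes; the service number 0x36 is illustrative. */
    const uint8_t clean[8]   = { 0x4C, 0x8B, 0xD1, 0xB8, 0x36, 0x00, 0x00, 0x00 };
    const uint8_t patched[8] = { 0xE9, 0x10, 0x20, 0x00, 0x00, 0x90, 0x90, 0x90 };

    printf("SSDT entries outside kernel image: %zu\n",
           ssdt_entries_outside_kernel(ssdt, 3, kbase, ksize));
    printf("clean stub intact: %d, patched stub intact: %d\n",
           ntdll_stub_intact(clean, 8), ntdll_stub_intact(patched, 8));
    return 0;
}
```

On a real system the SSDT walk runs in a kernel driver and the stub bytes come from reading the loaded ntdll.dll in the target process; the checks themselves are unchanged.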