Conducting forensic examination and analysis of rootkit programs using TDL4 as an example
Alex Matrosov
1. Conducting forensic examination and analysis of rootkit programs using Win32/Olmarik (TDL4) as an example. Aleksandr Matrosov, Evgeny Rodionov
2.
3.
4. Installation stages on x86/x64
5. Bootkit and bypassing the signature check
6. Debugging the bootkit in the Bochs emulator
7. Kernel-mode hooks
8. Debugging with WinDbg
9. TDL4 file system
10.
11. Evolution of rootkits functionality (flattened diagram comparing x86 and x64, user-mode dropper vs. kernel-mode rootkit): bypass HIPS and AV, self-defense, privilege escalation, surviving reboot, bypass signature check, install rootkit driver, injecting payload, bypass MS PatchGuard
12.
13. It is difficult to load an unsigned kernel-mode driver
14. Kernel-Mode Patch Protection (PatchGuard):
15. SSDT (System Service Dispatch Table)
16. IDT (Interrupt Descriptor Table)
17. GDT (Global Descriptor Table)
18.
19. Evolution of TDL rootkits
20. Installation x86/x64
21.
22. Installation stages: exploit, payload, dropper, rootkit
23. Dropper layouts
24. Dropped modules
25. Installation x86
26. Installation x64
27. Bootkit and bypassing driver signature check
28.
29. Kernel-Mode Code Signing Policy
30.
31. Boot process of Windows OS
32. Code integrity check
33. Boot Configuration Data (BCD)
34. BCD Example
35. BCD Elements controlling KMCSP (before KB2506014)
36.
37. Switch off kernel-mode code signing checks by altering BCD data:
38. abuse WinPE mode
39. disable signing check
40.
41. Abusing WinPE mode: workflow
42.
43.
44. Bypassing KMCSP: result. Bootmgr fails to verify the OS loader's integrity; MS10-015 killed TDL3
45. Debugging bootkit with Bochs
46. Bochs support starting from IDA 5.5
47. DEMO
48. Kernel-mode hooks
49. Stealing Miniport Driver Object: before infection / after infection
50. Stealing Miniport Device Object
51.
52. IOCTL_ATA_PASS_THROUGH_DIRECT
53. IOCTL_ATA_PASS_THROUGH;
54. IRP_MJ_INTERNAL_DEVICE_CONTROL
55. To protect:
56. Infected MBR;
57.
58. WinDbg and kdcom.dll (flattened diagram of the WinDbg, KDCOM.DLL and NTOSKRNL exchange): KdDebuggerInitialize (RETURN_STATUS), KdSendPacket (data packet, RETURN_CONTROL), KdReceivePacket (data packet, KD_RECV_CODE_OK)
59. TDL4 and kdcom.dll: original call / fake call
60. TDL4 and kdcom.dll: original export table / fake export table
61. DEMO
62.
kd> !object \Device\Harddisk0
Object: e1022d10  Type: (8a5e54f0) Directory
    ObjectHeader: e1022cf8 (old version)
    HandleCount: 1  PointerCount: 8
    Directory Object: e10116f0  Name: Harddisk0

    Hash Address  Type          Name
    ---- -------  ----          ----
     21  8a5c9ab8 Device        DR0
     24  8a5c8c68 Device        DP(1)0x7e00-0xffea9600+1
     33  e101abe8 SymbolicLink  Partition0
         8a5c88a0 Device        DP(2)0x1748a3fc00-0x1bf0797a00+2
     34  e1011258 SymbolicLink  Partition1
     35  e101a078 SymbolicLink  Partition2
63.
kd> !devobj \Device\Harddisk0\DR0
Device object (8a5c9ab8) is for:
 DR0 \Driver\Disk DriverObject 8a5cd730
Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000050
Vpb 8a5dafa8 Dacl e101723c DevExt 8a5c9b70 DevObjExt 8a5c9fd0 Dope 8a59ff98
ExtensionFlags (0000000000)
AttachedDevice (Upper) 8a5c9890 \Driver\PartMgr
AttachedTo (Lower) 89fd9028 89fd9028: is not a device object
64.
kd> !devstack 8a5c9ab8
  !DevObj   !DrvObj          !DevExt   ObjectName
  8a5c9890  \Driver\PartMgr  8a5c9948
> 8a5c9ab8  \Driver\Disk     8a5c9b70  DR0
Invalid type for DeviceObject 0x89fd9028
65.
kd> dt _DEVICE_OBJECT 0x89fd9028
ntdll!_DEVICE_OBJECT
   +0x000 Type             : 0n0
   +0x002 Size             : 0xfb8
   +0x004 ReferenceCount   : 0n0
   +0x008 DriverObject     : 0x899574f0 _DRIVER_OBJECT
   +0x00c NextDevice       : 0x8a5ca028 _DEVICE_OBJECT
   +0x010 AttachedDevice   : 0x8a5c9ab8 _DEVICE_OBJECT
   +0x014 CurrentIrp       : (null)
   +0x018 Timer            : (null)
   +0x01c Flags            : 0x5050
   +0x020 Characteristics  : 0x100
   +0x024 Vpb              : (null)
   +0x028 DeviceExtension  : 0x89fd90e0 Void
   +0x02c DeviceType       : 7
66.
kd> !drvobj 0x899574f0
Driver object (899574f0) is for:
899574f0: is not a driver object
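The WinDbg session on slides 62-66 is the forensic signal of a stolen miniport device: the object attached below \Device\Harddisk0\DR0 is wired into the stack (its AttachedDevice points back at DR0) but is not a device object the debugger accepts, and its DriverObject is not a driver object either. The following is an added example, not code from the presentation or from ESET. It parses the `!devstack` and `dt _DEVICE_OBJECT` text as WinDbg prints it, using the session from slides 64-65 as one sample input and a constructed clean object as the contrast, and applies the checks the analyst makes by eye. It assumes that a genuine nt!_DEVICE_OBJECT carries Type 3 (IO_TYPE_DEVICE); that constant and the addresses in the clean sample are not from the slides.

```python
"""Spot a hijacked lower device in a disk device stack from WinDbg output.

Added example; not code from the presentation or from ESET.  It parses the
text printed by `!devstack` and `dt _DEVICE_OBJECT <addr>` and applies the
checks an analyst makes by eye: a genuine nt!_DEVICE_OBJECT has Type == 3
(IO_TYPE_DEVICE) and a non-null DriverObject, and every object reached by the
stack walk must be one the debugger accepts.  The object TDL4 wires in below
\\Device\\Harddisk0\\DR0 fails these checks.
"""
import re
from typing import Dict, List

IO_TYPE_DEVICE = 3   # nt!_DEVICE_OBJECT.Type of a real device object (assumption, not from the slides)

# One `dt` field line, e.g. "+0x008 DriverObject : 0x899574f0 _DRIVER_OBJECT"
_FIELD_RE = re.compile(
    r"^\s*\+0x[0-9a-fA-F]+\s+(\w+)\s*:\s*(\(null\)|0n-?\d+|0x[0-9a-fA-F]+|\d+)")
# Lines in which WinDbg itself rejects an object it was asked to follow
_REJECT_RE = re.compile(
    r"is not a device object|is not a driver object|Invalid type for DeviceObject")


def parse_dt_device_object(dump: str) -> Dict[str, int]:
    """Turn `dt _DEVICE_OBJECT` output into {field: int}.

    WinDbg prints small integers as 0nNN (decimal), pointers as 0x...,
    plain decimals for enums such as DeviceType, and (null) for a zero pointer.
    """
    fields: Dict[str, int] = {}
    for line in dump.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue
        name, token = m.groups()
        if token == "(null)":
            fields[name] = 0
        elif token.startswith("0n"):
            fields[name] = int(token[2:], 10)
        elif token.startswith("0x"):
            fields[name] = int(token, 16)
        else:
            fields[name] = int(token, 10)
    return fields


def device_object_anomalies(fields: Dict[str, int]) -> List[str]:
    """Structural checks on one parsed device object."""
    problems: List[str] = []
    if fields.get("Type") != IO_TYPE_DEVICE:
        problems.append(f"Type={fields.get('Type')}, expected {IO_TYPE_DEVICE} (IO_TYPE_DEVICE)")
    if not fields.get("DriverObject"):
        problems.append("DriverObject is null")
    return problems


def debugger_rejections(windbg_text: str) -> List[str]:
    """Lines where WinDbg refused to interpret an object in the stack."""
    return [ln.strip() for ln in windbg_text.splitlines() if _REJECT_RE.search(ln)]


def lower_device_is_suspect(dt_dump: str, stack_dump: str, upper_addr: int) -> bool:
    """True when the object below `upper_addr` is wired into the stack (its
    AttachedDevice points back up at `upper_addr`) yet is malformed or rejected
    by the debugger: the shape of a stolen miniport device object."""
    fields = parse_dt_device_object(dt_dump)
    wired_in = fields.get("AttachedDevice") == upper_addr
    return wired_in and bool(device_object_anomalies(fields) or debugger_rejections(stack_dump))


# Sample input copied from slides 64 and 65 (the infected machine).
TDL4_DEVSTACK = """\
kd> !devstack 8a5c9ab8
  !DevObj   !DrvObj          !DevExt   ObjectName
  8a5c9890  \\Driver\\PartMgr  8a5c9948
> 8a5c9ab8  \\Driver\\Disk     8a5c9b70  DR0
Invalid type for DeviceObject 0x89fd9028
"""
TDL4_DT = """\
kd> dt _DEVICE_OBJECT 0x89fd9028
ntdll!_DEVICE_OBJECT
   +0x000 Type             : 0n0
   +0x002 Size             : 0xfb8
   +0x004 ReferenceCount   : 0n0
   +0x008 DriverObject     : 0x899574f0 _DRIVER_OBJECT
   +0x00c NextDevice       : 0x8a5ca028 _DEVICE_OBJECT
   +0x010 AttachedDevice   : 0x8a5c9ab8 _DEVICE_OBJECT
   +0x014 CurrentIrp       : (null)
   +0x01c Flags            : 0x5050
   +0x02c DeviceType       : 7
"""
# Constructed contrast (addresses invented for the example): a well-formed
# lower device object sitting under DR0.
CLEAN_DT = """\
kd> dt _DEVICE_OBJECT 0x8a5c7000
nt!_DEVICE_OBJECT
   +0x000 Type             : 0n3
   +0x002 Size             : 0xb8
   +0x004 ReferenceCount   : 0n0
   +0x008 DriverObject     : 0x8a4d1000 _DRIVER_OBJECT
   +0x010 AttachedDevice   : 0x8a5c9ab8 _DEVICE_OBJECT
   +0x02c DeviceType       : 7
"""

if __name__ == "__main__":
    print("TDL4 lower device:", device_object_anomalies(parse_dt_device_object(TDL4_DT)))
    print("debugger said:", debugger_rejections(TDL4_DEVSTACK))
    print("suspect:", lower_device_is_suspect(TDL4_DT, TDL4_DEVSTACK, 0x8a5c9ab8))
    print("clean:", lower_device_is_suspect(CLEAN_DT, "", 0x8a5c9ab8))
```

Feed it the text of your own `!devstack` and `dt` commands, passing the address of the device you started from (DR0 here) as `upper_addr`; the AttachedDevice cross-check keeps a random malformed object elsewhere in memory from being reported as part of this stack.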
67. TDL hidden file system
68.
69. Encrypted contents (stream cipher: RC4, XOR-ing)
70. Implemented as a hidden volume in the system
71.
72. TDL4 Device Stack
73. TDL4 File System Layout
74. TdlFsReader as a forensic tool
75. TdlFsReader as a forensic tool
76. TdlFsReader architecture (flattened diagram, user-mode and kernel-mode parts): TdlFileReader, TdlFsRecognizer, TdlFsDecryptor, TdlSelfDefenceDisabler, LowLevelHddReader
77. TdlFsReader architecture (flattened diagram): TdlFsRecognizer, TdlFsDecryptor, FsCheckVersion, TdlCheckVersion, FsStructureParser, TdlDecryptor, TdlSelfDefenceDisabler, TdlUnHooker, HddBlockReader
78. DEMO
79.
80. Questions
81. Thank you for your attention ;) Aleksandr Matrosov, matrosov@eset.sk, @matrosov; Eugene Rodionov, rodionov@eset.sk, @vxradius
82.
83. Download: crackmephd.esetnod32.ru
84. Send the keys and a short description of the solving process by e-mail to phd@esetnod32.ru
85. Get the prizes: Amazon Kindle DX, Amazon Kindle 3 Wi-Fi, ESET Smart Security (3 years)
Editor's notes
Stores boot loader parameters. Was introduced for the first time in Windows Vista as a replacement for the boot.ini file, to conform with the UEFI specification. Has the same physical layout as a registry hive.
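The note above and slides 35-39 describe the BCD store and the elements that could switch the kernel-mode code signing policy off before KB2506014 (abusing WinPE mode, disabling the signing check). As an added example, not code from the presentation, the following Python script audits the text that `bcdedit /enum` prints and reports every boot entry in which one of those elements is enabled. The element names winpe, nointegritychecks and testsigning are the ones bcdedit uses; they do not appear on the slides, and the sample output is constructed for the example.

```python
"""Audit `bcdedit /enum` output for BCD elements that weaken the kernel-mode
code signing policy (KMCSP).

Added example, not code from the presentation.  It parses the text printed
by `bcdedit /enum` and reports each boot entry in which the winpe,
nointegritychecks or testsigning element is enabled.  The element names are
bcdedit's own; the sample output below is constructed, not from a real host.
"""
import re
from typing import Dict, List, Tuple

# Elements as bcdedit names them, with the effect each has on code signing.
RISKY_ELEMENTS = {
    "winpe": "boots the entry in WinPE mode (abused before KB2506014 to skip the signing check)",
    "nointegritychecks": "turns off kernel-mode code integrity checks",
    "testsigning": "lets test-signed kernel-mode code load",
}
_ENTRY_UNDERLINE = re.compile(r"^-{5,}\s*$")               # dashes under an entry heading
_ELEMENT_LINE = re.compile(r"^(\w+)\s{2,}(\S.*?)\s*$")      # "name<2+ spaces>value"


def parse_bcdedit_enum(text: str) -> List[Dict[str, str]]:
    """Split `bcdedit /enum` output into one {element: value} dict per entry.

    Each entry starts with a heading line ("Windows Boot Loader") followed by a
    line of dashes; the heading is kept under the "_heading" key.
    """
    entries: List[Dict[str, str]] = []
    previous = ""
    for line in text.splitlines():
        if _ENTRY_UNDERLINE.match(line):
            entries.append({"_heading": previous.strip()})
        else:
            m = _ELEMENT_LINE.match(line)
            if m and entries:
                entries[-1][m.group(1)] = m.group(2)
        previous = line
    return entries


def kmcsp_weakening(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(identifier, element, why) for every risky element that is switched on."""
    findings: List[Tuple[str, str, str]] = []
    for entry in entries:
        ident = entry.get("identifier", entry.get("_heading", "?"))
        for element, why in RISKY_ELEMENTS.items():
            if entry.get(element, "").strip().lower() in ("yes", "on", "true"):
                findings.append((ident, element, why))
    return findings


# Constructed sample in the layout bcdedit /enum uses; the {current} entry has
# been given the two elements slides 38-39 describe.
SAMPLE_BCDEDIT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \\Windows
nointegritychecks       Yes
winpe                   Yes
testsigning             No
"""

if __name__ == "__main__":
    for ident, element, why in kmcsp_weakening(parse_bcdedit_enum(SAMPLE_BCDEDIT)):
        print(f"{ident}: {element} enabled - {why}")
```

Run `bcdedit /enum` on the host and pass its output to `parse_bcdedit_enum`. This reads only what the on-disk store reports; slide 44 shows the effect TDL4 achieves at boot time, so a clean result here is one signal to combine with MBR and boot-code inspection, not proof that the signing policy is intact.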