Views: 1924  Replies: 14
General methods for hiding drivers and files
Reposted from <www.rootkit.com>
Driver hiding based on the following methods:
1. removing module from PsLoadedModulesList (that bypasses some old rkdetectors)
2. removing object from ObjectDirectory (that bypassed GMER, IceSword and some others)
3. removing module from DriverObjects
4. removing module from DeviceObjects
5. memzero for POBJECT_HEADER (that finally bypasses DarkSpy)
6. fake thread start address (to be sure that antirootkit will not show "unknown thread")
7. using non-usual wait function to bypass "Stealth Walker" detection method of our Rootkit Unhooker Antirootkit.
//-----------------------------------------------------------------------------------
File hiding based on the following methods:
1. We are using NTFS ADS (that bypasses DarkSpy, IceSword automatically)
2. ADS attached to root directory of disk C: (that automatically bypasses GMER, RootkitRevealer)
3. driver sets itself up as File System Filter and filters some IRPs like IRP_MJ_READ, IRP_MJ_QUERY_INFORMATION etc. That bypasses all other antirootkits that use RAW reading (BlackLight, Rootkit Unhooker etc).
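The first item in the post, unlinking the module's entry from PsLoadedModulesList, is classic DKOM, and the reason the post says it only beats "some old rkdetectors" is that a detector which does not trust the list links can still find the entry. The following is an added example, not code from the post or from the Unreal rootkit: a user-mode C simulation that builds a LIST_ENTRY-style list inside a fake pool, splices one entry out the way DKOM does, then shows a plain list walk missing it while a scan over the pool slots still detects it from the inconsistent neighbour links. The simulated pool, the module names (including the constructed "hidden.sys"), the cut-down MODULE_ENTRY structure and the Flink/Blink consistency check are all assumptions for illustration; a real KLDR_DATA_TABLE_ENTRY has many more fields.

```c
/* Added example, not from the rootkit.com post: user-mode simulation of
 * DKOM unlinking from a LIST_ENTRY list such as PsLoadedModulesList,
 * plus a pool-style scan that still finds the unlinked entry. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink, *Blink;
} LIST_ENTRY;

/* Cut-down stand-in for KLDR_DATA_TABLE_ENTRY (assumption for illustration). */
typedef struct {
    LIST_ENTRY InLoadOrderLinks;
    char BaseDllName[32];
    void *DllBase;
} MODULE_ENTRY;

#define POOL_SLOTS 4
static MODULE_ENTRY g_pool[POOL_SLOTS];   /* simulated nonpaged pool */
static LIST_ENTRY g_list_head;           /* simulated PsLoadedModulesList */

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }

static void list_insert_tail(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h;
    e->Blink = h->Blink;
    h->Blink->Flink = e;
    h->Blink = e;
}

/* The DKOM trick: neighbours stop pointing at the entry, but the entry's
 * own Flink/Blink are left untouched so the hidden code keeps working. */
static void dkom_unlink(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* Build the fake module list. Module names are constructed sample data. */
void setup(void) {
    const char *names[POOL_SLOTS] = {"ntoskrnl.exe", "hal.dll", "ndis.sys", "hidden.sys"};
    list_init(&g_list_head);
    memset(g_pool, 0, sizeof g_pool);
    for (int i = 0; i < POOL_SLOTS; i++) {
        strcpy(g_pool[i].BaseDllName, names[i]);
        g_pool[i].DllBase = (void *)(0x80000000UL + 0x100000UL * i);
        list_insert_tail(&g_list_head, &g_pool[i].InLoadOrderLinks);
    }
}

/* What the rootkit does: remove its own entry from the list. */
void hide_module(const char *name) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (strcmp(g_pool[i].BaseDllName, name) == 0)
            dkom_unlink(&g_pool[i].InLoadOrderLinks);
}

/* Naive detector: follow Flink from the head. Returns 1 if name is seen. */
int list_walk_finds(const char *name) {
    for (LIST_ENTRY *p = g_list_head.Flink; p != &g_list_head; p = p->Flink) {
        MODULE_ENTRY *m = CONTAINING_RECORD(p, MODULE_ENTRY, InLoadOrderLinks);
        if (strcmp(m->BaseDllName, name) == 0) return 1;
    }
    return 0;
}

/* Pool-scan detector: look at every slot regardless of the links. An entry
 * whose neighbours no longer point back at it has been unlinked. */
int pool_scan_finds_unlinked(const char *name) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        LIST_ENTRY *e = &g_pool[i].InLoadOrderLinks;
        if (e->Flink == NULL) continue;            /* empty slot */
        int orphaned = (e->Flink->Blink != e) || (e->Blink->Flink != e);
        if (orphaned && strcmp(g_pool[i].BaseDllName, name) == 0) return 1;
    }
    return 0;
}

int main(void) {
    setup();
    hide_module("hidden.sys");
    printf("list walk finds hidden.sys: %d\n", list_walk_finds("hidden.sys"));
    printf("pool scan finds unlinked hidden.sys: %d\n", pool_scan_finds_unlinked("hidden.sys"));
    return 0;
}
```

The scan only works because the detector already knows where every candidate entry lives (here, every slot of the fake pool). In a real kernel that step needs a pool or signature scan for recognizable structures, and item 5 in the post, zeroing the object header, targets detectors that locate objects by such recognizable headers; a link-consistency check helps only once candidate entries have been located.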
#1
Posted on: 2007-02-25 17:22
So one can use DeviceObjects to delete the anti-rootkit's device object, and thereby hide oneself.
#2
Posted on: 2007-02-25 17:44
Put more simply: just don't let the anti-rootkit run~
#3
Posted on: 2007-02-25 18:02
This is EP_X0FF's Unreal; that one is simple, there are related posts on this board.
#4
Posted on: 2007-02-25 19:10
Heh heh
#5
Posted on: 2007-02-26 08:51
There is currently a way to detect all code executing in the kernel, including the case where you directly allocate a block of memory, copy your code into it and then unload yourself; how stable it is remains a question, though. These days everyone has to get a bit extreme......
#6
Posted on: 2007-02-26 12:17
Quoting #5 by wowocock, posted 2007-02-26 08:51:
So I solidified (固化) it~
#7
Posted on: 2007-02-26 12:45
Have you solidified today?
#8
Posted on: 2007-02-26 12:54
Solidifying can actually be checked too~~, for example by shipping hash data for the system files: we ship it~
#9
Posted on: 2007-02-26 13:09
Quoting #8 by killvxk, posted 2007-02-26 12:54:
Put all the system file data and hashes on a server (taken from the MS install disc), then connect to the server under Linux to verify; anything that doesn't match gets chopped.
#10
Posted on: 2007-02-26 17:41
Quoting #5 by wowocock, posted 2007-02-26 08:51:
Just like infection ("solidifying"), this is malicious intent too. Everyone is fighting inside the system address space, it's either you die or I live, and nobody gains anything that way. Why doesn't the driver development forum teach people to learn for good? It's either hooking system interfaces, or infecting normal driver files and calling it "solidifying", or else rewriting or overwriting the other side's in-memory code, or destroying or unloading the device objects the other side uses to talk to its user-mode application. It has become a complete encyclopedia of dirty tricks.
#11
Posted on: 2007-02-26 17:51
Quoting #10 by guaiguaiguan, posted 2007-02-26 17:41:
No dirty tricks; nothing to do with the OS, handled only at the CPU level.
#12
Posted on: 2007-02-26 20:03
Quoting #11 by wowocock, posted 2007-02-26 17:51:
A virtual machine, impressive, similar to VMware and VirtualPC.
#13
Posted on: 2007-02-26 21:50
wowo has started using virtualization too?
#14
Posted on: 2007-04-30 18:55
A double-edged blade; it depends on how you choose to wield it.