CallStack-based hook detection for Anti-Rootkit
  Added: 07/10/2008   Published: 07/10/2008
 
The methods Anti-Rootkit tools currently use to scan for hooks fall mainly into the following kinds:
  1. Inline hook and IAT/EAT hook detection

  An Anti-Rootkit tool reads the system file from disk, maps it and applies its relocations, then compares the result against the code of the same module in memory; any difference is reported as an inline hook (EAT/IAT hooks are found the same way, by comparing the tables). Tools that work like this include Rootkit Unhooker, GMER and IceSword.

  To defeat this inline-hook scan, rootkits use a number of ways of hiding their own hooks.

  One is the Shadow Walker technique: hooking the page-fault handler (interrupt 0Eh) so that the hooked code is hidden from memory reads. Another, used by some domestic authors, hooks the file system driver's IRP_MJ_READ: when a file such as ntfs.sys is read, the returned data is patched, so the scanner receives the wrong (already "clean") bytes and concludes that the code in memory is correct. There are many ways of this kind to make the traditional inline-hook check fail.
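The disk-versus-memory comparison of point 1, as an added example in user-mode C (this is not code from the article or from Rootkit Unhooker, GMER or IceSword): a constructed code section as it sits in the file on disk, the same section after the loader rebased it and a rootkit wrote a JMP over a function entry, and a scan that applies the base relocations before diffing the two. The bases, the relocation entry at RVA 0x111 and the JMP target 0xDEAD0000 are all made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_LEN   0x300                /* size of the constructed section */
#define PREF_BASE 0x10000000u          /* ImageBase recorded in the file on disk (made up) */
#define LOAD_BASE 0x20000000u          /* where the loader actually placed it (made up) */

typedef struct {
    uint32_t rva;      /* RVA of the first mismatching byte */
    uint32_t len;      /* length of the mismatching run */
    int      jmp_out;  /* 1 if the run starts with a JMP rel32 that leaves the module */
    uint32_t target;   /* absolute JMP target when jmp_out is set */
} hook_hit_t;

static uint32_t rd32(const uint8_t *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* Rebase a copy of the on-disk section: every IMAGE_REL_BASED_HIGHLOW entry
 * gets the load delta added, exactly what the loader does. Without this step
 * every absolute address in the module would look patched. */
static void apply_relocs(uint8_t *img, const uint32_t *reloc_rvas, size_t n, uint32_t delta)
{
    for (size_t i = 0; i < n; i++)
        wr32(img + reloc_rvas[i], rd32(img + reloc_rvas[i]) + delta);
}

/* Diff the relocated disk image against the in-memory copy and record each run
 * of differing bytes. A run beginning with E9 is decoded as JMP rel32 and its
 * target checked against the module range. Returns the number of runs found. */
static size_t find_hooks(const uint8_t *disk, const uint8_t *mem, size_t len,
                         uint32_t load_base, hook_hit_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; ) {
        if (disk[i] == mem[i]) { i++; continue; }
        size_t start = i;
        while (i < len && disk[i] != mem[i]) i++;
        if (n < max) {
            hook_hit_t *h = &out[n];
            h->rva = (uint32_t)start; h->len = (uint32_t)(i - start);
            h->jmp_out = 0; h->target = 0;
            if (mem[start] == 0xE9 && start + 5 <= len) {
                h->target  = load_base + (uint32_t)start + 5 + rd32(mem + start + 1);
                h->jmp_out = h->target < load_base || h->target - load_base >= len;
            }
        }
        n++;
    }
    return n;
}

/* Constructed sample (made-up bytes, not real ntfs.sys): a function prologue at
 * RVA 0x100 and a "mov eax,[abs]" at RVA 0x110 whose operand has a base
 * relocation entry at RVA 0x111. */
static uint8_t g_disk[IMG_LEN], g_mem[IMG_LEN];
static const uint32_t g_relocs[] = { 0x111 };

static void build_sample(void)
{
    static const uint8_t prologue[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
    memset(g_disk, 0xCC, IMG_LEN);
    memcpy(g_disk + 0x100, prologue, sizeof prologue);
    g_disk[0x110] = 0xA1;                            /* mov eax, [PREF_BASE + 0x200] */
    wr32(g_disk + 0x111, PREF_BASE + 0x200);

    memcpy(g_mem, g_disk, IMG_LEN);
    apply_relocs(g_mem, g_relocs, 1, LOAD_BASE - PREF_BASE);   /* the loader's work */
    /* the rootkit's inline hook: JMP rel32 from the function entry into its own, unlisted memory */
    g_mem[0x100] = 0xE9;
    wr32(g_mem + 0x101, 0xDEAD0000u - (LOAD_BASE + 0x100 + 5));
}

/* Run the scan over the sample. with_relocs == 0 skips the rebasing step so
 * the false positive it causes can be seen. */
size_t scan_sample(int with_relocs, hook_hit_t *out, size_t max)
{
    uint8_t disk[IMG_LEN];
    build_sample();
    memcpy(disk, g_disk, IMG_LEN);
    if (with_relocs)
        apply_relocs(disk, g_relocs, 1, LOAD_BASE - PREF_BASE);
    return find_hooks(disk, g_mem, IMG_LEN, LOAD_BASE, out, max);
}

int main(void)
{
    hook_hit_t hits[8];
    for (int relocs = 1; relocs >= 0; relocs--) {
        size_t n = scan_sample(relocs, hits, 8);
        printf("%s relocation: %zu mismatching run(s)\n", relocs ? "with" : "without", n);
        for (size_t i = 0; i < n && i < 8; i++) {
            printf("  rva 0x%04x len %u", hits[i].rva, hits[i].len);
            if (hits[i].jmp_out) printf("  JMP to 0x%08x, outside the module", hits[i].target);
            printf("\n");
        }
    }
    return 0;
}
```

With the relocation applied the only mismatch is the 5-byte JMP at RVA 0x100, whose target lies outside the module range; without it the rebased absolute operand at RVA 0x114 shows up as a second, false hit, which is why the tools map and relocate the file before comparing (a real scanner must also exclude or fix up the IAT, whose slots are legitimately filled at load time). What this user-mode sketch cannot model is the evasion described above: if the file read itself goes through a hooked IRP_MJ_READ, the "disk" bytes are already lies, so a scanner should fetch the file with its own disk access rather than through the file system driver it is checking.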

  2. Object hooks

  Object hooks are generally better hidden and harder to detect.

  Well-known object hooks include replacing entries in a driver object's MajorFunction dispatch table, hooking a callback routine or the GetCell routine in a key object (KCB) (zzzzevazzzz has released related code), and hooking the pointers in some other generic linked list of an object to implement self-hiding or self-protection (details in some of tombkeeper's articles).

  The current detection methods generally scan these object structures, locate the corresponding pointers, and check whether each has been hooked using signature search, module-range comparison and similar techniques. Rootkit Unhooker and GMER work this way (Rootkit Unhooker checks quite a few kinds of object hook).

  But these tools can only detect the object hooks they already know about. Once a rootkit author hides with an unknown object hook, or the platform changes and the layout of the data structures with it, the object hook becomes very hard to find; the traditional object-hook detection method is therefore easy for a rootkit author to bypass.
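The object-structure scan of point 2, as an added example in user-mode C (not code from the article, Rootkit Unhooker or GMER): a constructed \FileSystem\Ntfs MajorFunction table is checked entry by entry against the module that owns the driver object and against a constructed loaded-module list, the "module-range comparison" named above. The module addresses, the nt!IopInvalidDeviceRequest address, the third-party driver and the two hook targets are all made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define IRP_MJ_CREATE            0x00
#define IRP_MJ_READ              0x03
#define IRP_MJ_DIRECTORY_CONTROL 0x0c
#define IRP_MJ_PNP               0x1b
#define IRP_MJ_MAXIMUM_FUNCTION  0x1b
#define MJ_COUNT (IRP_MJ_MAXIMUM_FUNCTION + 1)

typedef struct { const char *name; uint32_t base, size; } module_t;

/* Constructed loaded-module list; an Anti-Rootkit tool would walk
 * PsLoadedModuleList for this. All addresses are made up. */
static const module_t g_modules[] = {
    { "ntoskrnl.exe",   0x80400000u, 0x00200000u },
    { "ntfs.sys",       0xF8A00000u, 0x00090000u },
    { "thirdparty.sys", 0xF8B00000u, 0x00010000u },
};
#define NTFS_MODULE (&g_modules[1])

/* The I/O manager leaves every MajorFunction slot a driver does not implement
 * pointing at nt!IopInvalidDeviceRequest; that address is inside ntoskrnl, not
 * inside the driver, and must not be reported. Constructed address. */
static const uint32_t g_IopInvalidDeviceRequest = 0x80452100u;

typedef enum { DISP_OK, DISP_DEFAULT, DISP_FOREIGN_MODULE, DISP_UNKNOWN_CODE } verdict_t;

static const module_t *module_of(uint32_t addr)
{
    for (size_t i = 0; i < sizeof g_modules / sizeof g_modules[0]; i++)
        if (addr >= g_modules[i].base && addr - g_modules[i].base < g_modules[i].size)
            return &g_modules[i];
    return NULL;
}

/* Classify one dispatch entry of a driver object whose image is `owner`. */
verdict_t check_dispatch(uint32_t entry, const module_t *owner)
{
    if (entry == g_IopInvalidDeviceRequest) return DISP_DEFAULT;
    const module_t *m = module_of(entry);
    if (m == owner) return DISP_OK;
    return m ? DISP_FOREIGN_MODULE : DISP_UNKNOWN_CODE;
}

/* Scan a whole MajorFunction table; returns how many entries look hooked. */
size_t scan_major_functions(const uint32_t *major, size_t n, const module_t *owner, verdict_t *out)
{
    size_t suspicious = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = check_dispatch(major[i], owner);
        if (out[i] >= DISP_FOREIGN_MODULE) suspicious++;
    }
    return suspicious;
}

/* Constructed \FileSystem\Ntfs table: implemented slots point into ntfs.sys,
 * unimplemented slots at the I/O manager default (which slots Ntfs really
 * implements varies by version and does not matter here), plus two hooks. */
static uint32_t g_ntfs_major[MJ_COUNT];

size_t scan_sample_ntfs(verdict_t *out)
{
    for (size_t i = 0; i < MJ_COUNT; i++)
        g_ntfs_major[i] = (i <= 0x0f || i == IRP_MJ_PNP)
                        ? NTFS_MODULE->base + 0x1000u * (uint32_t)(i + 1)
                        : g_IopInvalidDeviceRequest;
    g_ntfs_major[IRP_MJ_READ]              = 0xF8B02340u;  /* inside thirdparty.sys: a lead, not proof */
    g_ntfs_major[IRP_MJ_DIRECTORY_CONTROL] = 0xF9C12340u;  /* inside no listed module: hidden rootkit code */
    return scan_major_functions(g_ntfs_major, MJ_COUNT, NTFS_MODULE, out);
}

int main(void)
{
    static const char *names[] = { "ok", "default (IopInvalidDeviceRequest)",
                                   "HOOKED: points into another listed module",
                                   "HOOKED: points into unlisted memory" };
    verdict_t v[MJ_COUNT];
    size_t bad = scan_sample_ntfs(v);
    for (size_t i = 0; i < MJ_COUNT; i++)
        if (v[i] != DISP_OK)
            printf("MajorFunction[0x%02zx] = 0x%08x  %s\n", i, g_ntfs_major[i], names[v[i]]);
    printf("%zu suspicious entries\n", bad);
    return 0;
}
```

Two caveats a practitioner would add. First, an entry that points into another loaded module is only a lead: port/class driver models legitimately fill a miniport's dispatch table with the port driver's routines, so the verdict has to be confirmed before it is called a hook. Second, and this is the point the text makes, the scan only covers the pointer fields the tool knows to look at (here the MajorFunction array); a rootkit that hooks a pointer the tool does not enumerate, or a platform whose structure layout differs from what the tool expects, is not seen at all.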

  Here a new hook detection method is proposed: detecting hooks by means of the CallStack.

  Let us first look at a typical way a rootkit installs a hook:

  for example, hooking IRP_MJ_DIRECTORY_CONTROL of \FileSystem\Ntfs to hide files; rootkit.com has related code.

  Their code usually looks like this:

    #include <ntddk.h>

    NTSTATUS MyNtfsDriCtl(PDEVICE_OBJECT devobj, PIRP pIrp);

    static PDRIVER_DISPATCH g_OldNtfsDriCtl;   // saved original dispatch routine

    NTSTATUS HookFsd(LPCWSTR DrvName)
    {
        PDRIVER_OBJECT drvobj = NULL;
        // ... obtain the ntfs driver object named by DrvName (elided on the page)
        // save the original dispatch address
        g_OldNtfsDriCtl = drvobj->MajorFunction[IRP_MJ_DIRECTORY_CONTROL];
        // replace it with the rootkit's own dispatch routine
        drvobj->MajorFunction[IRP_MJ_DIRECTORY_CONTROL] = MyNtfsDriCtl;
        // ...
        return STATUS_SUCCESS;
    }

    NTSTATUS MyNtfsDriCtl(PDEVICE_OBJECT devobj, PIRP pIrp)
    {
        NTSTATUS stat;
        // ... some initialization processing ...
        __asm
        {
            push pIrp                 // stdcall: arguments pushed right to left
            push devobj
            // the listing on this page breaks off after the two pushes; the saved
            // g_OldNtfsDriCtl is evidently what gets called with them next
            call g_OldNtfsDriCtl
            mov  stat, eax
        }
        return stat;
    }
