Professional.Rootkits.Subverting.the.Windows.Kernel [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Professional.Rootkits.Subverting.the.Windows.Kernel [Electronic resources] - نسخه متنی

Greg. Hoglund

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Sitemap

Rootkits: Subverting the Windows Kernel

Table of Contents

Copyright

Praise for Rootkits

Preface

Historical Background

Target Audience

Prerequisites

Scope

Acknowledgments

About the Authors

About the Cover

Chapter 1. Leave No Trace

Understanding Attackers Motives

What Is a Rootkit?

Why Do Rootkits Exist?

How Long Have Rootkits Been Around?

How Do Rootkits Work?

What a Rootkit Is Not

Rootkits and Software Exploits

Offensive Rootkit Technologies

Conclusion

Chapter 2. Subverting the Kernel

Important Kernel Components

Rootkit Design

Introducing Code into the Kernel

Building the Windows Device Driver

Loading and Unloading the Driver

Logging the Debug Statements

Fusion Rootkits: Bridging User and Kernel Modes

Loading the Rootkit

Decompressing the .sys File from a Resource

Surviving Reboot

Conclusion

Chapter 3. The Hardware Connection

Ring Zero

Tables, Tables, and More Tables

Memory Pages

The Memory Descriptor Tables

The Interrupt Descriptor Table

The System Service Dispatch Table

The Control Registers

Multiprocessor Systems

Conclusion

Chapter 4. The Age-Old Art of Hooking

Userland Hooks

Kernel Hooks

A Hybrid Hooking Approach

Conclusion

Chapter 5. Runtime Patching

Detour Patching

Jump Templates

Variations on the Method

Conclusion

Chapter 6. Layered Drivers

A Keyboard Sniffer

The KLOG Rootkit: A Walk-through

File Filter Drivers

Conclusion

Chapter 7. Direct Kernel Object Manipulation

DKOM Benefits and Drawbacks

Determining the Version of the Operating System

Communicating with the Device Driver from Userland

Hiding with DKOM

Token Privilege and Group Elevation with DKOM

Conclusion

Chapter 8. Hardware Manipulation

Why Hardware?

Modifying the Firmware

Accessing the Hardware

Example: Accessing the Keyboard Controller

How Low Can You Go? Microcode Update

Conclusion

Chapter 9. Covert Channels

Remote Command, Control, and Exfiltration of Data

Disguised TCP/IP Protocols

Kernel TCP/IP Support for Your Rootkit Using TDI

Raw Network Manipulation

Kernel TCP/IP Support for Your Rootkit Using NDIS

Host Emulation

Conclusion

Chapter 10. Rootkit Detection

Detecting Presence

Detecting Behavior

Conclusion

Index

index_SYMBOL

index_A

index_B

index_C

index_D

index_E

index_F

index_G

index_H

index_I

index_J

index_K

index_L

index_M

index_N

index_O

index_P

index_R

index_S

index_T

index_U

index_V

index_W

index_Z
توضیحات
افزودن یادداشت جدید







Index

[SYMBOL]
[A]
[B]
[C]
[D]
[E]
[F]
[G]
[H]
[I]
[J]
[K]
[L]
[M]
[N]
[O]
[P]
[R]
[S]
[T]
[U]
[V]
[W]
[Z]

I/O bus

I/O Control Codes (IOCTLs) 2nd 3rd

I/O Controller Hub (ICH) chips

I/O Request Packets.
[See IRPs (I/O Request Packets)]

IAT (Import Address Table)

finding hooks

hooking 2nd

in rootkit detection

ICH (I/O Controller Hub) chips

ICMP packets

IdentifySSDTHooks function

Idle process

IDS software, bypassing

IDTENTRY structure

IDTINFO structure

IDTRs (interrupt descriptor table registers)

IDTs (Interrupt Descriptor Tables)

hooking

in rootkit detection

working with

IMAGE_DIRECTORY_ENTRY_IMPORT structure

IMAGE_IMPORT_BY_NAME structure

IMAGE_IMPORT_DESCRIPTOR structure 2nd

IMAGE_INFO structure

Import Address Table (IAT)

finding hooks

hooking 2nd

in rootkit detection

in instruction 2nd

in_addr structure

Include files

INCLUDES variable

INETADDR macro

Infected files for reboot survival

InitThreadKeyLogger function

Injecting DLLs into processes

Inline functions

finding hooks

hooking

InstallTCPDriverHook function

InstDrv tool

Instructions, alignment

INT 2E instruction

Integrity Protection Driver (IPD) 2nd

Intel processors, microcode updates

Interfaces, binding to

Interlocked functions

InterlockedExchange function

Interrupt descriptor table registers (IDTRs)

Interrupt Descriptor Tables (IDTs)

hooking

in rootkit detection

working with

Interrupt flags

Interrupt gates

Interrupt service routines (ISRs) 2nd

Interrupt tables

for CPUs

with jump templates

Interrupts for keystrokes

IO_STACK_LOCATION

IoAttachDevice function

IoCallDriver function 2nd 3rd

IoCompletionRoutine function 2nd

IoCopyCurrentIrpStack LocationToNext function

IoCreateDevice function

IoCreateSymbolicLink function

IOCTL_DRV_INIT IOCTL

IOCTL_DRV_VER IOCTL

IOCTLs (I/O Control Codes) 2nd 3rd

IoDetachDevice function

IoGetCurrentIrpStackLocation function

IoGetCurrentProcess function

IoGetDeviceObjectPointer function

IoGetNextIrpStackLocation function

IoSetCompletionRoutine function 2nd

IoSkipCurrentIrpStack Location function

IoSkipCurrentStackLocation function

IPD (Integrity Protection Driver) 2nd

IRP_ values

IRP_MJ_DEVICE_CONTROL

IRPs (I/O Request Packets)

and stack locations

completion routines for

driver tables for

finding hooks

for keyboards

hooking

in rootkit detection

working with

ISRs
[See Interrupt Service Routines]


/ 111