Rootkits in Windows XP: What they are and how they work

What is a rootkit?
- The name comes from the UNIX administrator account "root"; "kit" refers to a collection of tools.
- Used to hide and preserve the presence of a hacker on a system.

Classification of Rootkits
- Persistent rootkits: stored on a fixed disk and survive system reboots.
- Non-persistent rootkits: do not survive reboots.

User Mode vs Kernel Mode Rootkits
- Processes in Windows XP run in one of two modes of execution:
  - User Mode: limited access to the system. Most applications run in user mode. User-mode rootkits are limited to altering the behavior of a single process.
  - Kernel Mode: full access to the system. Device drivers and operating system code run here. Kernel-mode rootkits can alter the behavior of the entire system.

How do rootkits work?
- Rootkits hide and preserve the presence of a hacker on a system by:
  - Altering the flow of execution:
    - Hooking: Import Address Table hooking, System Service Descriptor Table hooking, inline function hooking
    - Layered filter drivers
  - Altering kernel data used in system accounting:
    - Direct Kernel Object Manipulation (DKOM)

Import Address Table (IAT) Hooking
- User-mode rootkits.
- The IAT is a table of pointers to the memory locations of imported API functions.
- Rootkits change a pointer in the table to point to some rootkit function; the function is now "hooked".
- The hook is limited to one process.

System Service Descriptor Table (SSDT) Hooking
- Kernel-mode rootkits.
- The SSDT is a single kernel table that stores pointers to system API functions.
- Hooks affect the entire system instead of a single process, unlike IAT hooks.
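Both the IAT and the SSDT slides describe the same kind of tampering: a table of function pointers in which one entry is redirected. A defender checks such a table by asking, for every entry, whether the pointer still lands inside the module that is supposed to own it (the exporting DLL for an IAT slot, ntoskrnl.exe for the main SSDT on XP). The following is an added example, not code from the presentation: all module address ranges, table snapshots and module names (including the rootkit module names evil.sys and evil.dll) are constructed for illustration, and nothing here reads a real process or kernel.

```python
"""Pointer-table integrity check for IAT-style and SSDT-style hooks.

Constructed example: module ranges, table entries and module names are made
up for this illustration. In a real scan the module map would come from the
loaded-module list and the tables from the target process / kernel memory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def find_owner(addr, modules):
    """Name of the module whose address range contains addr, or None if unmapped."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def check_pointer_table(table, modules):
    """table: list of (slot_name, expected_module, pointer).

    Returns one finding per slot whose pointer does not resolve into the
    module that should own it. A slot pointing into no known module is
    reported as 'unmapped', which is just as suspicious as a wrong module.
    """
    findings = []
    for slot, expected, ptr in table:
        owner = find_owner(ptr, modules)
        if owner != expected:
            findings.append({"slot": slot, "expected": expected,
                             "actual": owner or "unmapped", "pointer": ptr})
    return findings


# Constructed module map (hypothetical 32-bit XP-style addresses).
MODULES = [
    ModuleRange("kernel32.dll", 0x7C800000, 0xF6000),
    ModuleRange("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    ModuleRange("evil.sys", 0xF8A10000, 0x8000),    # hypothetical rootkit driver
    ModuleRange("evil.dll", 0x10000000, 0x4000),    # hypothetical injected DLL
]

# Constructed IAT snapshot of one process: which DLL each import should resolve into.
IAT_SNAPSHOT = [
    ("kernel32!CreateFileW",   "kernel32.dll", 0x7C810CD9),
    ("kernel32!FindNextFileW", "kernel32.dll", 0x10001230),  # redirected into evil.dll
    ("kernel32!ReadFile",      "kernel32.dll", 0x7C80180E),
]

# Constructed SSDT snapshot: every slot of the main table should live in ntoskrnl.exe.
SSDT_SNAPSHOT = [
    ("NtQuerySystemInformation", "ntoskrnl.exe", 0x8060A1F0),
    ("NtQueryDirectoryFile",     "ntoskrnl.exe", 0xF8A12340),  # redirected into evil.sys
    ("NtOpenProcess",            "ntoskrnl.exe", 0x805C3F10),
]


def scan_all():
    """Run the same check over a per-process table and the system-wide table."""
    return {
        "iat": check_pointer_table(IAT_SNAPSHOT, MODULES),
        "ssdt": check_pointer_table(SSDT_SNAPSHOT, MODULES),
    }


if __name__ == "__main__":
    for table_name, findings in scan_all().items():
        for f in findings:
            print(f"[{table_name}] {f['slot']} -> {f['pointer']:#010x} "
                  f"in {f['actual']} (expected {f['expected']})")
```

The check is identical for both tables; only the scope differs, which is exactly the distinction the slides draw: an IAT finding concerns one process, an SSDT finding concerns every caller of that system service. Hooks that stay inside the expected module (for example a patched function body rather than a redirected pointer) are not caught by this check; the inline-hook case needs a byte-level comparison instead.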

Inline Function Hooking
- User-mode rootkits.
- Directly alters imported functions in a process's memory space.
- Overwrites the function preamble with a JMP instruction to some rootkit code.
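Because an inline hook rewrites the first bytes of the function rather than a pointer, a pointer-table check does not see it. What a defender compares instead is the function's in-memory preamble against a known-good copy (for example the bytes of the same function in the on-disk image), and, when they differ, decodes a leading relative JMP (opcode E9) to learn where execution is being diverted. This is an added example, not code from the presentation: the function address, module range, hook target and the preamble bytes are constructed, and build_hooked_preamble exists only to produce sample input for the detector.

```python
"""Preamble comparison for inline function hooks (constructed example).

The clean preamble is the XP-style hotpatchable prologue
(mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10). All addresses are
hypothetical; nothing here touches a real process.
"""
import struct

JMP_REL32 = 0xE9

CLEAN_PREAMBLE = bytes.fromhex("8BFF558BEC83EC10")
FUNC_ADDR = 0x7C80180E              # hypothetical address of the function in kernel32
KERNEL32 = (0x7C800000, 0xF6000)    # hypothetical (base, size) of kernel32.dll
HOOK_TARGET = 0x10001230            # hypothetical address of rootkit code


def decode_leading_jmp(func_addr, preamble):
    """Return the target of a leading JMP rel32, or None if the bytes do not start with one."""
    if len(preamble) >= 5 and preamble[0] == JMP_REL32:
        rel = struct.unpack("<i", preamble[1:5])[0]
        # Target is relative to the end of the 5-byte instruction; wrap to 32 bits like x86.
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    return None


def check_preamble(name, func_addr, in_memory, known_good, module_range):
    """Compare the loaded preamble with the known-good copy.

    Returns None when they match, otherwise a finding describing whether the
    modification is a simple JMP and whether its target stays inside the module.
    """
    if in_memory[:len(known_good)] == known_good:
        return None
    target = decode_leading_jmp(func_addr, in_memory)
    base, size = module_range
    return {
        "function": name,
        "modified": True,
        "jmp_target": target,
        "target_inside_module": target is not None and base <= target < base + size,
    }


def build_hooked_preamble(func_addr, target, clean):
    """Construct sample input only: what the preamble looks like after a 5-byte JMP overwrite."""
    rel = (target - (func_addr + 5)) & 0xFFFFFFFF
    return bytes([JMP_REL32]) + struct.pack("<I", rel) + clean[5:]


def demo():
    hooked = build_hooked_preamble(FUNC_ADDR, HOOK_TARGET, CLEAN_PREAMBLE)
    clean_result = check_preamble("FindNextFileW", FUNC_ADDR, CLEAN_PREAMBLE, CLEAN_PREAMBLE, KERNEL32)
    hooked_result = check_preamble("FindNextFileW", FUNC_ADDR, hooked, CLEAN_PREAMBLE, KERNEL32)
    return clean_result, hooked_result


if __name__ == "__main__":
    clean, hooked = demo()
    print("clean copy:", clean)
    print("hooked copy:", hooked)
```

A JMP whose target lies inside the same module is not automatically malicious (Windows itself uses the two-byte `mov edi,edi` slot for hotpatching), which is why the finding records the target's location rather than a verdict; a target in an unnamed region of memory or in an unexpected module is what warrants a closer look.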

Layered Filter Drivers
- Kernel-mode rootkits.
- Legitimately used by firewalls and anti-virus scanners.
- Layered filter driver rootkits can filter out certain files from a directory listing.
- Accomplished at a much lower level of the OS than hooking.

Direct Kernel Object Manipulation (DKOM)
- Kernel-mode rootkits.
- Direct manipulation of the \Device\PhysicalMemory object.
- DKOM rootkits are able to hide things from the entire system.
- The most powerful of the techniques.

DKOM Example: Hiding a Process
- EPROCESS blocks form a linked list that maintains the set of active processes.
- A node removed from that list is called a Ghost Process.
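A process unlinked from the EPROCESS list disappears from any tool that enumerates processes by walking that list, but it is not gone: the kernel still schedules its threads and still knows it by other means, such as the PID-keyed lookup table. The standard detection is therefore a cross-view comparison: enumerate processes two independent ways and report anything present in one view but missing from the other. The following is an added example, not code from the presentation; the node layout is a simplified stand-in for EPROCESS/ActiveProcessLinks, and the PIDs, names and the already-tampered snapshot are constructed for illustration.

```python
"""Cross-view detection of a ghost process (constructed model).

View 1 walks a circular doubly-linked list of process nodes, the way a
process-listing API does. View 2 is an independent PID-keyed table.
The snapshot below is constructed already in its tampered state: the node
for ghost.exe is absent from the linked list but still present in the table.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcNode:
    pid: int
    name: str
    flink: Optional["ProcNode"] = None
    blink: Optional["ProcNode"] = None


def build_circular_list(nodes):
    """Link the given nodes into a circular doubly-linked list and return its head."""
    for i, n in enumerate(nodes):
        n.flink = nodes[(i + 1) % len(nodes)]
        n.blink = nodes[(i - 1) % len(nodes)]
    return nodes[0]


def walk_active_list(head):
    """View 1: follow flink from the head until it comes back around."""
    seen, cur = [], head
    while True:
        seen.append(cur.pid)
        cur = cur.flink
        if cur is head:
            return seen


def check_list_consistency(head):
    """Sanity check a defender can also run: every node's flink.blink must point back to it."""
    cur = head
    while True:
        if cur.flink.blink is not cur:
            return False
        cur = cur.flink
        if cur is head:
            return True


def cross_view(list_view, table_view):
    """PIDs present in the independent table but absent from the linked-list walk."""
    return sorted(set(table_view) - set(list_view))


def demo():
    system = ProcNode(4, "System")
    smss = ProcNode(368, "smss.exe")
    ghost = ProcNode(1337, "ghost.exe")
    explorer = ProcNode(1820, "explorer.exe")

    # Constructed tampered snapshot: the list was built without the ghost node.
    head = build_circular_list([system, smss, explorer])

    # Independent view: a PID-keyed table that the list tampering did not touch.
    pid_table = {p.pid: p.name for p in (system, smss, ghost, explorer)}

    list_view = walk_active_list(head)
    hidden = cross_view(list_view, pid_table)
    return {
        "list_view": list_view,
        "list_consistent": check_list_consistency(head),
        "hidden": [(pid, pid_table[pid]) for pid in hidden],
    }


if __name__ == "__main__":
    result = demo()
    print("processes seen by list walk:", result["list_view"])
    print("hidden (in table, not in list):", result["hidden"])
```

Note that the linked list itself passes its own consistency check after a clean unlink, so a defender cannot rely on list-internal invariants alone; the signal comes from disagreement between two sources that the rootkit would have had to tamper with separately. The same cross-view idea applies to the filter-driver slide above: comparing a directory listing obtained through the normal API with one obtained by parsing the file system at a lower level exposes entries filtered out on the way up.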

The End