Malware in the Master Boot Record (Trojan.Mebroot)

First, let's look at what the master boot area actually is.

The master boot sector sits at track 0, cylinder 0, sector 1 of the hard disk and contains the Master Boot Record (MBR) and the Disk Partition Table (DPT). The job of the MBR is to check that the partition table is valid and to determine which partition is the boot partition; when it finishes, it loads that partition's boot program (the operating-system boot sector) into memory and executes it.

Whoever controls this area controls the operating system!

Modifying the master boot area in order to load or infect was popular in the 1980s and 90s. Much of the anti-virus software of that era shipped on disk media, and one indispensable feature was the ability to write-protect a floppy and boot the computer from it, so that boot-sector viruses could be removed from a clean environment. The early viruses were technically fairly sophisticated; later, as more and more tools appeared, anyone who could get online could churn out hundreds or thousands of malicious programs and virus variants. What deserves attention now is that rootkit backdoors which load by overwriting the master boot area have appeared.

In 2005 and 2007 researchers presented two experimental rootkits that modify the master boot area, and the 2007 one could even break through a fully patched Vista system, which has comparatively strong security.

Because of a design problem in Windows, an ordinary user account can read and write the hard disk at will, including critical locations such as the MBR, without any restriction. MBR rootkits are therefore extremely damaging to the system.

Some motherboard BIOSes ship with an anti-virus feature that blocks reads and writes to the master boot area. Now that genuinely harmful MBR rootkits have appeared, it may be time for everyone to enable that protection option in the BIOS.
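As an added example (not code from the original post), here is a small Python parser for the 512-byte sector described above. It checks the 0x55AA boot signature, walks the four 16-byte partition entries to find the active (bootable) partition, applies the MBR's own sanity rule for the partition table, and compares a SHA-256 of the 446-byte bootstrap-code area against a known-good baseline, which is the kind of check a defender can use to notice that the boot code has been overwritten. The sample sector is constructed by hand.

```python
import hashlib
import struct

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, first LBA, sector count
CODE_SIZE = 446           # bytes 0..445 hold the bootstrap code, 446..509 the DPT

def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one active type-0x07 partition."""
    boot_code = b"\xEB\x3C\x90" + b"\x00" * (CODE_SIZE - 3)
    active = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2097152)
    return boot_code + active + b"\x00" * 48 + b"\x55\xAA"

def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code and partition entries; reject a bad signature."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte sector with a 0x55AA signature")
    parts = []
    for i in range(4):
        off = CODE_SIZE + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        parts.append({"index": i, "status": status, "type": ptype, "lba": lba, "sectors": count})
    return {"boot_code": sector[:CODE_SIZE], "partitions": parts}

def partition_table_ok(sector: bytes) -> bool:
    """The MBR's sanity rule: every status is 0x00 or 0x80, and exactly one entry is active."""
    parts = parse_mbr(sector)["partitions"]
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        return False
    return sum(1 for p in parts if p["status"] == 0x80) == 1

def boot_partition(sector: bytes):
    """Index of the partition the MBR would hand control to, or None."""
    for p in parse_mbr(sector)["partitions"]:
        if p["status"] == 0x80 and p["type"] != 0:
            return p["index"]
    return None

def boot_code_digest(sector: bytes) -> str:
    """Fingerprint of the bootstrap-code area only (the DPT may legitimately change)."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()

def boot_code_changed(baseline: bytes, current: bytes) -> bool:
    """Defensive check: has the boot code been overwritten since the baseline was taken?"""
    return boot_code_digest(baseline) != boot_code_digest(current)
```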

Rootkit FAQ (how to…)

FAQ: how do I get started with rootkits?

Source: rootkit.com  Author: Clandestiny  Translator: fqh

“Help! I'm a newbie! I need a rootkit to break into my friend's machine… I want to write my own rootkit… I want to start developing code… Where do I begin?”

Questions like this keep appearing on rootkit.com, and a great deal of time is wasted answering the same questions over and over, so I thought we should put together a short document that covers them in general terms. What follows is far from complete; experienced members of the community are welcome to suggest additions.

So you want to know where to start? Well, first of all, if you came here looking for a ready-made way to break into your friend's machine, you have come to the wrong place! Rootkit.com is primarily an educational site whose purpose is to provide material on rootkit development and articles on the related programming. On the other hand, if you are a beginner who wants to learn how to write your own rootkit and needs some advice on getting started, read on… Unfortunately, rootkit development, like software development, demands a fair amount of prerequisite knowledge that you must master:

1. First, learn a language. C/C++ is the best choice. Unlike other languages, C can embed assembly. Although most programmers rarely use assembly, rootkit development sometimes needs its flexibility, so x86 assembly should become your secondary language. Randall Hyde's The Art of Assembly is one of the best references on assembly programming; it is available both in print and as an e-book.
The Art of Assembly (download edition) is available at http://webster.cs.ucr.edu/AoA/DOS/

2. You need to learn some operating-system theory. A university course in operating-system design is not required, but reading a few chapters of a university computer-science textbook is worthwhile; in particular, you should understand processes, threads and memory management.
Two good books on this subject:
Operating System Concepts, by Silberschatz, Galvin and Gagne
Operating Systems, by Deitel & Deitel

3. You must apply that theory and understand how a real-world operating system such as Windows actually works. Windows is closed source, but many skilled people have reverse engineered how the kernel works and published their findings. Get a book of that kind, such as Sven Schreiber's Undocumented Windows 2000 Secrets or Undocumented Windows NT by Prasad Dabak, Milind Borate and Sandeep Phadke.

4. If you want to develop kernel rootkits, you also have to learn how to write kernel-mode drivers (KMDs). Unfortunately there are very few beginner-friendly tutorials on kernel programming on the Internet, although Four-F has written several good win32 assembly tutorials, available at http://www.assembly-journal.com/sitemap.php. Beyond that there are a few books on the subject, including The Windows 2000 Device Driver Book by Art Baker and Jerry Lozano and Programming the Microsoft Windows Driver Model by Walter Oney.

5. Learn the basics of reverse code analysis, that is, learning what a binary does (its functionality and so on) even when you have no source code. Practising against software protection schemes (serial numbers, time checks, unpacking, feature limits in demo software and so on) is a fun way to build this skill. Many programmers have written small training programs for this purpose, called “crackmes” and “reversemes”, that you can practise on; large collections are at http://www.crackmes.de and http://www.reversemes.de. http://www.woodmann.com hosts a great deal of reverse-engineering material written by experts, and http://bib.universitas-virtualis.org/ also has several excellent tutorials and articles. Reverse engineering also needs some special tools, namely disassemblers and debuggers. IDA Pro is the disassembler of choice; SoftICE (a kernel debugger) and OllyDbg are the debuggers available. Various other tools of this kind can be obtained from http://protools.cjb.net

6. Finally, this site discusses some exploitation tools and rootkits. If you need material to understand them, I recommend Greg Hoglund's Exploiting Software (available on this site) and The Shellcoder's Handbook; both give you a good introduction. Exploiting Software has a chapter on basic rootkit techniques. In general, rootkits can be divided into two kinds by the way they intercept data: hooking, or direct kernel object manipulation (DKOM). The following links may help you understand hooking.

API Spying Techniques
http://www.internals.com/articles/apispy/apispy.htm
Advanced Function Hooking
http://www.phrack.org/show.php?p=58&a=8
Windows NT Service Table Hooking
http://www.wiretapped.net/~fyre/sst.html
Hooking Windows NT System Services
http://www.windowsitlibrary.com/Content/356/06/2.html
Windows NT System-Call Hooking
http://www.ddj.com/articles/1997/9701/
To understand DKOM, read the source code of the FU rootkit written by fuzen_op, which is available on this site.

linkinfo.dll

360 reports linkinfo.dll as the trojan Trojan-Downloader/Win32.Agent.erl. In fact it is not merely a downloader trojan: the DLL also appears to use rootkit hiding techniques, because it cannot be seen at all through ordinary hidden-file viewing. I recommend using 超级巡警 to view rootkit files and programs.
You can use 超级巡警 to forcibly unload the linkinfo.dll component from explorer and then delete it. A full-disk anti-virus scan is recommended afterwards, because every exe file may have been infected.
You can also delete the file in safe mode or from another operating system (for dual-boot users).
Qihoo 360 Security Guard trojan-removal history report:

木马名称:Trojan-Downloader/Win32.Agent.erl
路径:C:\WINDOWS\linkinfo.dll
查杀时间 :2007-12-31 16:53
木马名称:Trojan-Downloader/Win32.Agent.erl
路径:C:\WINDOWS\linkinfo.dll
查杀时间 :2007-12-31 16:24
木马名称:Trojan-Downloader/Win32.Agent.erl
路径:C:\WINDOWS\linkinfo.dll
As you can see

Since this is a downloader, disconnect from the network as soon as it is found, so that the delay does not let it pull down more viruses and trojans. A full-disk scan in safe mode is recommended.

Some thoughts on detecting buffer overflows with stack fingerprints

1. Existing patterns for detecting stack overflows
2. Shortcomings of the existing detection systems
3. Improvements to be made to the engine
4. On the future

Introduction
Concepts such as proactive defence are gradually coming into public view, and the mainstream foreign anti-virus products all have a stack-overflow detection module. Although buffer overflows still account for only a small share of attacks compared with traditional trojans and viruses, by the classic “bucket theory” security is a whole, and the threat is everywhere.

Existing stack-overflow detection patterns

Practical notes on forging return addresses to bypass CallStack checks, and on detecting forged return addresses


Author:[CISRG]KiSSinGGer
E-mail:kissingger@gmail.com
MSN:kyller_clemens@hotmail.com

The title is a bit of a mouthful… Anti-CallStack Check and Anti-Anti-CallStack Check… (;- -)

I recently noticed that MJ0011's “A CallStack-based approach to Anti-Rootkit HOOK detection” and gyzy's “Some thoughts on detecting buffer overflows with stack fingerprints” have much in common.
Both work by examining the return addresses in the CallStack.
I have recently started learning some anti-rootkit techniques, and these two articles were impossible for me to ignore.
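The check that gyzy's stack-fingerprint post above and this CallStack post both build on, written out as an added Python example (not code from either author): given a return address taken from the call stack and the function the frame claims to have called, it verifies that the address lies inside a loaded module, that a call instruction immediately precedes it, and, for a direct call, that the call's target really is that callee, so a return address pointing to some other genuine call site is flagged as well. The module bases, addresses and hand-assembled x86 bytes are constructed for the example.

```python
import struct

# Constructed sample modules: fake base addresses and hand-assembled 32-bit x86 code.
APP_BASE = 0x00401000
K32_BASE = 0x7C800000
SLEEP_ADDR = K32_BASE + 0x20      # pretend kernel32!Sleep lives here
OTHER_ADDR = K32_BASE + 0x80      # some other export

def call_rel32(site: int, target: int) -> bytes:
    """Encode a `call rel32` (opcode E8) located at `site` that jumps to `target`."""
    return b"\xE8" + struct.pack("<i", target - (site + 5))

# app.exe: push 0x64 / call Sleep / nop / call OTHER / ret   (offsets hand-computed)
APP_CODE = (b"\x6A\x64"                                # 0x401000: push 0x64
            + call_rel32(APP_BASE + 2, SLEEP_ADDR)     # 0x401002: call Sleep  -> returns to 0x401007
            + b"\x90"                                  # 0x401007: nop
            + call_rel32(APP_BASE + 8, OTHER_ADDR)     # 0x401008: call OTHER  -> returns to 0x40100D
            + b"\xC3")                                 # 0x40100D: ret
MODULES = {"app.exe": (APP_BASE, APP_CODE),
           "kernel32.dll": (K32_BASE, b"\x90" * 0x100)}   # filler body, never decoded

def module_for(addr: int):
    """Return (name, base, code) of the module containing addr, or None."""
    for name, (base, code) in MODULES.items():
        if base <= addr < base + len(code):
            return name, base, code
    return None

def preceding_call_target(ret_addr: int):
    """(is_call, target): do the bytes just before ret_addr decode as a call?
    target is the resolved address for E8 calls and None for indirect forms."""
    hit = module_for(ret_addr)
    if hit is None:
        return False, None
    _, base, code = hit
    off = ret_addr - base
    if off >= 5 and code[off - 5] == 0xE8:                      # call rel32
        return True, ret_addr + struct.unpack("<i", code[off - 4:off])[0]
    if off >= 6 and code[off - 6:off - 4] == b"\xFF\x15":       # call [disp32]
        return True, None
    if off >= 2 and code[off - 2] == 0xFF and 0xD0 <= code[off - 1] <= 0xD7:  # call reg
        return True, None
    return False, None

def check_frame(ret_addr: int, callee: int) -> str:
    """Classify one frame by the three stack-fingerprint rules described in the posts."""
    if module_for(ret_addr) is None:
        return "outside-module"          # e.g. return into heap or stack shellcode
    is_call, target = preceding_call_target(ret_addr)
    if not is_call:
        return "no-call-before-return"   # address is in a module but was never a call site
    if target is not None and target != callee:
        return "call-target-mismatch"    # real call site, but for a different function
    return "ok"
```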

Rootkit-related links

categories: Decompilers
Garage – Homebrew haxoring of a different type
Network Drivers – Contains links for both NDIS and TDI drivers.
Remote Control Packages

links:

Anti-trojan.org – The world's largest trojan information website. Information on over 1000 different trojans. (3096 hits)
antiserver rootkit collection – a small archive that includes backdoored services (2540 hits)
Author for Google hacking/penetration testers – Very useful website. (556 hits)
Bochs – An x86 emulator w/ source, like VMWare (844 hits)
brilliant trick to program ROM chips – (1007 hits)
Cain and Abel + other tools – Cain & Abel is a password recovery tool for Microsoft Operating Systems. (380 hits)
chkrootkit – a rootkit detector (1881 hits)
DJ CMOS PhNeutral – Keith has informed us that these are the worst mixes of his entire life. This is mostly because of FX’s amazing hospitality and allowing Keith to “enjoy” the bar free of charge. Keith has requested that we remove the files but don’t worry, we told him to fuck himself. (887 hits)
DLL World – search engine and a ton of DLL’s and OCX’x (1296 hits)
Edge Engine – The CMS Engine used for this website (415 hits)
EXEtools – (1974 hits)
exploit archive – yet another, w/ search (2052 hits)
Finding Hidden Processes and Terminate It – “Finding Hidden Processes” is a tool For Finding Hidden Processes in our Systems. (647 hits)
Free Computer Books, Tutorials & Lecture Notes – A whole archive of about everything and anything computer related. Lots of good reference material. (1111 hits)
Generating small executables with Visual C++ – Nice tutorial on how to create small exe’s with visual c++. (1273 hits)
Getting WinDBG and VMWare to play together – (710 hits)
Good info on filesystem drivers – (916 hits)
google hack: browsable directories – this search string returns sites w/ browsable root dir’s (2734 hits)
google hack: finds user auth files – find files called “auth_user_file.txt” – you can crack hashes (1747 hits)
GoogleHack-Getting ASP Pages For Injection Check – This hack shows you, with a search, how to get a direct index of ASP pages for injection checks (277 hits)
Hacking DNA at home – Hacking code getting old? Try DNA instead. This resource will help you build super-virulent E. Coli (be careful!) and grow glow-in-the-dark house plants. (700 hits)
http://www.k-otik.com/exploits/ – exploit archive (1480 hits)
Interrupt Hooking – (1164 hits)
Just check it out – apihooks and others (957 hits)
Kernel Security Therapy Anti-Trolls (KSTAT) – (self describes:) Kernel Security Therapy Anti-Trolls (KSTAT) is a very powerful security tool to detect many kinds of rogue kernel rootkits. It analyzes the kernel through /dev/kmem and detects modified syscalls as well as various other problems. This version runs on 2.4.x only, and can assist in finding and removing trojan LKMs. It supports network socket dumps, sys_call fingerprinting, stealth module scanning, and more. (1136 hits)
Matt Pietrek’s homepage – (1746 hits)
Microlib – machine simulator (727 hits)
neworder security references – good, I guess, for the newbie; helped me out with some questions and thought maybe it would help out. Great community aspect though, has a lot of references to different sites that they host, like code.box.sk and junk like that. Not just for a weird wanna-be hacker. (386 hits)
Nice article on API spying technique – Yariv Kaplan’s article, a good one (1145 hits)
Nmap website – One of the best network mapping and port scanning tools that is freely available for many operating systems (342 hits)
Open Reverse Code Engineering – Open Reverse Code Engineering community was created to foster a shared learning environment among researchers interested in the field of reverse engineering. Heavily modeled on Rootkit.com, OpenRCE aims to serve as a centralized resource for reverse engineers (currently heavily win32/security/malcode biased) by hosting files, blogs, forums articles and more. (1081 hits)
Packetstorm Directory Tree – (991 hits)
PearPC – PowerPC machine emulator (603 hits)
QEMU – Another x86 machine emulator (543 hits)
RCE Messageboards – A set of message boards dedicated to reverse code engineering issues ranging from newbie to advanced. There is also a RCE tool discussion board and a board dedicated to cryptographics. (546 hits)
ReactOS – ReactOS is an OS based on Windows NT; the source code contains a lot of info about the NT kernel, how Windows boots, …. (1050 hits)
rootkit archive – (2363 hits)
Rootkit’s Unloader – It’s a tool for unmapping modules and loaded rootkit DLLs. It can also terminate threads and processes. To unload a rootkit you must first know your target’s DLL; after finding those processes you can terminate the library. Tip: before selecting this you must close and save your program’s data, because this program erases all threads and you may lose your data. TerminateThread is a dangerous function that should only be used in the most extreme cases. You should call TerminateThread only if you know exactly what the target thread is doing, and you control all of the code that the target thread could possibly be running at the time of the termination. Download link, full source code with binary: https://www.rootkit.com/vault/neocrackr/Rootkits_Unloader.rar (286 hits)
rootkit.nl – rootkit detector (1512 hits)
Rootkits: The “r00t” of Digital Evil – Viruses, worms, trojans, spyware and rootkits abound in the maelstorm of modern malware. Rootkits easily stand out as the greatest threat to site security. To combat this growing problem, administrators need to understand how they work. (1014 hits)
Russian Rootkits Project – Russian Rootkits Project. (89 hits)
Samuel Jackson Sound Board – this is funny, you MUST try it (1641 hits)
The Injecting Dlls Into Processes – this is a tool for injecting DLLs into processes, free source code VB 6 + Exe Binary (169 hits)
tripatourium – (899 hits)
Universitas Virtualis – Universitas Virtualis offers, with its own powerful bibliotheca system, a comprehensive knowledge base for topics like Algorithms, Software-Engineering, Software-Protection and Reverse Code Engineering, Cryptography and Cryptanalysis. The Bibliotheca offers access to important research papers and grey papers to provide a wide range of available knowledge. (909 hits)
worms archive – (1333 hits)
XEN – The Xen virtual machine monitor (814 hits)
XFOCUS (they have english version) – looks to be a good site (1297 hits)
zone-h 0day rumor – a list with a lot of noise and very little signal, but interesting nonetheless (1404 hits)
[ X- Zero-Day ] – The dumping ground for Zero-Day Exploits.. The following entries are active zero-day vulnerabilities. Exploits that do not have any published vendor-supplied patch. (135 hits)

Windows rootkit-related links
[ 1] Avoiding Windows Rootkit Detection/Bypassing PatchFinder 2 – Edgar Barbosa[2004-02-17]
http://www.geocities.com/embarbosa/bypass/bypassEPA.pdf

[ 2] TOCTOU with NT System Service Hooking
http://www.securityfocus.com/archive/1/348570

TOCTOU with NT System Service Hooking Bug Demo
http://www.securesize.com/Resources/hookdemo.shtml

[ 3] Hooking Windows NT System Services
http://www.windowsitlibrary.com/content/356/06/1.html
http://www.windowsitlibrary.com/content/356/06/2.html

[ 4] NTIllusion: A portable Win32 userland rootkit – Kdm <Kodmaker@syshell.org>
http://www.phrack.org/phrack/62/p62-0x0c_Win32_Portable_Userland_Rootkit.txt

[ 5] Kernel-mode backdoors for Windows NT – firew0rker <firew0rker@nteam.ru>
http://www.phrack.org/phrack/62/p62-0x06_Kernel_Mode_Backdoors_for_Windows_NT.txt

[ 6] Win2K Kernel Hidden Process/Module Checker 0.1 (Proof-Of-Concept) – Tan Chew Keong[2004-05-23]
http://www.security.org.sg/code/kproccheck.html
http://www.security.org.sg/code/KProcCheck-0.1.zip

[ 7] port/connection hiding – akcom[2004-06-18]
http://www.rootkit.com/newsread_print.php?newsid=143

[ 8] Process Invincibility – metro_mystery[2004-06-13]
http://www.rootkit.com/newsread_print.php?newsid=139

[ 9] KCode Patching – hoglund[2004-06-06]
http://www.rootkit.com/newsread_print.php?newsid=152
http://www.rootkit.com/vault/hoglund/migbot.zip

[10] Hiding Window Handles through Shadow Table Hooking on Windows XP – metro_mystery[2004-06-12]
http://www.rootkit.com/newsread_print.php?newsid=137

[11] hooking functions not exported by ntoskrnl – akcom[2004-07-02]
http://www.rootkit.com/newsread_print.php?newsid=151

[12] A method of get the Address of PsLoadedModuleList – stoneclever[2004-06-10]
http://www.rootkit.com/newsread_print.php?newsid=135

[13] Fun with Kernel Structures (Plus FU all over again) – fuzen_op[2004-06-08]
http://www.rootkit.com/newsread_print.php?newsid=134
http://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip

[14] Getting Kernel Variables from KdVersionBlock, Part 2 – ionescu007[2004-07-11]
http://www.rootkit.com/newsread_print.php?newsid=153

[15] Byepass Scheduler List Process Detection – SoBeIt <kinvis@hotmail.com>[2004-04-25]
http://www.rootkit.com/newsread_print.php?newsid=117

[16] Detecting Hidden Processes by Hooking the SwapContext Function – worthy[2004-08-03]
http://www.rootkit.com/newsread_print.php?newsid=170