Rootkit Study and Research
Technology is a double-edged sword. Our intention in studying it is to use what we learn to protect our systems and make them stronger, bringing the positive uses of this technology into full play. Research on the ROOTKIT topic mainly involves the following techniques:

1. Kernel hooks
There are many kinds of hooks, both within ring3 and on the path from ring3 to ring0. Following the order of the stages an API call passes through, every stage offers an opportunity to hook: int 2e or sysenter hook, SSDT hook, inline hook, IRP hook, object hook, IDT hook, and so on. Here we introduce them one by one.
1) Object hook
2) SSDT hook
3) Inline hook
4) IDT hook
5) IRP hook
6) SYSENTER hook
7) IAT hook
8) EAT hook

2. Protected mode chapter, part 1: the gates from ring3 into ring0
1) Accessing the kernel through a call gate
2) Accessing the kernel through an interrupt gate
3) Accessing the kernel through a task gate
4) Accessing the kernel through a trap gate

3. Protected mode chapter, part 2: the Windows paging mechanism