Tophet Bootkit kernel and | Enterprise Management 2022-09-19 82 views 0 stars. Copyright: retain author information; commercial use prohibited; modification prohibited.
This article presents a new Bootkit technique, Tophet, and some of the novel methods used by its first-generation sample, Tophet.a. Tophet.a is not a virus or a Trojan; it exists only to demonstrate advanced boot, penetration and stealth techniques. A Bootkit is a more advanced form of Rootkit. The concept was first raised in 2005 by eEye Digital in their "BootRoot" project, which infected the MBR (master boot record) in order to bypass kernel-level detection and stay hidden from boot time onward. Any technique that loads before the Windows kernel at power-on and hijacks the kernel can be called a Bootkit, including the later BIOS Rootkit, VBootkit and SMM Rootkit. Today the well-known locations MBR, BootSector and NtOSLoader are closely guarded by HIPS monitoring and detection software, while boot locations such as BIOS, SMM and ROM firmware are either already pinned down or not generic enough. How, then, can Windows kernel boot hijacking be done simply, generically and effectively? Tophet.a uses a new method: NtBootdd.sys. At the same time, Tophet.a presents several disk-level penetration and hiding techniques that can get past all current protection software to install, and that remain hidden from every current Rootkit file-detection technique.

Attachment: 高档Bootkit-tophet.doc (Advanced Bootkit - tophet.doc)
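As an added defender-side example (not code from this post or from Tophet.a), the check below looks at the NtBootdd.sys load point the abstract names. It assumes NTLDR's documented behaviour that \NTBOOTDD.SYS in the system partition root is only loaded for scsi() or signature() boot.ini entries, and that the caller supplies SHA-256 digests of the SCSI miniport drivers actually installed; the functions, result labels and sample boot.ini are all constructed for this example.

```python
import hashlib

# Added defender-side example, not code from the original post or from Tophet.a.
# Assumption encoded here (NTLDR behaviour, not stated on the page): NTLDR loads
# \NTBOOTDD.SYS from the system partition root only when a boot.ini entry uses a
# scsi() or signature() ARC path; multi() entries never need it.
ARC_PREFIXES = ("scsi(", "signature(", "multi(")

def arc_paths(boot_ini_text):
    """Return the ARC paths listed under [operating systems] in a boot.ini."""
    paths, in_os = [], False
    for raw in boot_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_os = line.lower() == "[operating systems]"
            continue
        key = line.split("=", 1)[0].strip()
        if in_os and key.lower().startswith(ARC_PREFIXES):
            paths.append(key)
    return paths

def needs_ntbootdd(boot_ini_text):
    """True if any entry uses scsi() or signature(), the forms that load NTBOOTDD.SYS."""
    return any(p.lower().startswith(("scsi(", "signature(")) for p in arc_paths(boot_ini_text))

def assess_ntbootdd(boot_ini_text, ntbootdd_bytes, known_miniport_sha256):
    """Classify \\NTBOOTDD.SYS: ntbootdd_bytes is the file content (None if absent);
    known_miniport_sha256 holds SHA-256 digests of the SCSI miniport drivers the
    caller collected from system32\\drivers, which a legitimate copy must match."""
    required = needs_ntbootdd(boot_ini_text)
    if ntbootdd_bytes is None:
        return "missing-but-required" if required else "absent-ok"
    if not required:
        return "suspicious-unneeded"        # nothing in boot.ini can load it, yet it exists
    if hashlib.sha256(ntbootdd_bytes).hexdigest() in known_miniport_sha256:
        return "ok-matches-installed-miniport"
    return "suspicious-unknown-content"     # pre-kernel load point with no known origin

# Constructed sample boot.ini (multi() only, so NTBOOTDD.SYS should not exist).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

if __name__ == "__main__":
    print(assess_ntbootdd(SAMPLE_BOOT_INI, b"MZ...constructed driver bytes", set()))
```

Since the post claims Tophet.a stays hidden from on-disk Rootkit file checks, run a check like this against the partition from offline boot media rather than from the running system.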

[Download] 09224423550.rar
