Tuesday, December 23, 2008
Thursday, September 25, 2008
Disclosure Windows Kernel - Kernel time
Using the code segment below:

PKPRCB Prcb;
ULONG ulKeTime = 0;
Prcb = KeGetCurrentPrcb();
ulKeTime = Prcb->KernelTime;   // clock ticks this processor has spent in kernel mode

The prototype of KeGetCurrentPrcb is KPRCB* KeGetCurrentPrcb ( VOID )
Now, let's take a look at its code. It is essentially three instructions (x86; on x64 the same pointer is read from gs:[20h]):

PKPRCB KeGetCurrentPrcb(VOID)
{
ULONG Value;
__asm mov eax, fs:[20h]   // fs points at the current processor's KPCR; offset 20h is KPCR.Prcb
__asm mov [Value], eax
return (struct _KPRCB *) Value;
}

Note that KPRCB.KernelTime is a per-processor counter (clock ticks the CPU spent in kernel mode, not charged to any one process), and that KPRCB, like KPROCESS below, is undocumented: its layout changes between Windows builds, so code that reads it must be tied to a specific build.
Another way is to get the EPROCESS structure and locate the KPROCESS fields (KPROCESS is the first member of EPROCESS, the Pcb). This gives the process's accumulated kernel time rather than the processor's. KPROCESS.KernelTime only accumulates the time of threads that have already exited; a complete figure needs the live threads' KTHREAD counters added, which is what the documented query APIs do.
The main fields of KPROCESS are the following:
DISPATCHER_HEADER Header
ULONG_PTR DirectoryTableBase[2]
KGDTENTRY LdtDescriptor
KIDTENTRY Int21Descriptor
USHORT IopmOffset
UCHAR Iopl
volatile KAFFINITY ActiveProcessors
ULONG KernelTime // here is kernel time, in clock ticks
ULONG UserTime
LIST_ENTRY ReadyListHead
SINGLE_LIST_ENTRY SwapListEntry
LIST_ENTRY ThreadListHead
KSPIN_LOCK ProcessLock
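The field list above is only useful if you know where KernelTime sits in the build you are running on, and the raw value is a tick count, not a time. The following is an added example, not code from the original post: it reads KernelTime and UserTime out of a raw KPROCESS memory image through a per-build offset table with bounds checks, then converts ticks to milliseconds using the clock increment (100 ns units, as KeQueryTimeIncrement reports it). The offsets in the table and the 156250 (15.625 ms) increment are assumed illustrative values; real ones come from symbols (WinDbg `dt nt!_KPROCESS`) for the exact build. The memory image is constructed in the example; in a driver it would be the KPROCESS at the start of the EPROCESS returned by PsGetCurrentProcess().

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One row per NT build: where KernelTime/UserTime live inside KPROCESS.
 * Offsets are ASSUMED for illustration; take real ones from symbols. */
typedef struct {
    uint32_t build;        /* NT build number the layout applies to */
    size_t   kernel_time;  /* offset of ULONG KernelTime */
    size_t   user_time;    /* offset of ULONG UserTime   */
} kprocess_layout_t;

static const kprocess_layout_t layouts[] = {
    { 2600, 0x38, 0x3c },  /* assumed XP-era 32-bit layout */
    { 3790, 0x38, 0x3c },  /* assumed Server 2003 32-bit layout */
};

static const kprocess_layout_t *find_layout(uint32_t build)
{
    for (size_t i = 0; i < sizeof layouts / sizeof layouts[0]; i++)
        if (layouts[i].build == build)
            return &layouts[i];
    return NULL;
}

/* Bounds-checked, alignment-safe read of a ULONG at `off` in `image`. */
static int read_ulong(const uint8_t *image, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < sizeof(uint32_t))
        return -1;
    memcpy(out, image + off, sizeof *out);
    return 0;
}

/* Returns 0 and fills both tick counters, -1 for an unknown build,
 * -2 if the image is too short to contain the fields. */
int kprocess_times(const uint8_t *image, size_t len, uint32_t build,
                   uint32_t *kernel_ticks, uint32_t *user_ticks)
{
    const kprocess_layout_t *l = find_layout(build);
    if (l == NULL)
        return -1;
    if (read_ulong(image, len, l->kernel_time, kernel_ticks) != 0 ||
        read_ulong(image, len, l->user_time, user_ticks) != 0)
        return -2;
    return 0;
}

/* KernelTime/UserTime count clock interrupts. Convert with the clock
 * increment in 100 ns units (what KeQueryTimeIncrement returns). */
uint64_t ticks_to_ms(uint32_t ticks, uint32_t increment_100ns)
{
    return (uint64_t)ticks * increment_100ns / 10000u;
}

/* Constructed stand-in for a KPROCESS image: zero-filled, with the two
 * counters written at the assumed XP offsets. Returns bytes written. */
size_t build_sample_image(uint8_t *buf, size_t len, uint32_t kt, uint32_t ut)
{
    const kprocess_layout_t *l = find_layout(2600);
    if (len < 0x60)
        return 0;
    memset(buf, 0, len);
    memcpy(buf + l->kernel_time, &kt, sizeof kt);
    memcpy(buf + l->user_time, &ut, sizeof ut);
    return 0x60;
}

/* End-to-end: 640 kernel ticks at an assumed 15.625 ms increment -> 10000 ms. */
uint64_t sample_kernel_ms(void)
{
    uint8_t image[0x60];
    uint32_t kt = 0, ut = 0;
    build_sample_image(image, sizeof image, 640, 128);
    if (kprocess_times(image, sizeof image, 2600, &kt, &ut) != 0)
        return 0;
    return ticks_to_ms(kt, 156250);
}

int main(void)
{
    printf("sample process kernel time: %llu ms\n",
           (unsigned long long)sample_kernel_ms());
    return 0;
}
```

The bounds check matters because a wrong offset for the running build does not fault in a predictable way; it silently returns a neighbouring field. Refusing unknown builds outright is the safer failure mode.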
Friday, September 5, 2008
#2 - Hypervisor based security solution
- Detecting diverted execution paths
- Detecting alterations in the number, order, and frequency of system calls
- Fingerprint identification
- Detects unauthorized changes to system files or to loaded OS components in memory
- Creates an initial baseline database containing their CRC values
- Periodically calculates and compares the CRCs of these files against the initial trusted baseline
- Caveat: a CRC is an error-detecting checksum, not a cryptographic hash. An attacker who can modify a file can also adjust it so that its CRC still matches the baseline, so a real integrity baseline needs a collision-resistant hash (or a keyed MAC), and the baseline itself must be stored where the rootkit cannot rewrite it.
- Microsoft Strider GhostBuster, Sysinternals RootkitRevealer, F-Secure BlackLight
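To show why the CRC-based baseline described above is not a security control, here is an added example (not code from the original post or from any of the tools it names). It computes a CRC-32 baseline over a constructed "system file", trojans the file, and then forges four trailing bytes that bring the CRC back to the baselined value, so the periodic re-check passes. The forgery works backwards from the wanted register value: every CRC-32 table entry has a distinct top byte, so the table index used at each of the last four update steps can be recovered, and XOR with the real register state gives the bytes to append. The file content is constructed; real tools read it from disk or from loaded-module memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CRC_POLY 0xEDB88320u  /* reflected IEEE CRC-32 polynomial */

static uint32_t crc_table[256];
static int crc_table_ready;

static void crc_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (CRC_POLY ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

/* Raw register update (no init/final inversion); the forgery works on this state. */
static uint32_t crc_update(uint32_t state, const uint8_t *p, size_t n)
{
    if (!crc_table_ready) crc_init();
    for (size_t i = 0; i < n; i++)
        state = crc_table[(state ^ p[i]) & 0xFFu] ^ (state >> 8);
    return state;
}

/* Standard CRC-32, as a baseline tool would compute it. */
uint32_t crc32(const uint8_t *p, size_t n)
{
    return ~crc_update(0xFFFFFFFFu, p, n);
}

/* Computes four bytes that, appended to data[0..n), make crc32() equal `target`. */
void crc32_forge(const uint8_t *data, size_t n, uint32_t target, uint8_t patch[4])
{
    uint32_t state = crc_update(0xFFFFFFFFu, data, n);  /* register after the real data */
    uint32_t want  = ~target;                           /* register needed at the end  */
    for (int step = 0; step < 4; step++) {
        uint32_t idx = 0;
        while ((crc_table[idx] >> 24) != (want >> 24))  /* top byte identifies the index */
            idx++;
        want = ((want ^ crc_table[idx]) << 8) | idx;    /* undo one update step */
    }
    uint32_t diff = want ^ state;                       /* bytes to feed, low byte first */
    for (int i = 0; i < 4; i++)
        patch[i] = (uint8_t)(diff >> (8 * i));
}

/* Constructed "system file": a stand-in for a driver image, not real code. */
static const uint8_t clean_image[] =
    "MZ fake ntoskrnl image: KiSystemService -> KiServiceTable -> NtOpenProcess";

/* Returns 1 if a CRC-only baseline check still passes after the image was
 * trojaned (and the image really did change); 0 otherwise. */
int crc_baseline_bypassed(void)
{
    uint8_t trojaned[sizeof clean_image + 4];
    uint32_t baseline = crc32(clean_image, sizeof clean_image);   /* step 1: trusted baseline */

    memcpy(trojaned, clean_image, sizeof clean_image);             /* attacker's working copy */
    memcpy(trojaned + 24, "KiEvilHookEntry", 15);                 /* overwrite "KiSystemService" */
    crc32_forge(trojaned, sizeof clean_image, baseline,
                trojaned + sizeof clean_image);                    /* append the fix-up bytes */

    uint32_t rechecked = crc32(trojaned, sizeof trojaned);         /* step 2: periodic re-check */
    return rechecked == baseline &&
           memcmp(trojaned, clean_image, sizeof clean_image) != 0;
}

int main(void)
{
    printf("crc32(\"123456789\") = 0x%08x\n", crc32((const uint8_t *)"123456789", 9));
    printf("CRC baseline bypassed: %s\n", crc_baseline_bypassed() ? "yes" : "no");
    return 0;
}
```

The attack needs no brute force and costs four bytes of slack space, which any PE image has. Replacing crc32() with a collision-resistant hash removes this exact trick; keying the hash (an HMAC with a key the rootkit cannot read) and storing the baseline out of reach removes the easier one of simply rewriting the baseline.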
Thursday, September 4, 2008
ThinkUtility - Proactive Protection against BSODs
Conditions that cause a bug check:
- A call to a kernel support routine results in a reschedule, such as waiting on an unsignaled dispatcher object when the interrupt request level (IRQL) is DPC/dispatch level or higher.
- A page fault on memory backed by data in a paging file or a memory-mapped file occurs at an IRQL of DPC/dispatch level or above (which would require the memory manager to wait for an I/O operation to complete, and, as just stated, waits cannot occur at DPC/dispatch level or higher because that would require a reschedule).
- A device driver or operating system function explicitly crashes the system (by calling the system function KeBugCheckEx) because it detects an internal condition that indicates either a corruption or some other situation in which the system cannot continue execution without risking data corruption.
- A hardware error, such as a machine check or a nonmaskable interrupt (NMI), occurs.
In short:
- Unhandled exception
- OS or driver detects a severe inconsistency
- Invalid memory references
- Hardware error
Saturday, July 26, 2008
#1 - Hypervisor based security solution
•First generation rootkits
–Replaced / modified system files on the victim's hard disk
•Second generation rootkits
–Modify static OS components / structures loaded in memory
•Table based hooking approaches (IAT, EAT, SSDT, IDT)
•Inline function hooking
•Kernel and user mode rootkits
•Third generation rootkits
–Modify dynamic OS objects loaded in memory
•Direct Kernel Object Manipulation (DKOM), e.g. unlinking an EPROCESS from the active process list so that process enumeration no longer sees it
•Kernel objects represent just about everything in the system (processes, threads, drivers, security tokens, etc.), so the possibilities are virtually unlimited.
•Exclusively kernel mode rootkits
•Fourth generation rootkits
–Virtual memory subversion
•Hook the page fault handler and desynchronize the split ITLB/DTLB so that reads and executes of the same page see different contents, e.g. Shadow Walker
•Fifth generation: virtualization based – Blue Pill, SubVirt
–No hooks in the system!
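The third-generation technique is easiest to see in code. The following is an added example, not code from the original post or from any named rootkit or detector: it models DKOM process hiding in user mode and the cross-view detection that the #2 notes' tools (RootkitRevealer, BlackLight) rely on. LIST_ENTRY and the unlink are the same operations a kernel rootkit performs on EPROCESS.ActiveProcessLinks; the PROCESS structure, the process table and the PIDs are constructed stand-ins for the kernel's own objects.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same shape as the kernel's LIST_ENTRY. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Constructed stand-in for EPROCESS: only the fields the example needs. */
typedef struct {
    uint32_t   UniqueProcessId;
    char       ImageFileName[16];
    LIST_ENTRY ActiveProcessLinks;
} PROCESS;

#define NPROCS 4
static PROCESS procs[NPROCS] = {          /* constructed sample processes */
    { 4,    "System" },
    { 620,  "services.exe" },
    { 1337, "rootkit.exe" },
    { 2048, "explorer.exe" },
};
static LIST_ENTRY active_head;            /* stands in for nt!PsActiveProcessHead */

/* Link every process into the active list, as the kernel does at create time. */
void init_process_list(void)
{
    active_head.Flink = active_head.Blink = &active_head;
    for (int i = 0; i < NPROCS; i++) {
        LIST_ENTRY *e = &procs[i].ActiveProcessLinks;
        e->Blink = active_head.Blink;
        e->Flink = &active_head;
        active_head.Blink->Flink = e;
        active_head.Blink = e;
    }
}

/* DKOM: unlink the process from the active list. The object stays intact and
 * its threads keep being scheduled from the thread lists, so it keeps running
 * but vanishes from anything that walks PsActiveProcessHead. Pointing Flink and
 * Blink at the entry itself keeps a later RemoveEntryList (at process exit)
 * from writing into the former neighbours. */
void dkom_hide(PROCESS *p)
{
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* View 1: enumerate by walking the list (the API-level view). */
int list_view(uint32_t *pids, int max)
{
    int n = 0;
    for (LIST_ENTRY *e = active_head.Flink; e != &active_head && n < max; e = e->Flink)
        pids[n++] = CONTAINING_RECORD(e, PROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* View 2: the objects themselves, reached without following the links (a
 * scanner would carve them from memory or brute-force PIDs via the PID table). */
int object_view(uint32_t *pids, int max)
{
    int n = 0;
    for (int i = 0; i < NPROCS && n < max; i++)
        pids[n++] = procs[i].UniqueProcessId;
    return n;
}

/* Cross-view detection: present in the object view, absent from the list view
 * means unlinked. Returns the number of hidden PIDs written to `hidden`. */
int find_hidden(uint32_t *hidden, int max)
{
    uint32_t lv[NPROCS], ov[NPROCS];
    int nl = list_view(lv, NPROCS), no = object_view(ov, NPROCS), n = 0;
    for (int i = 0; i < no && n < max; i++) {
        int seen = 0;
        for (int j = 0; j < nl; j++)
            if (lv[j] == ov[i]) { seen = 1; break; }
        if (!seen)
            hidden[n++] = ov[i];
    }
    return n;
}

int main(void)
{
    uint32_t pids[NPROCS], hidden[NPROCS];
    init_process_list();
    dkom_hide(&procs[2]);                                   /* hide rootkit.exe */
    printf("list view shows %d processes; ", list_view(pids, NPROCS));
    int n = find_hidden(hidden, NPROCS);
    printf("cross-view found %d hidden (PID %u)\n", n, n ? hidden[0] : 0);
    return 0;
}
```

The detector's strength is entirely in the second view: if it also depends on a structure the rootkit controls, both views agree and nothing is found. That is why the fourth- and fifth-generation techniques in the list above matter: they attack the memory the scanner reads rather than the lists it walks.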
Attention to ID Theft?
Two days ago, a 23-year-old Oregon man was sentenced to four years in federal prison for using computer viruses to steal financial data from dozens of consumers in the U.S. Investigators say he used the information to set up multiple eBay and PayPal accounts, which helped him sell more than $1 million worth of pirated software. This news shows that keyloggers are still a critical threat. According to the latest Javelin Strategy & Research survey, however, the number of U.S. adult victims of identity fraud decreased from 10.1 million in 2003 and 9.3 million in 2005 to 8.4 million in 2007. The total one-year fraud amount decreased from $55.7 billion in 2006 to $49.3 billion in 2007. The mean fraud amount per victim decreased from $6,278 in 2006 to $5,720 in 2007. The mean resolution time peaked at 40 hours per victim in 2006 and fell to 25 hours per victim in 2007. The median resolution time has stayed the same in every survey year, at 5 hours per victim.