2008年7月26日星期六

#1 - Hypervisor based security solution

Hypervisor based rootkits - evolvement

Today, I would like to give a talk about Hypervisor based rootkits and relative  security solution. It is a series of talks.  First, let's to reveiw rootkits evolvement.

•First Generation Rootkits
–Replaced / Modified system files on the victim’s harddisk
•Second generation Rootkits
–Modify static OS components / structures loaded in memory
•Table based hooking approaches (IAT, EAT, SSDT, IDT)
•Inline function hooking
•Kernel and user mode rootkits
•Third Generation Rootkits
–Modify dynamic OS objects loaded in memory
•Direct Kernel Object manipulation (DKOM)
•Kernel Objects represent just about everything in the system (processes, threads, drivers, security tokens, etc…) so the possibilities are virtually unlimited.
•Exclusively kernel mode rootkits
•Fourth Generation Rootkits
–Virtual memory subversion
•Modify the page table - ITLB & DTLB e.g. Shadow Walker
•Fifth Generation Virtualization based – Blue pill, SubVirt
–No hooks in system!

没有评论: