Liang's work - Rootkit experiments

The experiments were carried out on Windows XP SP2. A small part of the work touches commercial Windows HIPS products, and the files covering that part (including the ones that evade those products) have been removed. Everything else could be downloaded from http://blogs.msdn.com/secure, or requested from the author at chenliang0817@hotmail.com. Liang's own short introduction follows:

		Rootkit experiments on the Win32 platform, Codename: Zion by Liang

Zion is a rootkit experiment written by Liang. The central goal was to evade the mainstream security detection tools; to that end the key techniques of existing kernel-level rootkits were implemented one by one, and a user can combine them to achieve a particular purpose.

Features implemented so far:

A Hiding system processes and files
The objects to hide are configured from user mode. Once in kernel mode, the driver allocates a block of non-paged memory and copies the SSDT hook code into it, so the hook handler executes from that block rather than from the driver image. A detector that walks the SSDT can see that an entry has been redirected, but it cannot tell which module the hook belongs to, because non-paged pool memory does not fall within the address range of any loaded module. This is one of the highlights of the experiment.
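The following user-mode simulation is an added illustration, not Zion's own code. It models the check a detector makes ("which loaded module contains this SSDT entry's target?") and shows why a hook whose handler was copied into a separate allocation yields no owning module. The fake images, the handler stub bytes and the module table are constructed here; in the kernel the corresponding pieces would be KiServiceTable, ExAllocatePool and the loaded-module list.

```c
/* Added illustration, not Zion's own code: why an SSDT hook whose handler
 * lives in a separately allocated pool block cannot be attributed to a
 * module by an "which image owns this address" check. All images, stubs
 * and tables below are constructed stand-ins for the kernel objects. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const char *name; uintptr_t base; size_t size; } module_t;

#define NUM_SERVICES 4
#define MAX_MODULES  4
static uintptr_t ssdt[NUM_SERVICES];     /* stands in for KiServiceTable         */
static module_t  modules[MAX_MODULES];   /* stands in for the loaded-module list */
static int       num_modules;

/* Fake images (constructed): one for the kernel, one for the rootkit driver. */
static unsigned char ntoskrnl_image[4096];
static unsigned char zion_image[4096];
/* Placeholder handler bytes (a lone `ret`); only copied, never executed. */
static const unsigned char handler_stub[] = { 0xC3 };

static void load_module(const char *name, const void *base, size_t size) {
    modules[num_modules].name = name;
    modules[num_modules].base = (uintptr_t)base;
    modules[num_modules].size = size;
    num_modules++;
}

void setup_simulation(void) {
    num_modules = 0;
    load_module("ntoskrnl.exe", ntoskrnl_image, sizeof ntoskrnl_image);
    load_module("zion.sys", zion_image, sizeof zion_image);
    for (int i = 0; i < NUM_SERVICES; i++)      /* every service starts in the kernel */
        ssdt[i] = (uintptr_t)ntoskrnl_image + 0x200 * (i + 1);
}

/* Detector primitive: which loaded module contains this address? */
const char *owner_of(uintptr_t addr) {
    for (int i = 0; i < num_modules; i++)
        if (addr >= modules[i].base && addr < modules[i].base + modules[i].size)
            return modules[i].name;
    return NULL;
}

/* Conventional hook: the handler is part of the driver image. */
void hook_from_driver(int svc) { ssdt[svc] = (uintptr_t)zion_image + 0x100; }

/* Zion-style hook: copy the handler into its own allocation (non-paged
 * pool in the kernel, malloc here) and point the SSDT entry at the copy. */
void hook_from_pool(int svc, const void *handler, size_t len) {
    void *copy = malloc(len);
    if (!copy) return;
    memcpy(copy, handler, len);
    ssdt[svc] = (uintptr_t)copy;
}

/* Entries that no longer point into the kernel image. */
int count_hooked(void) {
    int n = 0;
    for (int i = 0; i < NUM_SERVICES; i++) {
        const char *o = owner_of(ssdt[i]);
        if (!o || strcmp(o, "ntoskrnl.exe") != 0) n++;
    }
    return n;
}

/* Hooked entries for which the module lookup has nothing to name. */
int count_unattributed(void) {
    int n = 0;
    for (int i = 0; i < NUM_SERVICES; i++)
        if (owner_of(ssdt[i]) == NULL) n++;
    return n;
}

int main(void) {
    setup_simulation();
    hook_from_driver(1);
    hook_from_pool(2, handler_stub, sizeof handler_stub);
    for (int i = 0; i < NUM_SERVICES; i++) {
        const char *o = owner_of(ssdt[i]);
        printf("service %d -> %s\n", i, o ? o : "<no owning module>");
    }
    printf("hooked=%d unattributed=%d\n", count_hooked(), count_unattributed());
    return 0;
}
```

Both hooks are visible as "entry no longer points into the kernel", so a detector that compares the SSDT against the kernel image still notices something; what the pool-resident copy defeats is the follow-up step of naming the offending driver.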

B Hiding processes and modules by DKOM
DKOM has no single clean recipe for every detector, because each anti-rootkit tool works on a different principle. Still, modifying the relevant kernel structures (and the matching registry entries) is enough to get past most tools. IceSword is the exception: it takes a different route and scans memory directly, and that cannot be defeated by DKOM alone.

C Hiding network connection information
"Subverting the Windows Kernel" gives sample code for hiding TCP connections. Zion builds on it, with changes that let it evade some anti-rootkit tools such as IceSword (the original code from the book does not get past them), and the user can specify the IP addresses and ports to hide, which is very convenient. In addition, the code in tcpip that answers queries for connection information was traced for UDP as well, and the UDP query structures were filtered so that UDP communication can be hidden too.
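The following is an added illustration of the filtering step, not Zion's code or the book's. In the kernel this logic runs in a completion routine hooked onto the connection-table query (the approach the book describes); here it is a plain function over a buffer. The row layout, the rule format and the sample table are assumptions constructed for the example, not the real TDI structures.

```c
/* Added illustration, not Zion's own code: filtering a returned connection
 * table so that rows matching user-chosen IP/port rules disappear. The row
 * layout and sample data are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t state;                        /* e.g. 2 = listening, 5 = established */
    uint32_t local_addr;  uint16_t local_port;
    uint32_t remote_addr; uint16_t remote_port;
    uint32_t owning_pid;
} conn_row_t;

typedef struct { uint32_t addr; uint16_t port; } hide_rule_t;   /* 0 = wildcard */

#define MAX_RULES 8
static hide_rule_t rules[MAX_RULES];
static int num_rules;

static uint32_t ip4(int a, int b, int c, int d) {               /* host byte order */
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

void clear_hide_rules(void) { num_rules = 0; }

/* Hide rows touching addr and/or port; a zero field matches anything. */
int add_hide_rule(uint32_t addr, uint16_t port) {
    if (num_rules == MAX_RULES) return 0;
    rules[num_rules].addr = addr;
    rules[num_rules].port = port;
    num_rules++;
    return 1;
}

static int row_hidden(const conn_row_t *r) {
    for (int i = 0; i < num_rules; i++) {
        const hide_rule_t *h = &rules[i];
        int addr_ok = h->addr == 0 || h->addr == r->local_addr || h->addr == r->remote_addr;
        int port_ok = h->port == 0 || h->port == r->local_port || h->port == r->remote_port;
        if (addr_ok && port_ok) return 1;
    }
    return 0;
}

/* Compact the table in place, dropping hidden rows. Returns the byte count
 * the caller must now report (a kernel completion routine would write it
 * to Irp->IoStatus.Information; reporting the old length would leave the
 * dropped rows visible). The freed tail is zeroed so nothing stale leaks. */
size_t filter_connection_table(void *buf, size_t len) {
    conn_row_t *rows = buf;
    size_t n = len / sizeof *rows, kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!row_hidden(&rows[i]))
            rows[kept++] = rows[i];
    memset(rows + kept, 0, (n - kept) * sizeof *rows);
    return kept * sizeof *rows;
}

/* Constructed sample table standing in for what the query returns. */
static conn_row_t sample[4];
static size_t build_sample(void) {
    conn_row_t s[4] = {
        { 5, ip4(192,168,1,10), 4444, ip4(10,0,0,9), 51000, 1234 },   /* backdoor listener peer */
        { 5, ip4(192,168,1,10),   80, ip4(10,0,0,5), 33000,  900 },   /* talks to the hidden host */
        { 5, ip4(192,168,1,10),   80, ip4(10,0,0,6), 33001,  900 },
        { 2, ip4(0,0,0,0),       135, ip4(0,0,0,0),      0,  700 },
    };
    memcpy(sample, s, sizeof s);
    return sizeof s;
}

/* Apply two rules (hide port 4444 anywhere; hide any row involving 10.0.0.5)
 * and return how many rows survive. */
int run_sample(void) {
    size_t len = build_sample();
    clear_hide_rules();
    add_hide_rule(0, 4444);
    add_hide_rule(ip4(10,0,0,5), 0);
    len = filter_connection_table(sample, len);
    return (int)(len / sizeof(conn_row_t));
}

int main(void) {
    int kept = run_sample();
    for (int i = 0; i < kept; i++)
        printf("local port %u -> %08x:%u (pid %u)\n", sample[i].local_port,
               sample[i].remote_addr, sample[i].remote_port, sample[i].owning_pid);
    return 0;
}
```

The point a detector can exploit is the same one the text makes about IceSword: a filter on the query result only hides the rows from callers that go through that query path; a tool that reads the protocol driver's own tables, below the hook, still sees them.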

D File hiding with a file-system filter driver
This is a modified version of the Windows DDK sample code Sfilter with a great deal of functionality removed (for example, dynamic attachment to volumes). The hiding itself works on the same principle as the other hiding methods in Zion, with the set of hidden files defined by the user.

E Registry hiding by intercepting registry queries
Based on an article on Pediy about hiding registry information with a rootkit.

F Some notes on detection tools
Cross-view detection, scanning for hooks in kernel code and checking files can only be accurate if the data source the detector relies on sits at a lower level than the rootkit. Zion can evade IceSword's checks of kernel modules, port information, registry keys and files precisely because, for those items, Zion works at a lower layer than the one IceSword reads from.

Fundamentally, kernel-mode rootkits can exist because Windows keeps redundant information in the kernel to make queries efficient. For example, Windows enumerates processes by walking the EPROCESS list, but the unit of CPU scheduling is the thread, so removing an EPROCESS from that list does not affect the scheduling of its threads. If a detection tool can locate the CPU's thread lists and enumerate from them, the result it gets is accurate; this rules out Shadow Walker style rootkits, because if a rootkit removes its own threads from the CPU's thread list, those threads never run again, and that should be regarded as deletion, not hiding.
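The following user-mode model is an added illustration, not Zion's code. It covers both the DKOM hiding of section B and the two-view argument above: one view is a doubly linked process list (standing in for PsActiveProcessHead and EPROCESS.ActiveProcessLinks), the other is the scheduler's list of threads. Unlinking a process from the first view leaves its threads in the second, which is what a cross-view check compares; removing the threads as well makes the process invisible but also unrunnable. Structure layouts are simplified assumptions.

```c
/* Added illustration, not Zion's own code: DKOM process hiding and the
 * cross-view check that catches it. Layouts are simplified assumptions;
 * only the relationship between the two views matters. */
#include <stdio.h>
#include <string.h>

typedef struct sim_process {
    int pid; const char *name;
    struct sim_process *flink, *blink;   /* ActiveProcessLinks stand-in */
} sim_process;

typedef struct sim_thread {
    int tid; sim_process *owner;
    struct sim_thread *next;             /* scheduler list stand-in */
} sim_thread;

#define MAX_PROCS 8
#define MAX_THREADS 32
static sim_process procs[MAX_PROCS];    static int num_procs;
static sim_thread  threads[MAX_THREADS]; static int num_threads;
static sim_process head;                /* list head, never a real process */
static sim_thread *ready_list;          /* every thread the scheduler can run */

void reset_kernel(void) {
    num_procs = num_threads = 0;
    head.flink = head.blink = &head;
    ready_list = NULL;
}

sim_process *create_process(int pid, const char *name, int nthreads) {
    if (num_procs == MAX_PROCS || num_threads + nthreads > MAX_THREADS) return NULL;
    sim_process *p = &procs[num_procs++];
    p->pid = pid; p->name = name;
    p->flink = &head; p->blink = head.blink;        /* append at the tail */
    head.blink->flink = p; head.blink = p;
    for (int i = 0; i < nthreads; i++) {
        sim_thread *t = &threads[num_threads++];
        t->tid = pid * 10 + i; t->owner = p;
        t->next = ready_list; ready_list = t;
    }
    return p;
}

/* DKOM: unlink the process from the list. Its threads stay on the
 * scheduler list, so it keeps running but vanishes from the process view. */
void dkom_hide_process(sim_process *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;    /* self-link so a later unlink is harmless */
}

/* Removing its threads from the scheduler too: nothing enumerates the
 * process, but nothing runs it either, i.e. deletion rather than hiding. */
void dkom_hide_threads(sim_process *p) {
    sim_thread **pp = &ready_list;
    while (*pp) {
        if ((*pp)->owner == p) *pp = (*pp)->next;
        else pp = &(*pp)->next;
    }
}

int runnable_threads(const sim_process *p) {
    int n = 0;
    for (sim_thread *t = ready_list; t; t = t->next) if (t->owner == p) n++;
    return n;
}

static int add_unique(int *pids, int n, int max, int pid) {
    for (int i = 0; i < n; i++) if (pids[i] == pid) return n;
    if (n < max) pids[n++] = pid;
    return n;
}

/* High-level view: what a process-list walk reports. */
int enum_by_process_list(int *pids, int max) {
    int n = 0;
    for (sim_process *p = head.flink; p != &head; p = p->flink)
        n = add_unique(pids, n, max, p->pid);
    return n;
}

/* Low-level view: owners of the threads the scheduler actually runs. */
int enum_by_thread_list(int *pids, int max) {
    int n = 0;
    for (sim_thread *t = ready_list; t; t = t->next)
        n = add_unique(pids, n, max, t->owner->pid);
    return n;
}

/* Cross-view: anything the scheduler runs but the process list omits. */
int find_hidden(int *hidden, int max) {
    int hi[MAX_PROCS], lo[MAX_PROCS], found = 0;
    int nh = enum_by_process_list(hi, MAX_PROCS), nl = enum_by_thread_list(lo, MAX_PROCS);
    for (int i = 0; i < nl; i++) {
        int seen = 0;
        for (int j = 0; j < nh; j++) if (hi[j] == lo[i]) seen = 1;
        if (!seen && found < max) hidden[found++] = lo[i];
    }
    return found;
}

int main(void) {
    int hidden[MAX_PROCS];
    reset_kernel();
    create_process(4, "System", 2);
    sim_process *z = create_process(1234, "zion.exe", 3);
    create_process(2000, "explorer.exe", 1);
    dkom_hide_process(z);
    int n = find_hidden(hidden, MAX_PROCS);
    for (int i = 0; i < n; i++) printf("hidden pid %d\n", hidden[i]);
    dkom_hide_threads(z);
    printf("after unscheduling: hidden=%d runnable=%d\n", find_hidden(hidden, MAX_PROCS), runnable_threads(z));
    return 0;
}
```

The model deliberately gives the detector the scheduler's view as ground truth; the text's caveat applies unchanged, since a rootkit that also controls what the detector reads (a Shadow Walker style page-fault trick, or a hypervisor) can feed it a false low-level view too.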

So it can be said that detection techniques that run at the Windows kernel level are never fully reliable: the deeper a kernel rootkit sits, the harder reliable detection becomes. Detecting in real time from a virtualization layer beneath the operating system is a better approach; Hypersight Rootkit Detector from North Security Labs works this way, and a rootkit inside the guest kernel cannot tell that a detector sits below it. But even that is not reliable against the newer hardware-virtualization-based rootkits, Blue Pill being the example.
