Rootkits in Windows XP  What they are and how they work.

Presentation on theme: "Rootkits in Windows XP  What they are and how they work."— Presentation transcript:

1 Rootkits in Windows XP: What they are and how they work

2 What is a rootkit?
- The name comes from the UNIX administrator account "root"; "kit" refers to a collection of tools.
- Used to hide and preserve the presence of a hacker on a system.

3 Classification of Rootkits
- Persistent rootkits: stored on a fixed disk and survive system reboots
- Non-persistent rootkits: do not survive reboots

4 User Mode vs Kernel Mode rootkits
- Processes in Windows XP run in one of two modes of execution:
  - User Mode: limited access to the system
    - Most applications run in user mode
    - User Mode rootkits are limited to altering the behavior of a single process
  - Kernel Mode: full access to the system
    - Device drivers and operating system code run here
    - Kernel Mode rootkits can alter the behavior of the entire system

5 How do rootkits work?
- Rootkits hide and preserve the presence of a hacker on a system by:
  - Altering the flow of execution:
    - Hooking
      - Import Address Table Hooking
      - System Service Descriptor Table Hooking
      - Inline Function Hooking
    - Layered filter drivers
  - Altering kernel data used in system accounting:
    - Direct Kernel Object Manipulation (DKOM)

6 Import Address Table (IAT) Hooking
- User Mode rootkits
- The IAT is a table of pointers to the memory locations of imported API functions
- Rootkits change a pointer in the table to point to a rootkit function
- The function is now "hooked"
- The hook is limited to one process

7 System Service Descriptor Table (SSDT) Hooking
- Kernel Mode rootkits
- The SSDT is a single kernel table that stores pointers to system API functions
- Hooks affect the entire system instead of a single process, unlike IAT hooks

8 Inline Function Hooking
- User mode rootkits
- Directly alters imported functions in a process's memory space
- Overwrites the function preamble with a JMP instruction to rootkit code

9 Layered Filter Drivers
- Kernel mode rootkits
- Legitimately used by firewalls and anti-virus scanners
- Layered filter driver rootkits can filter certain files out of a directory listing
- Accomplished at a much lower level of the OS than hooking

10 Direct Kernel Object Manipulation (DKOM)
- Kernel mode rootkits
- Direct manipulation of the \Device\PhysicalMemory object
- DKOM rootkits are able to hide things from the entire system
- The most powerful of the techniques

11 DKOM Example: Hiding a Process
- EPROCESS blocks form a linked list of the active processes
- A node removed from that list is called a Ghost Process
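
The ghost process from slide 11 and the cross-view check defenders use to find it, as an added example that is not part of the presentation: a constructed C simulation of the ActiveProcessLinks list, the unlink that hides a node, and a comparison of the list walk against an independent scan of the process pool. The struct layout, the pool and the scan are stand-ins, not the real EPROCESS or any kernel API.

```c
/* Stand-in for EPROCESS and its ActiveProcessLinks: a constructed layout for
 * illustration, not the real Windows structure. */
typedef struct proc { unsigned pid; struct proc *flink, *blink; } proc_t;

#define NPROC 5
static proc_t pool[NPROC];                 /* constructed process pool     */
static proc_t head = { 0, &head, &head };  /* PsActiveProcessHead stand-in */

/* Link every pool entry into the list (pids 100..500). */
void build_list(void) {
    head.flink = head.blink = &head;
    for (int i = 0; i < NPROC; i++) {
        pool[i].pid = 100u * (i + 1);
        pool[i].flink = &head;
        pool[i].blink = head.blink;
        head.blink->flink = &pool[i];
        head.blink = &pool[i];
    }
}

/* The DKOM step the slides describe: unlink one node. The object and its
 * threads remain, but list walkers no longer reach it: a ghost process. */
void dkom_unlink(proc_t *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;   /* self-loop so a later unlink is harmless */
}

/* View 1: follow the list, as a task manager's enumeration does. */
int list_view(unsigned *out, int max) {
    int n = 0;
    for (proc_t *p = head.flink; p != &head && n < max; p = p->flink)
        out[n++] = p->pid;
    return n;
}

/* Cross-view detection: diff the list walk against an independent view, here
 * a scan of the pool itself (what a memory signature scan provides). A pid
 * present in the pool but missing from the list is a ghost. */
int find_ghosts(unsigned *ghosts, int max) {
    unsigned seen[NPROC];
    int nseen = list_view(seen, NPROC), nghost = 0;
    for (int i = 0; i < NPROC && nghost < max; i++) {
        int found = 0;
        for (int j = 0; j < nseen; j++)
            if (seen[j] == pool[i].pid) found = 1;
        if (!found) ghosts[nghost++] = pool[i].pid;
    }
    return nghost;
}
```

Hiding pid 300 with dkom_unlink leaves list_view reporting four processes while find_ghosts reports exactly that pid, which is the discrepancy a cross-view detector flags.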

12

13 The End
