Book description
While forensic analysis has proven to be a valuable investigative tool in the field of computer security, utilizing anti-forensic technology makes it possible to maintain a covert operational foothold for extended periods, even in a high-security environment. Adopting an approach that favors full disclosure, the updated Second Edition of The Rootkit Arsenal presents the most accessible, timely, and complete coverage of forensic countermeasures. This book covers more topics, in greater depth, than any other currently available. In doing so the author forges through the murky back alleys of the Internet, shedding light on material that has traditionally been poorly documented, partially documented, or intentionally undocumented.
The range of topics presented includes how to:
- Evade post-mortem analysis
- Frustrate attempts to reverse engineer your command & control modules
- Defeat live incident response
- Undermine the process of memory analysis
- Modify subsystem internals to feed misinformation to the outside
- Entrench your code in fortified regions of execution
- Design and implement covert channels
- Unearth new avenues of attack
Table of contents
- Cover
- Title Page
- Copyright
- Contents
- Preface
- Part I: Foundations
  - Chapter 1 Empty Cup Mind
    - 1.1 An Uninvited Guest
    - 1.2 Distilling a More Precise Definition
      - The Attack Cycle
      - The Role of Rootkits in the Attack Cycle
      - Single-Stage Versus Multistage Droppers
      - Other Means of Deployment
      - A Truly Pedantic Definition
      - Don’t Confuse Design Goals with Implementation
      - Rootkit Technology as a Force Multiplier
      - The Kim Philby Metaphor: Subversion Versus Destruction
      - Why Use Stealth Technology? Aren’t Rootkits Detectable?
    - 1.3 Rootkits != Malware
    - 1.4 Who Is Building and Using Rootkits?
    - 1.5 Tales from the Crypt: Battlefield Triage
    - 1.6 Conclusions
  - Chapter 2 Overview of Anti-Forensics
    - Everyone Has a Budget: Buy Time
    - 2.1 Incident Response
    - 2.2 Computer Forensics
      - Aren’t Rootkits Supposed to Be Stealthy? Why AF?
      - Assuming the Worst-Case Scenario
      - Classifying Forensic Techniques: First Method
      - Classifying Forensic Techniques: Second Method
      - Live Response
      - When Powering Down Isn’t an Option
      - The Debate over Pulling the Plug
      - To Crash Dump or Not to Crash Dump
      - Postmortem Analysis
      - Non-Local Data
    - 2.3 AF Strategies
    - 2.4 General Advice for AF Techniques
    - 2.5 John Doe Has the Upper Hand
    - 2.6 Conclusions
  - Chapter 3 Hardware Briefing
    - 3.1 Physical Memory
    - 3.2 IA-32 Memory Models
    - 3.3 Real Mode
      - Case Study: MS-DOS
      - Isn’t This a Waste of Time? Why Study Real Mode?
      - The Real-Mode Execution Environment
      - Real-Mode Interrupts
      - Segmentation and Program Control
      - Case Study: Dumping the IVT
      - Case Study: Logging Keystrokes with a TSR
      - Case Study: Hiding the TSR
      - Case Study: Patching the TREE.COM Command
      - Synopsis
    - 3.4 Protected Mode
    - 3.5 Implementing Memory Protection
  - Chapter 4 System Briefing
  - Chapter 5 Tools of the Trade
    - 5.1 Development Tools
    - 5.2 Debuggers
    - 5.3 The KD.exe Kernel Debugger
      - Different Ways to Use a Kernel Debugger
      - Physical Host–Target Configuration
      - Preparing the Hardware
      - Preparing the Software
      - Launching a Kernel-Debugging Session
      - Controlling the Target
      - Virtual Host–Target Configuration
      - Useful Kernel-Mode Debugger Commands
      - List Loaded Modules Command (lm)
      - !process
      - Registers Command (r)
      - Working with Crash Dumps
      - Method No. 1: PS/2 Keyboard Trick
      - Method No. 2: KD.exe Command
      - Method No. 3: NotMyFault.exe
      - Crash Dump Analysis
  - Chapter 6 Life in Kernel Space
- Part II: Postmortem
  - Chapter 7 Defeating Disk Analysis
    - 7.1 Postmortem Investigation: An Overview
    - 7.2 Forensic Duplication
    - 7.3 Volume Analysis
    - 7.4 File System Analysis
      - Recovering Deleted Files
      - Recovering Deleted Files: Countermeasures
      - Enumerating ADSs
      - Enumerating ADSs: Countermeasures
      - Recovering File System Objects
      - Recovering File System Objects: Countermeasures
      - Out-of-Band Concealment
      - In-Band Concealment
      - Enter: FragFS
      - Application-Level Concealment
      - Acquiring Metadata
      - Acquiring Metadata: Countermeasures
      - Altering Time Stamps
      - Altering Checksums
      - Identifying Known Files
      - Cross-Time Versus Cross-View Diffs
      - Identifying Known Files: Countermeasures
    - 7.5 File Signature Analysis
    - 7.6 Conclusions
  - Chapter 8 Defeating Executable Analysis
    - 8.1 Static Analysis
    - 8.2 Subverting Static Analysis
    - 8.3 Runtime Analysis
    - 8.4 Subverting Runtime Analysis
      - Tracing Countermeasures
      - API Tracing: Evading Detour Patches
      - API Tracing: Multistage Loaders
      - Instruction-Level Tracing: Attacking the Debugger
      - Break Points
      - Detecting a User-Mode Debugger
      - Detecting a Kernel-Mode Debugger
      - Detecting a User-Mode or a Kernel-Mode Debugger
      - Detecting Debuggers via Code Checksums
      - The Argument Against Anti-Debugger Techniques
      - Instruction-Level Tracing: Obfuscation
      - Obfuscating Application Data
      - Obfuscating Application Code
      - Hindering Automation
      - Countering Runtime Composition Analysis
    - 8.5 Conclusions
- Part III: Live Response
  - Chapter 9 Defeating Live Response
  - Chapter 10 Building Shellcode in C
  - Chapter 11 Modifying Call Tables
  - Chapter 12 Modifying Code
    - Types of Patching
    - In-Place Patching
    - Detour Patching
    - Prologue and Epilogue Detours
    - Detour Jumps
    - 12.1 Tracing Calls
      - Detour Implementation
      - Acquire the Address of the NtSetValueKey()
      - Initialize the Patch Metadata Structure
      - Verify the Original Machine Code Against a Known Signature
      - Save the Original Prologue and Epilogue Code
      - Update the Patch Metadata Structure
      - Lock Access and Disable Write-Protection
      - Inject the Detours
      - The Prologue Detour
      - The Epilogue Detour
      - Postgame Wrap-Up
    - 12.2 Subverting Group Policy
    - 12.3 Bypassing Kernel-Mode API Loggers
    - 12.4 Instruction Patching Countermeasures
  - Chapter 13 Modifying Kernel Objects
  - Chapter 14 Covert Channels
  - Chapter 15 Going Out-of-Band
- Part IV: Summation
- Index
- Photo Credits
Product information
- Title: The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition
- Author(s):
- Release date: March 2012
- Publisher(s): Jones & Bartlett Learning
- ISBN: 9781449626372