Useful Windows rootkit links (reposted)
2007-10-02 10:38
[ 1] Avoiding Windows Rootkit Detection/Bypassing PatchFinder 2 - Edgar Barbosa[2004-02-17] http://www.geocities.com/embarbosa/bypass/bypassEPA.pdf
[ 2] TOCTOU with NT System Service Hooking http://www.securityfocus.com/archive/1/348570
TOCTOU with NT System Service Hooking Bug Demo http://www.securesize.com/Resources/hookdemo.shtml
[ 3] Hooking Windows NT System Services http://www.windowsitlibrary.com/content/356/06/1.html http://www.windowsitlibrary.com/content/356/06/2.html
[ 4] NTIllusion: A portable Win32 userland rootkit - Kdm <Kodmaker@syshell.org> http://www.phrack.org/phrack/62/p62-0x0c_Win32_Portable_Userland_Rootkit.txt
[ 5] Kernel-mode backdoors for Windows NT - firew0rker <firew0rker@nteam.ru> http://www.phrack.org/phrack/62/p62-0x06_Kernel_Mode_Backdoors_for_Windows_NT.txt
[ 6] Win2K Kernel Hidden Process/Module Checker 0.1 (Proof-Of-Concept) - Tan Chew Keong[2004-05-23] http://www.security.org.sg/code/kproccheck.html http://www.security.org.sg/code/KProcCheck-0.1.zip http://www.security.org.sg/code/KProcCheck-0.2beta1.zip
[ 7] port/connection hiding - akcom[2004-06-18] http://www.rootkit.com/newsread_print.php?newsid=143
[ 8] Process Invincibility - metro_mystery[2004-06-13] http://www.rootkit.com/newsread_print.php?newsid=139
[ 9] KCode Patching - hoglund[2004-06-06] http://www.rootkit.com/newsread_print.php?newsid=152 http://www.rootkit.com/vault/hoglund/migbot.zip
[10] Hiding Window Handles through Shadow Table Hooking on Windows XP - metro_mystery[2004-06-12] http://www.rootkit.com/newsread_print.php?newsid=137
[11] hooking functions not exported by ntoskrnl - akcom[2004-07-02] http://www.rootkit.com/newsread_print.php?newsid=151
[12] A method of get the Address of PsLoadedModuleList - stoneclever[2004-06-10] http://www.rootkit.com/newsread_print.php?newsid=135
[13] Fun with Kernel Structures (Plus FU all over again) - fuzen_op[2004-06-08] http://www.rootkit.com/newsread_print.php?newsid=134 http://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip
[14] Getting Kernel Variables from KdVersionBlock, Part 2 - ionescu007[2004-07-11] http://www.rootkit.com/newsread_print.php?newsid=153
[15] Byepass Scheduler List Process Detection - SoBeIt <kinvis@hotmail.com> [2004-04-25] http://www.rootkit.com/newsread_print.php?newsid=117
[16] Detecting Hidden Processes by Hooking the SwapContext Function - kkasslin[2004-08-03] http://www.rootkit.com/newsread_print.php?newsid=170
[17] Loading Rootkit using SystemLoadAndCallImage - Greg Hoglund <hoglund@ieway.com> [2000-08-29] http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0114.html http://seclists.org/lists/bugtraq/2000/Aug/0408.html http://marc.theaimsgroup.com/?l=ntbugtraq&m=96766147118874&w=2 http://www.securityfocus.com/archive/1/79379/2002-11-30/2002-12-06/0
[18] A *REAL* NT Rootkit, patching the NT Kernel - Greg Hoglund <hoglund@ieway.com> [1999-09-09] http://www.phrack.org/phrack/55/P55-05
[19] Win2K/XP SDT Restore 0.2 (Proof-Of-Concept) - Tan Chew Keong[2004-10-01] http://www.security.org.sg/code/sdtrestore.html http://www.security.org.sg/code/SDTrestore-0.1.zip http://www.security.org.sg/code/SDTrestore-0.2.zip
Disabling Sebek Win32 Client by Direct Service Table Restoration - Tan Chew Keong[2004-07-17] http://www.security.org.sg/vuln/sebek215-2.html
[20] Sebek is a tool to capture the attacker's activities on a honeypot http://www.honeynet.org/tools/sebek/
Sebek client for Win2000 and WinXP http://www.honeynet.org/tools/sebek/sebek-win32-2.1.5-src.zip
[21] Advanced Windows 2000 Rootkits Detection - Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl> http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-rutkowski/bh-us-03-rutkowski-r2.pdf http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-rutkowski/rutkowski-antirootkit.zip
[22] Windows Key Logging and Counter-Measures - Chew Keong TAN <chewkeong@hotmail.com> http://pachome2.pacific.net.sg/~chewkeong/keylogr.pdf
[23] Windows NT System-Call Hooking/Dr. Dobb's Journal January 1997 - Mark Russinovich <mark@osr.com> and Bryce Cogswell <cogswell@cs.uoregon.edu> http://www.exetools.com/forum/showthread.php?p=23296 http://www.exetools.com/forum/attachment.php?attachmentid=1751(9701.rar 253.6KB)
(three post minimum required)
[24] Kernel Filter Driver Example & Article (very good)
Designing A Kernel Key Logger/A Filter Driver Tutorial - Clandestiny <clandestiny@despammed.com> [2004-09-01] http://www.woodmann.net/forum/showthread.php?t=6312 http://www.woodmann.net/forum/attachment.php?attachmentid=1084(Klog 1.0.zip 139.8KB)
[25] Hide'n'Seek? Anatomy of Stealth Malware http://www.blackhat.com/presentations/bh-europe-04/bh-eu-04-erdelyi/bh-eu-04-erdelyi-paper.pdf (a survey-level overview of rootkit hiding techniques; not of much value)
[26] A more stable way to locate real KiServiceTable - 90210[2004-08-12] http://www.rootkit.com/newsread_print.php?newsid=176
[27] Bypassing SDT Restore tool - Opc0de[2004-10-11] http://www.rootkit.com/newsread_print.php?newsid=200 http://www.rootkit.com/vault/Opc0de/Bypassing_SDT_Restore.zip
[28] Writing Trojans that bypass Windows XP Service Pack 2 Firewall - <americanidiot@hushmail.com> [2004-10-12] http://marc.theaimsgroup.com/?l=full-disclosure&m=109759186016337&w=2
[29] Concepts for the Stealth Windows Rootkit - Joanna Rutkowska <joanna@mailsnare.net> [2003-09] http://invisiblethings.org/papers/chameleon_concepts.pdf
[30] Rootkits Detection on Windows Systems - Joanna Rutkowska <joanna@invisiblethings.org> [2004-10] http://invisiblethings.org/papers/ITUnderground2004_Win_rtks_detection.ppt
[31] OMCD - Open Methodology for Compromise Detection by Joanna Rutkowska <omcd@isecom.org> http://www.isecom.org/projects/omcd.shtml http://isecom.securenetltd.com/omcs.outline.v.0.1.pdf
[32] Windows rootkits of 2005 - James Butler <james.butler@hbgary.com>, Sherri Sparks <ssparks@longwood.cs.ucf.edu> [2005-11-04] http://www.securityfocus.com/infocus/1850 http://www.securityfocus.com/infocus/1851 http://www.securityfocus.com/infocus/1854 http://www.securityfocus.com/print/infocus/1850 http://www.securityfocus.com/print/infocus/1851 http://www.securityfocus.com/print/infocus/1854 (recommended by xuna)
[33] Implementing malware with virtual machines - Samuel T. King, Peter M. Chen http://www.eecs.umich.edu/Rio/papers/king06.pdf
how to detect VMM using (almost) one CPU instruction - Joanna Rutkowska <joanna@invisiblethings.org> http://invisiblethings.org/tools/redpill.c http://invisiblethings.org/tools/redpill.exe
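As an added illustration, not part of the reposted list and not code from any of the tools it links, the comparison that SDT Restore [19] and similar checkers perform, reduced to portable user-mode C over constructed data: each live KiServiceTable entry is compared against the value the on-disk ntoskrnl.exe would yield once relocated to the running kernel's load base, mismatches are reported, and the expected values are written back. The two base addresses, the image size and both tables are assumptions constructed for this example; a real tool reads the live table from kernel memory and the pristine entries from the image on disk.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Assumed values for this example only (a real tool reads them from the
 * PE header of ntoskrnl.exe and from the live kernel module list). */
#define NTOSKRNL_BASE_ON_DISK 0x00400000u   /* ImageBase in the on-disk PE header */
#define NTOSKRNL_BASE_LIVE    0x804D7000u   /* load base of the running kernel */
#define NTOSKRNL_SIZE         0x00200000u   /* SizeOfImage */

/* Constructed: the first eight KiServiceTable entries as stored in the
 * on-disk image (virtual addresses relative to ImageBase). */
static const uint32_t g_disk_table[] = {
    0x00405A10u, 0x00405B20u, 0x00405C30u, 0x00405D40u,
    0x00405E50u, 0x00405F60u, 0x00406070u, 0x00406180u,
};
#define NSERVICES (sizeof g_disk_table / sizeof g_disk_table[0])

/* Constructed: the same entries as read from the running kernel. Entry 2
 * has been redirected into a third-party driver (outside ntoskrnl) and
 * entry 5 into a patched location that is still inside the kernel image. */
static uint32_t g_live_table[NSERVICES] = {
    0x804DCA10u, 0x804DCB20u, 0xF8A1C200u, 0x804DCD40u,
    0x804DCE50u, 0x804F1234u, 0x804DD070u, 0x804DD180u,
};

/* Where an on-disk entry lands once the image is relocated to its load base. */
uint32_t expected_entry(uint32_t disk_va)
{
    return disk_va - NTOSKRNL_BASE_ON_DISK + NTOSKRNL_BASE_LIVE;
}

/* The weaker test many early checkers used: is the target inside ntoskrnl at all? */
int in_kernel_image(uint32_t addr)
{
    return addr >= NTOSKRNL_BASE_LIVE && addr < NTOSKRNL_BASE_LIVE + NTOSKRNL_SIZE;
}

/* Compare each live entry with its expected value. Indices of mismatching
 * entries are written to out (capacity n); the number found is returned. */
size_t find_hooks(const uint32_t *live, const uint32_t *disk, size_t n, size_t *out)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++)
        if (live[i] != expected_entry(disk[i]))
            out[found++] = i;
    return found;
}

/* Write the expected value back over every mismatching entry.
 * Returns the number of entries restored. */
size_t restore_table(uint32_t *live, const uint32_t *disk, size_t n)
{
    size_t restored = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t want = expected_entry(disk[i]);
        if (live[i] != want) {
            live[i] = want;
            restored++;
        }
    }
    return restored;
}

int main(void)
{
    size_t hooked[NSERVICES];
    size_t n = find_hooks(g_live_table, g_disk_table, NSERVICES, hooked);

    printf("%zu of %zu service table entries differ from the on-disk image\n",
           n, (size_t)NSERVICES);
    for (size_t i = 0; i < n; i++) {
        size_t idx = hooked[i];
        printf("  index %zu: live %08X expected %08X (%s ntoskrnl)\n",
               idx, g_live_table[idx], expected_entry(g_disk_table[idx]),
               in_kernel_image(g_live_table[idx]) ? "inside" : "outside");
    }

    size_t restored = restore_table(g_live_table, g_disk_table, NSERVICES);
    printf("restored %zu entries; %zu remain hooked\n", restored,
           find_hooks(g_live_table, g_disk_table, NSERVICES, hooked));
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the "is the entry inside ntoskrnl?" test on its own is not enough: a hook can point at patched bytes within the kernel image, which is why entry 5 above still counts as a hook. Second, a table comparison says nothing about inline patches of the function bodies themselves (the KCode patching approach in [9]), about shadow-table hooks ([10]) or hooks on functions the table never reaches ([11]); and, as [27] shows, a rootkit that knows about the restore tool can re-hook after restoration or target the tool itself.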