Designing BSD Rootkits: An Introduction to Kernel Hacking (Chapter 7)

2009-05-13 11:55:27, source: unknown


7 Detection
7.1 Detecting Call Hooks
    7.1.1 Finding System Call Hooks
7.2 Detecting DKOM
    7.2.1 Finding Hidden Processes
    7.2.2 Finding Hidden Ports
7.3 Detecting Run-Time Kernel Memory Patching
    7.3.1 Finding Inline Function Hooks
    7.3.2 Finding Code Byte Patches
7.4 Conclusion

7
DETECTION
We’ll now turn to the challenging world of rootkit detection. In general, you can detect a rootkit in one of two ways: either by signature or by behavior. Detecting by signature involves scanning the operating system for a particular rootkit trait (e.g., inline function hooks). Detecting by behavior involves catching the operating system in a “lie” (e.g., sockstat(1) lists two open ports, but a port scan reveals three).

In this chapter, you’ll learn how to detect the different rootkit techniques described throughout this book. Keep in mind, however, that rootkits and rootkit detectors are in a perpetual arms race. When one side develops a new technique, the other side develops a countermeasure. In other words, what works today may not work tomorrow.
7.1 Detecting Call Hooks
As stated in Chapter 2, call hooking is really all about redirecting function pointers. Therefore, to detect a call hook, you simply need to determine whether or not a function pointer still points to its original function. For example, you can determine if the mkdir system call has been hooked by checking its sysent structure’s sy_call member. If it points to any function other than mkdir, you’ve got yourself a call hook.
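The check just described, written out as an added example (this is not code from the book, from Listing 7-1, or from this page). It models the sysent walk in user space: a table with the same shape as the kernel's sysent[] is constructed inline, the detector holds a list of which address each syscall slot should contain, and any slot whose sy_call differs is reported and optionally written back. The simplified sy_call_t signature, the stand-in functions (sys_read, sys_open, sys_mkdir, not_mkdir), the demo_* names and the TABLE_SIZE are all assumptions made for the example; the syscall numbers are the ones from FreeBSD's sys/syscall.h.

```c
/* Added example, not code from the book or the page: a user-space model of
 * the sysent check described above.  A real FreeBSD detector walks the
 * kernel's sysent[] (from a KLD or through kvm(3)); here a table of the
 * same shape is constructed inline so the check can run anywhere. */
#include <stddef.h>
#include <stdio.h>

/* Shape of FreeBSD's sy_call_t, simplified to void * arguments (assumed). */
typedef int sy_call_t(void *td, void *uap);

/* Only the member the check needs from the real struct sysent. */
struct sysent {
    sy_call_t *sy_call;
};

/* Syscall numbers as in FreeBSD's sys/syscall.h. */
#define SYS_read   3
#define SYS_open   5
#define SYS_mkdir  136
#define TABLE_SIZE 512          /* constructed; large enough for the slots used */

/* Stand-ins for the kernel's real implementations (constructed). */
static int sys_read(void *td, void *uap)  { (void)td; (void)uap; return 0; }
static int sys_open(void *td, void *uap)  { (void)td; (void)uap; return 0; }
static int sys_mkdir(void *td, void *uap) { (void)td; (void)uap; return 0; }

/* Stand-in for a foreign function occupying mkdir's slot (constructed; it
 * only forwards, the point is that its address is not sys_mkdir's). */
static int not_mkdir(void *td, void *uap) { return sys_mkdir(td, uap); }

/* What the detector knows: the address each syscall slot should hold.
 * On a live system these come from the kernel symbol table. */
struct known_call {
    int number;
    const char *name;
    sy_call_t *original;
};

/* Compare each known slot's sy_call with the expected address.
 * Returns the number of hooked slots; with restore != 0 the original
 * pointer is written back (the "uninstall" step the text refers to). */
int find_syscall_hooks(struct sysent *table, const struct known_call *known,
                       size_t nknown, int restore)
{
    int found = 0;
    for (size_t i = 0; i < nknown; i++) {
        struct sysent *ent = &table[known[i].number];
        if (ent->sy_call == known[i].original)
            continue;                       /* pointer intact */
        found++;
        printf("HOOKED: %s (syscall %d): sy_call=%p, expected %p\n",
               known[i].name, known[i].number,
               (void *)ent->sy_call, (void *)known[i].original);
        if (restore)
            ent->sy_call = known[i].original;
    }
    return found;
}

/* Demo state: a constructed table and the detector's reference list. */
struct sysent demo_table[TABLE_SIZE];
const struct known_call demo_known[] = {
    { SYS_read,  "read",  sys_read  },
    { SYS_open,  "open",  sys_open  },
    { SYS_mkdir, "mkdir", sys_mkdir },
};
#define DEMO_NKNOWN (sizeof demo_known / sizeof demo_known[0])

/* (Re)build the table; with tamper != 0, mkdir's slot points elsewhere. */
void demo_reset(int tamper)
{
    for (size_t i = 0; i < TABLE_SIZE; i++)
        demo_table[i].sy_call = NULL;
    for (size_t i = 0; i < DEMO_NKNOWN; i++)
        demo_table[demo_known[i].number].sy_call = demo_known[i].original;
    if (tamper)
        demo_table[SYS_mkdir].sy_call = not_mkdir;
}

int main(void)
{
    demo_reset(1);
    int n = find_syscall_hooks(demo_table, demo_known, DEMO_NKNOWN, 1);
    printf("%d hook(s) found and restored\n", n);
    /* A second pass must now come back clean. */
    return find_syscall_hooks(demo_table, demo_known, DEMO_NKNOWN, 0) ? 1 : 0;
}
```

Two points a practitioner should keep in mind when moving this to a real kernel. First, the check is only as trustworthy as its reference addresses: on a live FreeBSD system they would be resolved from the kernel's symbol table, so the comparison must be done against addresses obtained independently of the possibly tampered kernel. Second, the check only catches pointer replacement in sysent; a hook placed inside the original function's code (the inline hooks and code byte patches treated in section 7.3) leaves sy_call intact and needs the checks described there.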
7.1.1 Finding System Call Hooks
Listing 7-1 is a simple program designed to find (and uninstall) system call hooks. This program is invoked with two parameters: the name of the

