Заинтересовала тема руткитов и как они работают. В интернете мало о них информации. Можете рассказать их структуру на каком языке их пишут и возможно ли его написать на python?
-
XSS.stack #1 – первый литературный журнал от юзеров форума
Wat is Rootkit
Rootkits are a collection of tools or sets of applications that allow the administrator-level access to a computer or a network. These rootkits are fed into the host computer by a cracker (malicious hacker) either by exploiting a known vulnerability of the system or cracking the password. These rootkits hide their presence using some of the operating system's low layers, which makes them almost undetectable by standard anti-malware software. So the name implies where 'rootkit' is a compound of two words 'root' and 'kit' where root describes the most privileged user on the computer, and kit describes the set of tools to implement. The rootkit has a synonym with malware, which describes malware with root capabilities.
Root modes of windows operating systems
The kernel is the primary component of an operating system. It serves as an intermediate connector between the application and the hardware. The Windows kernel has been designed with flexibility in mind. The windows OS kernel code runs in the highest privileged mode in the system, the Kernel-mode. As because all software and programs don't require system resources and hardware manipulation, a lower privileged mode also exists, knows as User-mode, where this application runs.
Types of Rootkits
As in the Windows operating system, there are two modes a code can execute in: the unrestricted kernel mode and the private, restricted user mode. Rootkits can exist in both of these modes. Rootkits can be either legitimate or malicious; ie, they may get installed as a part of the legitimate application or through some Trojans via some suspicious email attachments. There are two types of windows rootkits, which are aptly called:
Rootkits are a collection of tools or sets of applications that allow the administrator-level access to a computer or a network. These rootkits are fed into the host computer by a cracker (malicious hacker) either by exploiting a known vulnerability of the system or cracking the password. These rootkits hide their presence using some of the operating system's low layers, which makes them almost undetectable by standard anti-malware software. So the name implies where 'rootkit' is a compound of two words 'root' and 'kit' where root describes the most privileged user on the computer, and kit describes the set of tools to implement. The rootkit has a synonym with malware, which describes malware with root capabilities.
Root modes of windows operating systems
The kernel is the primary component of an operating system. It serves as an intermediate connector between the application and the hardware. The Windows kernel has been designed with flexibility in mind. The windows OS kernel code runs in the highest privileged mode in the system, the Kernel-mode. As because all software and programs don't require system resources and hardware manipulation, a lower privileged mode also exists, knows as User-mode, where this application runs.
Types of Rootkits
As in the Windows operating system, there are two modes a code can execute in: the unrestricted kernel mode and the private, restricted user mode. Rootkits can exist in both of these modes. Rootkits can be either legitimate or malicious; ie, they may get installed as a part of the legitimate application or through some Trojans via some suspicious email attachments. There are two types of windows rootkits, which are aptly called:
- User-mode Rootkits : These rootkits function in user-mode or the low privileged level of the processor ring — the effect of these types of rootkits limits on the user level only via an affected application. If the rootkit wants to infect other applications, they'd need to do the same work in every application's memory space. They operate mostly by hijacking or hooking function calls.
- Kernel-mode Rootkits : operates on kernel-mode or highest privileged level, ie, in the kernel space. It makes rootkits powerful as they reside in the lowest operating system level, which means its controlling capability is strong over the hardware and the operating system. Most kernel-level rootkits take advantage of hooking execution, transmitting to kernel mode, and utilizing a loadable kernel module (LKM) to enhance kernel functionalities with rootkit code. It has a subtype also - the 'bootkit,' which infects the startup programs and codes like MBR (Master Boot Record), VBR (Volume Boot Record), and effects like boot sector viruses and creates malfunction at the time of booting.
Techniques Used by Rootkits
Rootkits use three different techniques that were coded in them. These are:- Hooking: is the most common function of al rootkits, which involves hooking the application's execution flow. They re-direct the normal flow of execution and point to its code. It is internally done when the API calls and the system function calls are intercepted.
- DLL Injection: is the mechanism of loading a dynamic link library (DLL) into a running process address space. In malware and rootkits, the DLL injection attack is a malicious one with a DLL file that exports malicious functions and patches or modifies the registry key. Since these malicious DLL can be loaded easily, so it can be injected into processes of USER32.DLL.
- Kernel Object Manipulation: is considered to be the most advanced technology used by malware writers. This type of attack contains kernel structure modification, bypassing the kernel object manager to avoid access checks. Most of the kernel's data structure gets modified as the kernel is itself under the siege of this attack. Although this technique is advanced-most, it isn't very easy too. Manipulating the kernel object needs the understanding of that object in detail also.
USE OF LOW LEVEL LANGUAGES
В интернете огромное количество информации на тему руткитов. Написаны целые книги.
Например, "Rootkits: Subverting the Windows Kernel", "The Rootkit Arsenal".
Гуглится информация по запросам :
rootkit site:blackhat.com - доклады
rootkit site:researchgate.net - исследования (чаще всего теория и реализации в виде полупоков)
rootkit site:github.com - исходники
и т.д.
Еще был сайт rootkit.com, можно найти архив и утечку на гите с исходниками.
Чаще под руткитом подразумевается обычный драйвер, следовательно структура будет определяться целевой ОС. Для Win - это знание WDM. Отличная книга на тему была написана Питером Вискаролой ("Windows NT Device Driver Development"), насколько мне известно, перевода на русский не было. Пишут чаще всего на С с ассемблерными вставками, допускаются плюсы.
Логику ядерного руткита придется реализовывать на нативном языке ОС.
P.S.
Советовать ничего не буду, но ИМХО руткиты - это не про кодинг, а про понимание архитектуры. Я бы начал с понимания работы операционных систем и железа. Без этого написать врятли что-то получится системное.
- Автор темы
- Добавить закладку
- #4
спасибо
Очень правильно сказано. Что касается руткитов, мы должны понять как операционная система работает вначале, код на втором плане.
Если мы говорим о Венде, то руткиты канеш уже давно не актуальны. А в свете всяческих ядерных защит, если тебе и удасться попасть в ядро, традиционные для руткитов методы просто уронят операционную систему в бсод. По старым книгам уже свой уютненький руткит не напишешь.
- Автор темы
- Добавить закладку
- #7
А какие сейчас новые актуальные типы вирусов?
Вирусы - это не тот термин, который ты подразумеваешь под ним. Ты хотел спросить какие новые актуальные типы малвари. Так вот, рансомваре - сейчас, видимо, самый актуальный тип малвари.