Category: Foreign Books > Computers > Internet/Web Development
List price | 39,000 KRW
---|---
Points earned | 1,170P (3%)
Table of Contents
Section | Page
---|---
Preface | xv
Acknowledgments | xix
About the Authors | xxi
About the Cover | xxiii
Leave No Trace | 1
Understanding Attackers' Motives | 2
The Role of Stealth | 2
When Stealth Doesn't Matter | 3
What Is a Rootkit? | 4
Why Do Rootkits Exist? | 4
Remote Command and Control | 5
Software Eavesdropping | 5
Legitimate Uses of Rootkits | 6
How Long Have Rootkits Been Around? | 7
How Do Rootkits Work? | 8
Patching | 8
Easter Eggs | 9
Spyware Modifications | 9
Source-Code Modification | 9
The Legality of Software Modification | 10
What a Rootkit Is Not | 10
A Rootkit Is Not an Exploit | 11
A Rootkit Is Not a Virus | 11
Rootkits and Software Exploits | 13
Why Exploits Are Still a Problem | 15
Offensive Rootkit Technologies | 17
HIPS | 17
NIDS | 17
Bypassing the IDS/IPS | 18
Bypassing Forensic Tools | 18
Conclusion | 20
Subverting the Kernel | 21
Important Kernel Components | 22
Rootkit Design | 23
Introducing Code into the Kernel | 25
Building the Windows Device Driver | 26
The Device Driver Development Kit | 27
The Build Environments | 27
The Files | 27
Running the Build Utility | 29
The Unload Routine | 30
Loading and Unloading the Driver | 30
Logging the Debug Statements | 31
Fusion Rootkits: Bridging User and Kernel Modes | 32
I/O Request Packets | 33
Creating a File Handle | 37
Adding a Symbolic Link | 38
Loading the Rootkit | 39
The Quick-and-Dirty Way to Load a Driver | 40
The Right Way to Load a Driver | 41
Decompressing the .sys File from a Resource | 43
Surviving Reboot | 46
Conclusion | 47
The Hardware Connection | 49
Ring Zero | 50
Tables, Tables, and More Tables | 52
Memory Pages | 53
Memory Access Check Details | 53
Paging and Address Translation | 55
Page-Table Lookups | 56
The Page-Directory Entry | 58
The Page-Table Entry | 59
Read-Only Access to Some Important Tables | 59
Multiple Processes, Multiple Page Directories | 59
Processes and Threads | 60
The Memory Descriptor Tables | 61
The Global Descriptor Table | 61
The Local Descriptor Table | 62
Code Segments | 62
Call Gates | 62
The Interrupt Descriptor Table | 62
Other Types of Gates | 65
The System Service Dispatch Table | 66
The Control Registers | 66
Control Register Zero (CR0) | 66
Other Control Registers | 67
The EFlags Register | 67
Multiprocessor Systems | 68
Conclusion | 69
The Age-Old Art of Hooking | 71
Userland Hooks | 71
Import Address Table Hooking | 73
Inline Function Hooking | 74
Injecting a DLL into Userland Processes | 76
Kernel Hooks | 81
Hooking the System Service Descriptor Table | 82
Hooking the Interrupt Descriptor Table | 91
Hooking the Major I/O Request Packet Function Table in the Device Driver Object | 96
A Hybrid Hooking Approach | 106
Getting into a Process' Address Space | 106
Memory Space for Hooks | 111
Conclusion | 112
Runtime Patching | 113
Detour Patching | 114
Rerouting the Control Flow Using MigBot | 115
Checking for Function Bytes | 117
Keeping Track of the Overwritten Instructions | 118
Using NonPagedPool Memory | 121
Runtime Address Fixups | 121
Jump Templates | 125
The Interrupt Hook Example | 126
Variations on the Method | 133
Conclusion | 133
Layered Drivers | 135
A Keyboard Sniffer | 136
I/O Request Packet (IRP) and Stack Locations | 137
The KLOG Rootkit: A Walk-through | 140
File Filter Drivers | 153
Conclusion | 167
Direct Kernel Object Manipulation | 169
DKOM Benefits and Drawbacks | 169
Determining the Version of the Operating System | 171
User-Mode Self-Determination | 171
Kernel-Mode Self-Determination | 173
Querying the Operating System Version in the Registry | 174
Communicating with the Device Driver from Userland | 175
Hiding with DKOM | 179
Process Hiding | 180
Device-Driver Hiding | 185
Synchronization Issues | 189
Token Privilege and Group Elevation with DKOM | 193
Modifying a Process Token | 194
Faking out the Windows Event Viewer | 208
Conclusion | 210
Hardware Manipulation | 213
Why Hardware? | 215
Modifying the Firmware | 216
Accessing the Hardware | 217
Hardware Addresses | 217
Accessing Hardware Is Not Like Accessing RAM | 218
Timing Considerations | 219
The I/O Bus | 219
Accessing the BIOS | 221
Accessing PCI and PCMCIA Devices | 221
Example: Accessing the Keyboard Controller | 222
The 8259 Keyboard Controller | 222
Changing the LED Indicators | 222
Hard Reboot | 229
Keystroke Monitor | 229
How Low Can You Go? Microcode Update | 236
Conclusion | 237
Covert Channels | 239
Remote Command, Control, and Exfiltration of Data | 240
Disguised TCP/IP Protocols | 241
Beware of Traffic Patterns | 242
Don't Send Data "in the Clear" | 242
Use Time to Your Advantage | 243
Hide Under DNS Requests | 243
"Stego" on ASCII Payloads | 244
Use Other TCP/IP Channels | 245
Kernel TCP/IP Support for Your Rootkit Using TDI | 246
Build the Address Structure | 246
Create a Local Address Object | 248
Create a TDI Endpoint with Context | 252
Associate an Endpoint with a Local Address | 254
Connect to a Remote Server (Send the TCP Handshake) | 257
Send Data to a Remote Server | 259
Raw Network Manipulation | 262
Implementing Raw Sockets on Windows XP | 262
Binding to an Interface | 263
Sniffing with Raw Sockets | 264
Promiscuous Sniffing with Raw Sockets | 264
Sending Packets with Raw Sockets | 265
Forging the Source | 266
Bouncing Packets | 266
Kernel TCP/IP Support for Your Rootkit Using NDIS | 267
Registering the Protocol | 267
The Protocol Driver Callbacks | 273
Moving Whole Packets | 278
Host Emulation | 285
Creating Your MAC Address | 286
Handling ARP | 286
The IP Gateway | 289
Sending a Packet | 289
Conclusion | 293
Rootkit Detection | 295
Detecting Presence | 295
Guarding the Doors | 296
Scanning the "Rooms" | 298
Looking for Hooks | 298
Detecting Behavior | 308
Detecting Hidden Files and Registry Keys | 308
Detecting Hidden Processes | 309
Conclusion | 312
Index | 315

Table of Contents provided by Ingram. All Rights Reserved.
Book Description
Rootkit.com founder reveals never-before-told offensive aspects of rootkit technology.
About the Author
No information about this author is available.