A rootkit is the most common type of Trojan backdoor tool on the Linux platform. It achieves intrusion and concealment mainly by replacing system files, which makes it more dangerous and more covert than an ordinary Trojan backdoor: ordinary detection tools and inspection methods have difficulty finding it. Rootkits are generally divided into file-level and kernel-level. A file-level rootkit is usually through a
[Introduction]
PatchFinder is a well-designed program based on Execution Path Analysis (EPA) technology for detecting rootkits that intrude into the kernel. Appendices 1 and 2 explain how it works. This article provides a way to bypass EPA.
[Method]
EPA uses entry 0x01 of the Interrupt Descriptor Table (IDT), relying on the Intel processor's single-step mode. To prevent a rootkit from modifying thi
This type of virus is characterized by two or more virus files: an executable with the extension .exe and a driver with the extension .sys. The .exe file is the traditional worm module, responsible for generation, infection, propagation, destruction and other tasks; the .sys file is the rootkit module.
A rootkit is also a kind of Trojan horse, but it is more hidden than our c
Core Rootkit Technology: using nt!_MDL to break through the KiServiceTable read-only access restriction, Part II
At the beginning of this article I go straight into the topic. Because the MDL is involved, some related background knowledge is required:
nt!_MDL represents a Memory Descriptor List (MDL) structure, which describes the user or k
Core Rootkit Technology: using nt!_MDL (Memory Descriptor List) to break through the SSDT (System Service Descriptor Table) read-only access restriction, Part I
A basic requirement for rootkit and malware development is to hook the System Service Descriptor Table (SSDT) of the Windows kernel,
replacing specific system service functions wi
The above is an article about rootkits that can be seen everywhere on the Internet. With a dialectical attitude, I re-read things that I had learned N years ago. There are still some things worth learning from.
Because getdents64() is a system call, intervening in it can only be done in the kernel, through a driver, which on Linux means a loadable kernel module (LKM). There are currently two ways to "intervene":
1. Hook the getdents64 entry of the system call tabl
DDRK is a kernel-level rootkit for Linux that combines the advantages of shv and adore-ng.
DDRK files:
netstat  # replaces the system's netstat; reads the port from the ssh configuration file and hides it
rk.ko    # kernel module that hides files and processes
setup    # rootkit installation file
tty      # ava tool
bin.tgz
--- ttymon
--- sshd.tgz
--- .sh
--- shdcf2  # sshd configuration file
--- shhk
--- shhk.pub
--- sh
XSS Rootkit: http://www.bkjia.com/Article/201110/107620.html
However, I still don't feel comfortable with this; it would be better to add something practical so that it is easy for others to understand. So I have to take a website for a practical test.
I took a non-persistent XSS in DISCUZ for the test; IE8 would intercept it, so the XSS filter has to be disabled for it to succeed. In addition, I used Netease's website for testing. Please forgive me.
1. Access the URL below
Trojan.Win32.KillAV, Trojan.PSW.Win32.QQPass, Rootkit.Win32.Mnless, etc.
Original by endurer, 1st edition, -04-03
The website page contains code: /------/
#1 hxxp: // www. t **-T ** o * u *. CN/ping.html contains the code: /------/
#1.1 hxxp: // ** A.1 ** 5 * 8d * m **. com/b3.htm? 001 contains the code: /------/
#1.1.1 hxxp: // * B *. 1 ** 5 * 8d * m **. com/One/OK. js
uses the RealPlayer rmoc3260.dll (CLSID: 2f542a2e-edc9-4bf7-8cb1-87c9919f7f93) vulnerability to do
Implementation of an XSS Rootkit (www.2cto.com)
We know that the first thing the core code of today's popular PHP web programs does is to simulate register_globals and register variables directly from GPC (GET, POST, COOKIE), so that the whole program can use them conveniently. This article focuses on our demo in this scenario: demo.php accepts not only GET parameters but also COOKIE data, and a COOKIE is persistent data in the client browser. If the COOKIE is set throu
Title: Windows rootkit links
Maintainer: Small four. Link: http://www.opencjk.org/~SCZ/200402170928.txt Created: Updated:
-- If you have recommendations, please send a letter to --
[1] Avoiding Windows Rootkit Detection / Bypassing PatchFinder 2 - Edgar Barbosa [] http://www.geocities.com/embarbosa/bypass/bypassEPA.pdf
[2] TOCTOU with NT System Service Hooking http://www.securityfocus.com/archive/1/348570
Toctou
Disk analysis is the process of extracting, through a series of complex steps, a set of unknown binaries from a disk image file or a physically consistent copy of a compromised computer; these binaries contain the malicious software that requires forensic examination. The rootkit aims to do exactly the opposite: destroy the forensics process. We have two strategies for doing this. One is the scorched-earth strategy, flooding the system with a lot of gar
Rootkit.Win32.Ressdt.o / Trojan-Downloader.Win32.Agent.mjp Analysis
Original by endurer, 2008-04-10, 1st edition
It is something that Xialu has published on its official website.
Rootkit.Win32.Ressdt.o / Trojan-Downloader.Win32.Agent
http://endurer.bokee.com/6681893.html
http://blog.csdn.net/Purpleendurer/archive/2008/04/09/2271747.aspx
http://blog.sina.com.cn/s/blog_49926d910100926n.html
File description: D:/test/svcos.ex
When the released EXE file runs, everything is exposed: a svchost.exe service process executed ad1.exe. What could be more obvious than this?
Svchost's group information is located under the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"; this is where svchost finds the DLLs it loads, and if a user finds a strange group entry there, it is better to be wary.
The Summit of Stealth Technology Development: the Rootkit Trojan Horse
also lists a kernel module (compiled with gcc -c scprint.c -I/usr/src/`uname -r`/include/). This module prints the system call addresses and automatically writes them to syslog, so that a real-time comparison can be made.
In most cases, the kernel is changed only after system initialization; the change occurs when the module containing the rootkit is loaded, or when an on-the-fly kernel patch is implanted by reading and writing /dev/kmem directly. In general, a rootkit does not change vmlinuz and System.map, so printing the symbol addresses from these two files tells you the original system call addresses; the system call addresses currently running in
Affected versions:
All versions of DEDECMS
Vulnerability description:
The gotopage variable in the DEDECMS back-end login template does not effectively validate incoming data, resulting in an XSS vulnerability.
\dede\templets\login.htm
Around line 65
Because of the global variable registration mechanism of DEDECMS, the content of this variable can be overwritten by a COOKIE variable, and the COOKIE can be stored persistently on the client, resulting in XSS.
Trojan Rootkit.Win32.Mnless, Trojan.Win32.Edog, etc.
Endurer original, 2008-02-02, version 1
IE stopped responding after opening the website...
Code found at the bottom of the homepage: /------/
1 hxxp: // 8 ** 8.8*812 ** 15.com/88.htm, code included: /------/
1.1 hxxp: // 8 ** 8.8*812 ** 15.com/in.htm, code included: /------/
1.1.1 hxxp: // y ** UN. y ** un8 ** 78.com/web/6620.38.htm, code included: /------/
1.1.1.1 hxxp: // y ** UN. y ** un8 ** 78.com/web/htm.html
Forcibly recommends Firefox: Adware.Win32.Admoke.fg, Rootkit.Win32.Mnless.ft, etc.
Endurer original, 1st edition -
A few days ago, a netizen said that Kingsoft Duba on his computer had recently been reporting a virus every day, and IE appeared
Encountered sqmapi32.dll, kvmxfma.dll, rarjdpi.dll, Google.dll, a0b1.dll, etc.
http://blog.csdn.net/Purpleendurer/archive/2007/11/07/1871409.aspx
http://endurer.bokee.com/6522203.html
http://blog.nnsky.com/blog_view_22283