
Windows Rootkit Related Links

2013-02-08 ⁄ General
Maintainer: 小四 <scz@nsfocus.com>
Link: http://www.opencjk.org/~scz/200402170928.txt
Created: 2004-02-17 09:28
Updated: 2006-03-14 10:59

--
    If you have recommendations, please send them to <scz@nsfocus.com>. Thank you.
--

[ 1] Avoiding Windows Rootkit Detection/Bypassing PatchFinder 2 - Edgar Barbosa[2004-02-17]
     http://www.geocities.com/embarbosa/bypass/bypassEPA.pdf

[ 2] TOCTOU with NT System Service Hooking
     http://www.securityfocus.com/archive/1/348570

     TOCTOU with NT System Service Hooking Bug Demo
     http://www.securesize.com/Resources/hookdemo.shtml

[ 3] Hooking Windows NT System Services
     http://www.windowsitlibrary.com/content/356/06/1.html
     http://www.windowsitlibrary.com/content/356/06/2.html

[ 4] NTIllusion: A portable Win32 userland rootkit - Kdm <Kodmaker@syshell.org>
     http://www.phrack.org/phrack/62/p62-0x0c_Win32_Portable_Userland_Rootkit.txt

[ 5] Kernel-mode backdoors for Windows NT - firew0rker <firew0rker@nteam.ru>
     http://www.phrack.org/phrack/62/p62-0x06_Kernel_Mode_Backdoors_for_Windows_NT.txt

[ 6] Win2K Kernel Hidden Process/Module Checker 0.1 (Proof-Of-Concept) - Tan Chew Keong[2004-05-23]
     http://www.security.org.sg/code/kproccheck.html
     http://www.security.org.sg/code/KProcCheck-0.1.zip
     http://www.security.org.sg/code/KProcCheck-0.2beta1.zip

[ 7] port/connection hiding - akcom[2004-06-18]
     http://www.rootkit.com/newsread_print.php?newsid=143

[ 8] Process Invincibility - metro_mystery[2004-06-13]
     http://www.rootkit.com/newsread_print.php?newsid=139

[ 9] KCode Patching - hoglund[2004-06-06]
     http://www.rootkit.com/newsread_print.php?newsid=152
     http://www.rootkit.com/vault/hoglund/migbot.zip

[10] Hiding Window Handles through Shadow Table Hooking on Windows XP - metro_mystery[2004-06-12]
     http://www.rootkit.com/newsread_print.php?newsid=137

[11] hooking functions not exported by ntoskrnl - akcom[2004-07-02]
     http://www.rootkit.com/newsread_print.php?newsid=151

[12] A method of get the Address of PsLoadedModuleList - stoneclever[2004-06-10]
     http://www.rootkit.com/newsread_print.php?newsid=135

[13] Fun with Kernel Structures (Plus FU all over again) - fuzen_op[2004-06-08]
     http://www.rootkit.com/newsread_print.php?newsid=134
     http://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip

[14] Getting Kernel Variables from KdVersionBlock, Part 2 - ionescu007[2004-07-11]
     http://www.rootkit.com/newsread_print.php?newsid=153

[15] Byepass Scheduler List Process Detection - SoBeIt <kinvis@hotmail.com> [2004-04-25]
     http://www.rootkit.com/newsread_print.php?newsid=117

[16] Detecting Hidden Processes by Hooking the SwapContext Function - kkasslin[2004-08-03]
     http://www.rootkit.com/newsread_print.php?newsid=170

[17] Loading Rootkit using SystemLoadAndCallImage - Greg Hoglund <hoglund@ieway.com> [2000-08-29]
     http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0114.html
     http://seclists.org/lists/bugtraq/2000/Aug/0408.html
     http://marc.theaimsgroup.com/?l=ntbugtraq&m=96766147118874&w=2
     http://www.securityfocus.com/archive/1/79379/2002-11-30/2002-12-06/0

[18] A *REAL* NT Rootkit, patching the NT Kernel - Greg Hoglund <hoglund@ieway.com> [1999-09-09]
     http://www.phrack.org/phrack/55/P55-05

[19] Win2K/XP SDT Restore 0.2 (Proof-Of-Concept) - Tan Chew Keong[2004-10-01]
     http://www.security.org.sg/code/sdtrestore.html
     http://www.security.org.sg/code/SDTrestore-0.1.zip
     http://www.security.org.sg/code/SDTrestore-0.2.zip

     Disabling Sebek Win32 Client by Direct Service Table Restoration - Tan Chew Keong[2004-07-17]
     http://www.security.org.sg/vuln/sebek215-2.html

[20] Sebek is a tool to capture the attacker's activities on a honeypot
     http://www.honeynet.org/tools/sebek/

     Sebek client for Win2000 and WinXP
     http://www.honeynet.org/tools/sebek/sebek-win32-2.1.5-src.zip

[21] Advanced Windows 2000 Rootkits Detection - Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl>
     http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-rutkowski/bh-us-03-rutkowski-r2.pdf
     http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-rutkowski/rutkowski-antirootkit.zip

[22] Windows Key Logging and Counter-Measures - Chew Keong TAN <chewkeong@hotmail.com>
     http://pachome2.pacific.net.sg/~chewkeong/keylogr.pdf

[23] Windows NT System-Call Hooking/Dr. Dobb's Journal January 1997 - Mark Russinovich <mark@osr.com> and Bryce Cogswell <cogswell@cs.uoregon.edu>
     http://www.exetools.com/forum/showthread.php?p=23296
     http://www.exetools.com/forum/attachment.php?attachmentid=1751(9701.rar 253.6KB)
     (three post minimum required)

[24] Kernel Filter Driver Example & Article (very good)
     Designing A Kernel Key Logger/A Filter Driver Tutorial - Clandestiny <clandestiny@despammed.com> [2004-09-01]
     http://www.woodmann.net/forum/showthread.php?t=6312
     http://www.woodmann.net/forum/attachment.php?attachmentid=1084(Klog 1.0.zip 139.8KB)

[25] Hide'n'Seek? Anatomy of Stealth Malware
     http://www.blackhat.com/presentations/bh-europe-04/bh-eu-04-erdelyi/bh-eu-04-erdelyi-paper.pdf
     (An overview of rootkit hiding techniques; not much of substance)

[26] A more stable way to locate real KiServiceTable - 90210[2004-08-12]
     http://www.rootkit.com/newsread_print.php?newsid=176

[27] Bypassing SDT Restore tool - Opc0de[2004-10-11]
     http://www.rootkit.com/newsread_print.php?newsid=200
     http://www.rootkit.com/vault/Opc0de/Bypassing_SDT_Restore.zip

[28] Writing Trojans that bypass Windows XP Service Pack 2 Firewall - <americanidiot@hushmail.com> [2004-10-12]
     http://marc.theaimsgroup.com/?l=full-disclosure&m=109759186016337&w=2

[29] Concepts for the Stealth Windows Rootkit - Joanna Rutkowska <joanna@mailsnare.net> [2003-09]
     http://invisiblethings.org/papers/chameleon_concepts.pdf

[30] Rootkits Detection on Windows Systems - Joanna Rutkowska <joanna@invisiblethings.org> [2004-10]
     http://invisiblethings.org/papers/ITUnderground2004_Win_rtks_detection.ppt

[31] OMCD - Open Methodology for Compromise Detection by Joanna Rutkowska <omcd@isecom.org>
     http://www.isecom.org/projects/omcd.shtml
     http://isecom.securenetltd.com/omcs.outline.v.0.1.pdf

[32] Windows rootkits of 2005 - James Butler <james.butler@hbgary.com>, Sherri Sparks <ssparks@longwood.cs.ucf.edu> [2005-11-04]
     http://www.securityfocus.com/infocus/1850
     http://www.securityfocus.com/infocus/1851
     http://www.securityfocus.com/infocus/1854

     http://www.securityfocus.com/print/infocus/1850
     http://www.securityfocus.com/print/infocus/1851
     http://www.securityfocus.com/print/infocus/1854
     (recommended by xuna)

[33] Implementing malware with virtual machines - Samuel T. King, Peter M. Chen
     http://www.eecs.umich.edu/Rio/papers/king06.pdf

     how to detect VMM using (almost) one CPU instruction - Joanna Rutkowska <joanna@invisiblethings.org>
     http://invisiblethings.org/tools/redpill.c
     http://invisiblethings.org/tools/redpill.exe
