
E-book: Rootkits and Bootkits

  • Format: EPUB+DRM
  • Publication date: 07-May-2019
  • Publisher: No Starch Press,US
  • Language: eng
  • ISBN-13: 9781593278830
  • Price: 36,04 €*
  • * the price is final, i.e. no further discounts apply
  • This e-book is intended for personal use only. E-books cannot be returned.

DRM restrictions

  • Copying (copy/paste):

    not allowed

  • Printing:

    not allowed

  • Usage:

    Digital rights management (DRM)
    The publisher has issued this e-book in encrypted form, which means that you must install special software to read it. You must also create an Adobe ID. The e-book can be read by 1 user and downloaded to up to 6 devices (all authorized with the same Adobe ID).

    Required software
    To read on a mobile device (phone or tablet) you must install this free app: PocketBook Reader (iOS / Android)

    To read on a PC or Mac you must install Adobe Digital Editions (this is a free application made specifically for reading e-books; it should not be confused with Adobe Reader, which is probably already installed on your computer).

    This e-book cannot be read on an Amazon Kindle.

Rootkits and Bootkits delivers a master class in malware evolution that will give you the techniques and tools necessary to counter sophisticated, advanced threats. We’re talking hard stuff – attacks buried deep in a machine’s boot process or UEFI firmware that keep malware analysts up late at night.

Security experts Alex Matrosov, Eugene Rodionov, and Sergey Bratus share the knowledge they’ve gained over years of professional research. With these field notes, you’ll trace malware evolution from rootkits like TDL3 to present-day UEFI implants and examine how this malware infects the system, persists through reboot, and evades security software. While you inspect real malware under the microscope, you’ll learn:

-The details of the Windows boot process, from 32-bit to 64-bit and UEFI, and where it’s vulnerable.
-Boot process security mechanisms like Secure Boot and the kernel-mode code signing policy, including details of recent technologies like Virtual Secure Mode (VSM) and Device Guard.
-The reverse engineering and forensic approaches for real malware discovered in the wild, including bootkits like Rovnix/Carberp, Gapz, TDL4 and the infamous rootkits TDL3 and Festi.
-How to perform boot process dynamic analysis using emulation and virtualization.
-Modern BIOS-based rootkits and implants, with directions for forensic analysis.

Cybercrime syndicates and malicious actors keep pushing the envelope, writing ever more persistent and covert attacks. But the game is not lost. Explore the cutting edge of malware analysis with Rootkits and Bootkits.

Covers boot processes for Windows 32-bit and 64-bit operating systems.

Reviews

"This deep reference, jam-packed with code and technical information, will support an engineer or system administrator tasked with putting these vulnerabilities in their place." (Ben Rothke, Security Management)

"Alex Matrosov, Eugene Rodionov, and Sergey Bratus are experts in their field that have delivered a solid hands-on technical book. While enthralled with the stories from the trenches, I got flashbacks of my days of analyzing rootkits on SunOS and Solaris workstations about 20 years ago. It was a fun book to read." (Sven Dietrich, Cipher: the newsletter of the IEEE Computer Society's Technical Committee on Security and Privacy)

"I enjoyed reading the book and learning about the malware, even if it was not particularly relevant to me, as 'I don't do Windows.' Still, there's more than enough here that's relevant to Linux users, as malware writers are now turning their attention to Linux servers." (Rik Farrow, USENIX ;login: magazine)

"[A] seminal book that explains how to understand and counter sophisticated, advanced threats buried deep in a machine's boot process or UEFI firmware." (Business Wire)

Table of contents

Foreword (Rodrigo Rubira Branco)
Acknowledgments
Abbreviations
Introduction
  • Why Read This Book?
  • What's in the Book?
      • Part I: Rootkits
      • Part II: Bootkits
      • Part III: Defense and Forensic Techniques
  • How to Read This Book

PART I: ROOTKITS

1 What's in a Rootkit: The TDL3 Case Study
  • History of TDL3 Distribution in the Wild
  • Infection Routine
  • Controlling the Flow of Data
      • Bring Your Own Linker
      • How TDL3's Kernel-Mode Hooks Work
  • The Hidden Filesystem
  • Conclusion: TDL3 Meets Its Nemesis

2 Festi Rootkit: The Most Advanced Spam and DDoS Bot
  • The Case of Festi Botnet
  • Dissecting the Rootkit Driver
      • Festi Configuration Information for C&C Communication
      • Festi's Object-Oriented Framework
      • Plug-in Management
      • Built-in Plug-ins
      • Anti-Virtual Machine Techniques
      • Antidebugging Techniques
      • The Method for Hiding the Malicious Driver on Disk
      • The Method for Protecting the Festi Registry Key
  • The Festi Network Communication Protocol
      • Initialization Phase
      • Work Phase
  • Bypassing Security and Forensics Software
  • The Domain Generation Algorithm for C&C Failure
  • Malicious Functionality
      • The Spam Module
      • The DDoS Engine
      • Festi Proxy Plug-in
  • Conclusion

3 Observing Rootkit Infections
  • Methods of Interception
      • Intercepting System Events
      • Intercepting System Calls
      • Intercepting the File Operations
      • Intercepting the Object Dispatcher
  • Restoring the System Kernel
  • The Great Rootkits Arms Race: A Nostalgic Note
  • Conclusion

PART II: BOOTKITS

4 Evolution of the Bootkit
  • The First Bootkits
      • Boot Sector Infectors
      • Elk Cloner and Load Runner
      • The Brain Virus
  • The Evolution of Bootkits
      • The End of the BSI Era
      • The Kernel-Mode Code Signing Policy
      • The Rise of Secure Boot
  • Modern Bootkits
  • Conclusion

5 Operating System Boot Process Essentials
  • High-Level Overview of the Windows Boot Process
  • The Legacy Boot Process
  • The Windows Boot Process
      • BIOS and the Preboot Environment
      • The Master Boot Record
      • The Volume Boot Record and Initial Program Loader
      • The bootmgr Module and Boot Configuration Data
  • Conclusion

6 Boot Process Security
  • The Early Launch Anti-Malware Module
      • API Callback Routines
      • How Bootkits Bypass ELAM
  • Microsoft Kernel-Mode Code Signing Policy
      • Kernel-Mode Drivers Subject to Integrity Checks
      • Location of Driver Signatures
      • The Legacy Code Integrity Weakness
      • The ci.dll Module
      • Defensive Changes in Windows 8
  • Secure Boot Technology
  • Virtualization-Based Security in Windows 10
      • Second Level Address Translation
      • Virtual Secure Mode and Device Guard
      • Device Guard Limitations on Driver Development
  • Conclusion

7 Bootkit Infection Techniques
  • MBR Infection Techniques
      • MBR Code Modification: The TDL4 Infection Technique
      • MBR Partition Table Modification
  • VBR/IPL Infection Techniques
      • IPL Modifications: Rovnix
      • VBR Infection: Gapz
  • Conclusion

8 Static Analysis of a Bootkit Using IDA Pro
  • Analyzing the Bootkit MBR
      • Loading and Decrypting the MBR
      • Analyzing the BIOS Disk Service
      • Analyzing the Infected MBR's Partition Table
  • VBR Analysis Techniques
      • Analyzing the IPL
      • Evaluating Other Bootkit Components
  • Advanced IDA Pro Usage: Writing a Custom MBR Loader
      • Understanding loader.hpp
      • Implementing accept_file
      • Implementing load_file
      • Creating the Partition Table Structure
  • Conclusion
  • Exercises

9 Bootkit Dynamic Analysis: Emulation and Virtualization
  • Emulation with Bochs
      • Installing Bochs
      • Creating a Bochs Environment
      • Infecting the Disk Image
      • Using the Bochs Internal Debugger
      • Combining Bochs with IDA
  • Virtualization with VMware Workstation
      • Configuring the VMware Workstation
      • Combining VMware GDB with IDA
  • Microsoft Hyper-V and Oracle VirtualBox
  • Conclusion
  • Exercises

10 An Evolution of MBR and VBR Infection Techniques: Olmasco
  • The Dropper
      • Dropper Resources
      • Tracing Functionality for Future Development
      • Antidebugging and Antiemulation Tricks
  • The Bootkit Functionality
      • Bootkit Infection Technique
      • Boot Process of the Infected System
  • The Rootkit Functionality
      • Hooking the Hard Drive Device Object and Injecting the Payload
      • Maintaining the Hidden Filesystem
      • Implementing the Transport Driver Interface to Redirect Network Communication
  • Conclusion

11 IPL Bootkits: Rovnix and Carberp
  • Rovnix's Evolution
  • The Bootkit Architecture
  • Infecting the System
  • Post-Infection Boot Process and IPL
      • Implementing the Polymorphic Decryptor
      • Decrypting the Rovnix Bootloader with VMware and IDA Pro
      • Taking Control by Patching the Windows Bootloader
      • Loading the Malicious Kernel-Mode Driver
  • Kernel-Mode Driver Functionality
      • Injecting the Payload Module
      • Stealth Self-Defense Mechanisms
  • The Hidden Filesystem
      • Formatting the Partition as a Virtual FAT System
      • Encrypting the Hidden Filesystem
      • Accessing the Hidden Filesystem
  • The Hidden Communication Channel
  • Case History: The Carberp Connection
      • Development of Carberp
      • Dropper Enhancements
      • Leaked Source Code
  • Conclusion

12 Gapz: Advanced VBR Infection
  • The Gapz Dropper
      • Dropper Algorithm
      • Dropper Analysis
      • Bypassing HIPS
  • Infecting the System with the Gapz Bootkit
      • Reviewing the BIOS Parameter Block
      • Infecting the VBR
      • Loading the Malicious Kernel-Mode Driver
  • Gapz Rootkit Functionality
      • Hidden Storage
      • Self-Defense Against Antimalware Software
      • Payload Injection
      • Payload Communication Interface
      • Custom Network Protocol Stack
  • Conclusion

13 The Rise of MBR Ransomware
  • A Brief History of Modern Ransomware
  • Ransomware with Bootkit Functionality
  • The Ransomware Modus Operandi
  • Analyzing the Petya Ransomware
      • Acquiring Administrator Privileges
      • Infecting the Hard Drive (Step 1)
      • Encrypting with the Malicious Bootloader Configuration Data
      • Crashing the System
      • Encrypting the MFT (Step 2)
      • Wrapping Up: Final Thoughts on Petya
  • Analyzing the Satana Ransomware
      • The Satana Dropper
      • The MBR Infection
      • Dropper Debug Information
      • The Satana Malicious MBR
      • Wrapping Up: Final Thoughts on Satana
  • Conclusion

14 UEFI Boot vs. the MBR/VBR Boot Process
  • The Unified Extensible Firmware Interface
  • Differences Between the Legacy BIOS and UEFI Boot Processes
      • The Boot Process Flow
      • Disk Partitioning: MBR vs. GPT
      • Other Differences
  • GUID Partition Table Specifics
  • How UEFI Firmware Works
      • The UEFI Specification
      • Inside the Operating System Loader
      • The Windows Boot Loader
      • Security Benefits of UEFI Firmware
  • Conclusion

15 Contemporary UEFI Bootkits
  • Overview of Historical BIOS Threats
      • WinCIH, the First Malware to Target BIOS
      • Mebromi
      • An Overview of Other Threats and Counters
  • All Hardware Has Firmware
      • UEFI Firmware Vulnerabilities
      • (In)Effectiveness of Memory Protection Bits
      • Checks for Protection Bits
  • Ways to Infect the BIOS
      • Modifying an Unsigned UEFI Option ROM
      • Adding or Modifying a DXE Driver
  • Understanding Rootkit Injection
  • UEFI Rootkits in the Wild
      • Hacking Team's Vector-EDK Rootkit
  • Conclusion

16 UEFI Firmware Vulnerabilities
  • What Makes Firmware Vulnerable?
  • Classifying UEFI Firmware Vulnerabilities
      • Post-Exploitation Vulnerabilities
      • Compromised Supply Chain Vulnerabilities
      • Supply Chain Vulnerability Mitigation
  • A History of UEFI Firmware Protections
      • How BIOS Protections Work
      • SPI Flash Protections and Their Vulnerabilities
      • Risks Posed by an Unauthenticated BIOS Update
      • BIOS Protection with Secure Boot
  • Intel Boot Guard
      • Intel Boot Guard Technology
      • Vulnerabilities in Boot Guard
  • Vulnerabilities in the SMM Modules
      • Understanding SMM
      • Exploiting SMI Handlers
  • Vulnerabilities in the S3 Boot Script
      • Understanding the S3 Boot Script
      • Targeting Weaknesses of the S3 Boot Script
      • Exploiting the S3 Boot Script Vulnerability
      • Fixing the S3 Boot Script Vulnerability
  • Vulnerabilities in the Intel Management Engine
      • A History of ME Vulnerabilities
      • ME Code Attacks
      • Case Studies: Attacks on Intel AMT and BMC
  • Conclusion

PART III: DEFENSE AND FORENSIC TECHNIQUES

17 How UEFI Secure Boot Works
  • What Is Secure Boot?
  • UEFI Secure Boot Implementation Details
      • The Boot Sequence
      • Executable Authentication with Digital Signatures
      • The db Database
      • The dbx Database
      • Time-Based Authentication
      • Secure Boot Keys
      • UEFI Secure Boot: The Complete Picture
      • Secure Boot Policy
      • Protection Against Bootkits Using Secure Boot
  • Attacking Secure Boot
      • Patching PI Firmware to Disable Secure Boot
      • Modifying the UEFI Variables to Bypass Security Checks
  • Protecting Secure Boot with Verified and Measured Boot
      • Verified Boot
      • Measured Boot
  • Intel BootGuard
      • Finding the ACM
      • Exploring FIT
      • Configuring Intel BootGuard
  • ARM Trusted Boot Board
      • ARM Trust Zone
      • ARM Boot Loaders
      • Trusted Boot Flow
  • Verified Boot vs. Firmware Rootkits
  • Conclusion

18 Approaches to Analyzing Hidden Filesystems
  • Overview of Hidden Filesystems
  • Retrieving Bootkit Data from a Hidden Filesystem
      • Retrieving Data from an Offline System
      • Reading Data on a Live System
      • Hooking the Miniport Storage Driver
  • Parsing the Hidden Filesystem Image
  • The HiddenFsReader Tool
  • Conclusion

19 BIOS/UEFI Forensics: Firmware Acquisition and Analysis Approaches
  • Limitations of Our Forensic Techniques
  • Why Firmware Forensics Matter
      • Attacking the Supply Chain
      • Compromising BIOS Through Firmware Vulnerability
  • Understanding Firmware Acquisition
  • The Software Approach to Firmware Acquisition
      • Locating PCI Configuration Space Registers
      • Calculating SPI Configuration Register Addresses
      • Using the SPI Registers
      • Reading Data from the SPI Flash
      • Considering the Drawbacks of the Software Approach
  • The Hardware Approach to Firmware Acquisition
      • Reviewing a Lenovo ThinkPad T540p Case Study
      • Locating the SPI Flash Memory Chip
      • Reading the SPI Flash with the FT2232 Mini Module
  • Analyzing the Firmware Image with UEFITool
      • Getting to Know the SPI Flash Regions
      • Viewing SPI Flash Regions with UEFITool
      • Analyzing the BIOS Region
  • Analyzing the Firmware Image with Chipsec
      • Getting to Know the Chipsec Architecture
      • Analyzing Firmware with Chipsec Util
  • Conclusion

Index

About the authors

Alex Matrosov is a leading offensive security researcher at NVIDIA. He has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. Before joining NVIDIA, Alex served as Principal Security Researcher at Intel Security Center of Excellence (SeCoE), spent more than six years in the Intel Advanced Threat Research team, and was Senior Security Researcher at ESET. Alex has authored and co-authored numerous research papers and is a frequent speaker at security conferences, including REcon, ZeroNights, Black Hat, DEFCON, and others. Alex received an award from Hex-Rays for his open source plug-in HexRaysCodeXplorer, supported since 2013 by the team at REhint.

Eugene Rodionov, PhD, is a Security Researcher at Intel working in BIOS security for Client Platforms. Before that, Rodionov ran internal research projects and performed in-depth analysis of complex threats at ESET. His fields of interest include firmware security, kernel-mode programming, anti-rootkit technologies, and reverse engineering. Rodionov has spoken at security conferences, such as Black Hat, REcon, ZeroNights, and CARO, and has co-authored numerous research papers.

Sergey Bratus is a Research Associate Professor in the Computer Science Department at Dartmouth College. He has previously worked at BBN Technologies on Natural Language Processing research. Bratus is interested in all aspects of Unix security, in particular Linux kernel security, and detection and reverse engineering of Linux malware.