
Rootkit_on_Linux_x86_v2.6.pdf download

  • Updated: 2024-10-18 12:22:26
  • Size: 531KB
  • Rating: ★★★★★
  • Source: uploaded and shared by users
  • Category: Linux - Operating Systems
  • Format: PDF

Resource description

Index

  • Rootkit In Brief
  • Rootkit based on LKM
      • How to get sys_call_table
      • Simple sys_call_table hook
      • Inline hook
      • Patching system_call
      • Abuse Debug Registers
      • Real Rootkit
  • Rootkit based non-LKM
      • Using /dev/kmem and kmalloc
      • Using /dev/mem and kmalloc

“A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system… Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.”

Rootkit, *s, Virus, Malware?

  • Now they are often bundled together and called malware.

UserSpace Rootkit

  • Runs in user space
  • Modifies some files, libs, config files, and so on

KernelSpace Rootkit

  • Runs in kernel space
  • Modifies kernel structures and hooks system calls at the lowest level

  • Hide Process
  • Hide File
  • Hide Network Connection
  • Back Door
  • Key Logger

  • Hijack
  • Hook
  • System call
  • sys_call_table
  • sysenter
  • IDT
  • Debug Register

  • How to get sys_call_table
  • Simple sys_call_table hook
  • Inline hook
  • Patching system_call
  • Abuse Debug Registers
  • Real Rootkit