http://xcon.xfocus.net/2008-11-18 Day 1, 14:30 - 15:30

郑文彬 (MJ0011): security researcher, Windows driver engineer, Rootkit/Anti-Rootkit enthusiast; online handle: MJ0011

Advanced Bootkit - Tophet

This talk presents a new type of bootkit technology, Tophet, and several novel techniques used in its first-generation sample, Tophet.a. Tophet.a is not a virus or a Trojan; it exists only to demonstrate advanced penetration and stealth techniques.

A bootkit is a more advanced form of rootkit. The concept was first raised in 2005 by eEye Digital in their "BootRoot" project, which infected the MBR (master boot record) to bypass kernel checks and stay hidden from boot time onward. Any technique that loads before the Windows kernel at boot and hijacks the kernel can be called a bootkit, for example the later BIOS Rootkit, VBootkit and SMM Rootkit.

Today the MBR, boot sector and NT OS loader are all closely guarded by HIPS and other monitoring and checking software, while boot-time locations such as the BIOS, SMM and ROM firmware are either locked down or not portable enough. How, then, can the Windows kernel boot process be hijacked in a way that is simple, portable and effective? Tophet.a uses a new vector: NtBootdd.sys.

Tophet.a also demonstrates disk-level penetration and hiding techniques that can get past all current defense software in order to install, and that remain hidden from every current rootkit file-detection technique.

I am also looking forward to the talks by Alert7, Flashsky and the other veterans! Signing up tomorrow~ I really have to go and experience it this year.