Rootkits - making malware more powerful - part 2

Intro
The second part of this series will examine the mechanisms that rootkits use in order to provide stealth, data collection, and protection for BOTs and other malware. Since this is a lengthy topic, this part will start with user-land techniques and then part 3 will discuss kernel techniques.

User-Mode Hooking Techniques
User-Mode hooking, or Application Programming Interface (API) hooking, is the predominant method of stealth and obfuscation. The process basically works in this manner:


Rootkits - making malware more powerful - part 1

Intro
This series of blog entries will examine the topic of rootkits: what they are and how they work. Rootkits are a utility component of bots and other malware that provides stealth and protection for the malware. They are also what makes malware very difficult to remove and sometimes to detect. Therefore they are an important topic to explore as they apply to BOTs as well as other types of malware. This first part will examine what they are, why they exist and why they are a concern.

What are they?
Rootkits are not necessarily a new idea or technology, but like all software the techniques and goals have evolved over the years. Strictly in terms of terminology, a “root”-“kit” would be a collection of utilities, or a kit, which allows a user to obtain and manipulate root.


Instruction Pointer Relative Addressing (for position independent code)

So, here’s an interesting trick I’ve been using that I’ve never seen anyone mention before. One of the new features that AMD added to the x86 instruction set when they designed AMD64/x86-64 was that in “long mode” (64-bit mode), the encoding for the old 32-bit immediate offset addressing mode is now a 32-bit offset from the current RIP, not from 0x00000000 as before. In English, this means that you don’t have to know the absolute address of something you want to reference; you only need to know how far away it is from the currently executing instruction [technically the next instruction].

So, let’s say you’re writing a fairly generic execve() shellcode. I’m going to assume that everyone here has read Aleph One’s paper on this, so I’m not going to repeat it here. (Gripe: What is it with all these shellcode tutorials that are just slightly rewritten copies of “Smashing the Stack…”?)

This is what we want to do:
