Forensic examination and analysis of rootkits, using Win32/Olmarik (TDL4) as an example
Aleksandr Matrosov
Eugene Rodionov
Who we are
Malware researchers at ESET:
- rootkit analysis
- developing cleaning tools
- tracking new rootkit techniques
- researching cybercrime groups
http://www.joineset.com/
Workshop agenda
- Evolution of modern rootkits
- Installation stages on x86/x64
- Bootkit and bypassing the signature check
- Debugging the bootkit in the Bochs emulator
- Kernel-mode hooks
- Debugging with WinDbg
- The TDL4 file system
- TdlFsReader as a forensic tool
Evolution of rootkits
Evolution of rootkit functionality
User mode, dropper (x86/x64):
- bypass HIPS and AV
- privilege escalation
- install rootkit driver
Kernel mode, rootkit (x86):
- self-defense
- surviving reboot
- injecting payload
Kernel mode, rootkit (x64):
- self-defense
- surviving reboot
- injecting payload
- bypass signature check
- bypass MS PatchGuard
64-bit OS rootkit
o Kernel-Mode Code Signing Policy: it is difficult to load an unsigned kernel-mode driver
o Kernel-Mode Patch Protection (PatchGuard) protects:
  - SSDT (System Service Dispatch Table)
  - IDT (Interrupt Descriptor Table)
  - GDT (Global Descriptor Table)
  - MSRs (Model Specific Registers)
Evolution of TDL rootkits

| | TDL3/TDL3+ | TDL4 |
| --- | --- | --- |
| Kernel-mode code representation | Base-independent piece of code in the hidden file system | PE image in the hidden file system |
| Surviving after reboot | Infecting the disk miniport or a random kernel-mode driver | Infecting the MBR of the disk |
| Self-defense | Kernel-mode hooks, registry monitoring | Kernel-mode hooks, MBR monitoring |
| Injecting payload into processes in the system | tdlcmd.dll | cmd.dll/cmd64.dll |
| x64 support | no | yes |

Complexity grows from TDL3/TDL3+ to TDL4.
Evolution of TDL rootkits

| | TDL3/TDL3+ | TDL4 |
| --- | --- | --- |
| Bypassing HIPS | AddPrintProcessor, AddPrintProvidor | AddPrintProvidor, ZwConnectPort |
| Privilege escalation | - | MS10-092 |
| Installation mechanism | By loading a kernel-mode driver | By loading a kernel-mode driver; overwriting the MBR of the disk |
| Number of installed modules | 4 | 10 |
Installation on x86/x64

Installation stages: exploit -> payload -> dropper -> rootkit
Dropper layouts
Packed user-mode dropper -> unpacked user-mode dropper -> kernel-mode driver, carrying:
- cmd.dll/cmd64.dll: the module to inject into processes
- cfg.ini: configuration file
- drv32/drv64: the body of the rootkit
- bckfg.tmp: temporary file
Dropped modules

| Module | Description |
| --- | --- |
| mbr | original contents of the infected hard drive boot sector |
| ldr16 | 16-bit real-mode loader code |
| ldr32 | fake kdcom.dll for x86 systems |
| ldr64 | fake kdcom.dll for x64 systems |
| drv32 | the main bootkit driver for x86 systems |
| drv64 | the main bootkit driver for x64 systems |
| cmd.dll | payload to inject into 32-bit processes |
| cmd64.dll | payload to inject into 64-bit processes |
| cfg.ini | configuration information |
| bckfg.tmp | encrypted list of C&C URLs |
Installation on x86
1. Check the OS version.
2. Windows XP: adjust SeLoadDriverPrivilege.
   - success: copy itself into the PrintProcessor directory, set the IMAGE_FILE_DLL flag in the PE header, call the DeletePrintProvidorW API, then call the AddPrintProvidorW API
   - fail: installation fails
3. Vista/Win7: copy itself into the %TMP% directory and attempt exploitation of MS10-092.
   - success: continue with the SeLoadDriverPrivilege path above
   - fail: create a manifest requesting admin privilege and call ShellExecute
Installation on x64
1. Copy itself into the %TMP% directory and attempt exploitation of MS10-092.
   - success: continue
   - fail: create a manifest requesting admin privilege, call ShellExecute and restart the dropper
2. Prepare the hidden FS image.
3. Write the FS image, patch the MBR and adjust SE_SHUTDOWN_PRIVILEGE (fail / success).
4. On success: report to C&C, then call ZwRaiseHardError to create a BSOD (the machine reboots into the bootkit).
Bootkit and bypassing the driver signature check
Types of integrity checks
o PnP Device Installation Signing Requirements
o Kernel-Mode Code Signing Policy: enforced on 64-bit versions of Windows Vista and later
Kernel-Mode Code Signing Policy enforcement

| Driver class | 64-bit Windows Vista and later | 32-bit Windows Vista and later |
| --- | --- | --- |
| Boot-start driver | enforced | not enforced |
| Not boot-start PnP driver | enforced | not enforced |
| Not boot-start, non-PnP driver | enforced | not enforced (except stream protected media drivers) |
Boot process of Windows OS

Boot process of pre-Windows Vista OS:
1. Load MBR (real mode)
2. Load VBR (real mode)
3. Load ntldr (real mode / protected mode)
4. Load kernel and boot-start drivers

Boot process of post-Windows Vista OS:
1. Load MBR (real mode)
2. Load VBR (real mode)
3. Load bootmgr (real mode / protected mode)
4. Load winload.exe or winresume.exe (real mode / protected mode)
5. Load kernel and boot-start drivers
Code integrity check
Each stage verifies the next: Bootmgr verifies the OS loader; the OS loader verifies the OS kernel, the OS kernel dependencies and the boot-start drivers; the OS kernel verifies the not boot-start kernel-mode drivers.
Boot Configuration Data (BCD)
BCD object types:
- Application: firmware boot manager, Windows boot manager, Windows boot loader, Windows memory tester, Windows resume app, Ntldr, boot sector
- Inheritable
- Device
BCD element types:
- Library
- Application
- Device
BCD example
BCD
  BCD Object1
    BCD Element1
    BCD Element2
  BCD Object2
    BCD Element3
BCD elements controlling KMCSP (before KB2506014)

| BCD option | Description |
| --- | --- |
| BcdLibraryBoolean_DisableIntegrityCheck (0x16000020) | disables kernel-mode code integrity checks |
| BcdOSLoaderBoolean_WinPEMode (0x26000022) | instructs the kernel to be loaded in preinstallation mode, disabling kernel-mode code integrity checks as a byproduct |
| BcdLibraryBoolean_AllowPrereleaseSignatures (0x16000049) | enables test signing |
Subverting KMCSP
o Abusing a vulnerable signed legitimate kernel-mode driver
o Switching off kernel-mode code signing checks by altering BCD data:
  - abuse WinPE mode
  - disable the signing check
  - enable test signing
o Patching bootmgr and the OS loader
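As an added defender's check (my code, not part of the slides and not ESET's TdlFsReader), the following Python scans the text of `bcdedit /enum all` for the three BCD settings in the table above, using bcdedit's friendly names for those elements: `nointegritychecks` (BcdLibraryBoolean_DisableIntegrityCheck), `winpe` (BcdOSLoaderBoolean_WinPEMode) and `testsigning` (BcdLibraryBoolean_AllowPrereleaseSignatures). The sample output is constructed. One caveat the deck itself supplies: TDL4 does not write these options to disk; its int 13h hook substitutes the WinPE option while bootmgr reads the BCD, so the on-disk store of an infected host reads clean. This check therefore covers the "alter BCD data" variants of the attack, and TDL4's in-memory substitution has to be looked for in the running kernel and on the disk tail instead.

```python
"""
Added example: flag BCD entries whose persistent settings weaken the
Kernel-Mode Code Signing Policy, from `bcdedit /enum all` text output.
"""
import re

# Friendly bcdedit names of the three elements from the slide's table.
RISKY_SETTINGS = {
    "nointegritychecks": "kernel-mode code integrity checks disabled",
    "winpe": "WinPE mode: integrity checks disabled as a side effect (before KB2506014)",
    "testsigning": "test-signed kernel-mode code accepted",
}

# Constructed sample of `bcdedit /enum all` output (not captured from a real host).
SAMPLE_BCDEDIT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
default                 {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
locale                  en-US
osdevice                partition=C:
systemroot              \\Windows
nointegritychecks       Yes
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {b0c0f0e0-0000-4000-8000-000000000001}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Recovery entry
testsigning             No
"""

# bcdedit prints "key<two or more spaces>value"; section titles use single spaces and do not match.
KV_RE = re.compile(r"^([A-Za-z]\w*)\s{2,}(.+?)\s*$")


def parse_bcdedit(text):
    """Split bcdedit output into a list of {setting: value} dicts, one per 'identifier'."""
    entries, current = [], None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "identifier":
            current = {"identifier": value}
            entries.append(current)
        elif current is not None:
            current[key] = value
    return entries


def find_kmcsp_weakening(entries):
    """Return (identifier, setting, explanation) for every risky setting that is 'Yes'."""
    findings = []
    for entry in entries:
        for setting, why in RISKY_SETTINGS.items():
            if entry.get(setting, "").strip().lower() == "yes":
                findings.append((entry["identifier"], setting, why))
    return findings


if __name__ == "__main__":
    for ident, setting, why in find_kmcsp_weakening(parse_bcdedit(SAMPLE_BCDEDIT)):
        print(f"{ident}: {setting} = Yes ({why})")
```

On a real host, pipe `bcdedit /enum all` (run elevated) into `parse_bcdedit`; the parser keys on the `identifier` line, so it tolerates the locale-independent layout bcdedit uses for every object type.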
Abusing WinPE mode: TDL4 modules

| Module name | Description |
| --- | --- |
| mbr (infected) | infected MBR: loads the ldr16 module and restores the original MBR in memory |
| ldr16 | hooks the 13h interrupt to disable KMCSP and substitute kdcom.dll with ldr32 or ldr64 |
| ldr32 | reads TDL4's kernel-mode driver from the hidden file system and maps it into the kernel-mode address space |
| ldr64 | implementation of the ldr32 module functionality for 64-bit OS |

int 13h: the service provided by the BIOS to communicate with the IDE HDD controller.
Abusing WinPE mode: workflow
1. Load infected MBR: the infected MBR is loaded and executed.
2. Load "ldr16" from the hidden file system: ldr16 is loaded and executed; it hooks the BIOS int 13h handler and restores the original MBR.
3. The original MBR is loaded and executed: load VBR.
4. The VBR is loaded and executed: load bootmgr.
5. Bootmgr is loaded and executed: read BCD; the int 13h hook substitutes the EmsEnabled option with WinPe.
6. Load winload.exe; the hook distorts the /MININT option.
7. Load ntoskrnl.exe, hal.dll, kdcom.dll, bootvid.dll and so on; the hook substitutes kdcom.dll with "ldr32" or "ldr64".
8. Call KdDebuggerInitialize1 from the loaded kdcom.dll (now ldr32/ldr64).
9. Continue kernel initialization: load "drv32" or "drv64".
MS patch (KB2506014)
o BcdOsLoaderBoolean_WinPEMode no longer influences kernel-mode code integrity checks
o The size of the export directory of kdcom.dll has been changed
Bypassing KMCSP: another attempt
Patch bootmgr and the OS loader (winload.exe) to disable KMCSP.

Bypassing KMCSP: result
Bootmgr fails to verify the OS loader's integrity.
MS10-015 killed TDL3.
Debugging the bootkit with Bochs
Bochs support starting from IDA 5.5
• DEMO
Kernel-mode hooks

Stealing the miniport driver object
Before infection (disk device stack):
- Disk upper filter
- Disk class driver object: Disk FDO (Partition 0), Disk PDO (Partition 1)
- Disk lower filter
- Hard drive upper filter driver object
- Hard drive port/miniport driver object: Disk PDO
- Hard drive lower filter driver object
After infection:
- the TDL4 driver object owns the "real" Disk PDO (stolen objects)
- a fake Disk PDO is left in the miniport driver's place
Driver ObjectBootkit driver
DriverObject
Device Object
DeviceObject
Device Object
Device Object
...DriverObject DriverObject
Device Object
DriverObject
NextDevice
NextDevice
Driver ObjectMiniport driver
...StartIo
...
Device Object
Device Object
Real (Stolen) Device Object
Fake Duplicate Device Object
Stealing Miniport Device Object
![Page 36: Проведение криминалистической экспертизы и анализа руткит-программ на примере TDL4](https://reader035.vdocuments.net/reader035/viewer/2022062319/5575790fd8b42adb7e8b4a60/html5/thumbnails/36.jpg)
SCSI request
block
Bootkit driver hooks
Bootkit driver:call corresponding miniport’s handler
Bootkit driver:Counterfeit data and
complete request
OtherwiseInfected MBR or hidden file system is read/writtern
Filtering Disk Read/Write Requests
o Filtered requests: IOCTL_ATA_PASS_THROUGH_DIRECT IOCTL_ATA_PASS_THROUGH; IRP_MJ_INTERNAL_DEVICE_CONTROL
o To protect: Infected MBR; Hidden file system from being read or overwritten
Debugging the bootkit with WinDbg
WinDbg and kdcom.dll
- NTOSKRNL calls into KDCOM.DLL: KdDebuggerInitialize, KdSendPacket, KdReceivePacket.
- KDCOM.DLL exchanges data packets with WinDbg.
- KdReceivePacket returns KD_RECV_CODE_OK to the kernel (RETURN_STATUS / RETURN_CONTROL paths).
TDL4 and kdcom.dll
- original call vs. fake call: the kernel's calls into kdcom.dll land in ldr32/ldr64
- original export table vs. fake export table
• DEMO
    kd> !object \Device\Harddisk0
    Object: e1022d10  Type: (8a5e54f0) Directory
        ObjectHeader: e1022cf8 (old version)
        HandleCount: 1  PointerCount: 8
        Directory Object: e10116f0  Name: Harddisk0

        Hash Address  Type          Name
        ---- -------  ----          ----
         21  8a5c9ab8 Device        DR0
         24  8a5c8c68 Device        DP(1)0x7e00-0xffea9600+1
         33  e101abe8 SymbolicLink  Partition0
             8a5c88a0 Device        DP(2)0x1748a3fc00-0x1bf0797a00+2
         34  e1011258 SymbolicLink  Partition1
         35  e101a078 SymbolicLink  Partition2

    kd> !devobj \Device\Harddisk0\DR0
    Device object (8a5c9ab8) is for:
     DR0 \Driver\Disk DriverObject 8a5cd730
    Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000050
    Vpb 8a5dafa8 Dacl e101723c DevExt 8a5c9b70 DevObjExt 8a5c9fd0 Dope 8a59ff98
    ExtensionFlags (0000000000)
    AttachedDevice (Upper) 8a5c9890 \Driver\PartMgr
    AttachedTo (Lower) 89fd9028
    89fd9028: is not a device object

    kd> !devstack 8a5c9ab8
      !DevObj   !DrvObj            !DevExt   ObjectName
      8a5c9890  \Driver\PartMgr    8a5c9948
    > 8a5c9ab8  \Driver\Disk       8a5c9b70  DR0
    Invalid type for DeviceObject 0x89fd9028

    kd> dt _DEVICE_OBJECT 0x89fd9028
    ntdll!_DEVICE_OBJECT
       +0x000 Type             : 0n0
       +0x002 Size             : 0xfb8
       +0x004 ReferenceCount   : 0n0
       +0x008 DriverObject     : 0x899574f0 _DRIVER_OBJECT
       +0x00c NextDevice       : 0x8a5ca028 _DEVICE_OBJECT
       +0x010 AttachedDevice   : 0x8a5c9ab8 _DEVICE_OBJECT
       +0x014 CurrentIrp       : (null)
       +0x018 Timer            : (null)
       +0x01c Flags            : 0x5050
       +0x020 Characteristics  : 0x100
       +0x024 Vpb              : (null)
       +0x028 DeviceExtension  : 0x89fd90e0 Void
       +0x02c DeviceType       : 7

    kd> !drvobj 0x899574f0
    Driver object (899574f0) is for:
    899574f0: is not a driver object
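The debugger session above shows why the stolen lower device is invisible to the usual extensions: `!devobj`, `!devstack` and `!drvobj` first validate the object header, and the object at 0x89fd9028 has Type 0 where a genuine DEVICE_OBJECT carries IO_TYPE_DEVICE (3); the DRIVER_OBJECT it points to likewise fails the IO_TYPE_DRIVER (4) check. As an added example (my code, not from the slides and not TdlFsReader), the following Python parses the `dt _DEVICE_OBJECT` dump quoted above and applies those two header checks, plus a generic "does this routine pointer lie inside the owning driver's image" test that is the standard way to spot the StartIo/dispatch hooks described in the previous section. The healthy comparison dump and the image-range values are constructed; the IO_TYPE_* and FILE_DEVICE_DISK constants are the documented ntoskrnl values.

```python
"""
Added example: sanity checks on a parsed DEVICE_OBJECT, mirroring what the
WinDbg extensions verify before printing "is not a device object".
"""
import re

IO_TYPE_DEVICE = 3      # Type field of a genuine DEVICE_OBJECT
IO_TYPE_DRIVER = 4      # Type field of a genuine DRIVER_OBJECT
FILE_DEVICE_DISK = 7    # DeviceType of a disk device object

# The dump from the slide (one field per line, values unchanged).
DT_LOWER_DEVICE = """\
ntdll!_DEVICE_OBJECT
   +0x000 Type             : 0n0
   +0x002 Size             : 0xfb8
   +0x004 ReferenceCount   : 0n0
   +0x008 DriverObject     : 0x899574f0 _DRIVER_OBJECT
   +0x00c NextDevice       : 0x8a5ca028 _DEVICE_OBJECT
   +0x010 AttachedDevice   : 0x8a5c9ab8 _DEVICE_OBJECT
   +0x014 CurrentIrp       : (null)
   +0x018 Timer            : (null)
   +0x01c Flags            : 0x5050
   +0x020 Characteristics  : 0x100
   +0x024 Vpb              : (null)
   +0x028 DeviceExtension  : 0x89fd90e0 Void
   +0x02c DeviceType       : 7
"""

# Constructed dump of a healthy disk device object for comparison (values made up).
DT_HEALTHY_DEVICE = """\
nt!_DEVICE_OBJECT
   +0x000 Type             : 0n3
   +0x002 Size             : 0xb8
   +0x004 ReferenceCount   : 0n1
   +0x008 DriverObject     : 0x8a5cd730 _DRIVER_OBJECT
   +0x00c NextDevice       : (null)
   +0x010 AttachedDevice   : 0x8a5c9890 _DEVICE_OBJECT
   +0x014 CurrentIrp       : (null)
   +0x018 Timer            : (null)
   +0x01c Flags            : 0x50
   +0x020 Characteristics  : 0x100
   +0x024 Vpb              : 0x8a5dafa8 _VPB
   +0x028 DeviceExtension  : 0x8a5c9b70 Void
   +0x02c DeviceType       : 7
"""

# "+0x00c NextDevice : 0x8a5ca028 _DEVICE_OBJECT" -> name "NextDevice", raw "0x8a5ca028"
FIELD_RE = re.compile(r"^\s*\+0x[0-9a-fA-F]+\s+(\w+)\s*:\s*(\S+)")


def parse_dt(text):
    """Map each dt field name to an int, or None for '(null)'. '0nNN' is WinDbg decimal."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw == "(null)":
            fields[name] = None
        elif raw.startswith("0n"):
            fields[name] = int(raw[2:], 10)
        else:
            fields[name] = int(raw, 0)   # 0x-prefixed hex or plain decimal
    return fields


def check_device_object(dev, driver_type=None):
    """Return findings for one parsed DEVICE_OBJECT.

    driver_type is the Type field of the object DriverObject points to, when
    the analyst has read it; the slide's !drvobj failure means it was not 4.
    """
    findings = []
    if dev.get("Type") != IO_TYPE_DEVICE:
        findings.append(f"Type={dev.get('Type')} but a DEVICE_OBJECT has Type={IO_TYPE_DEVICE}")
    if driver_type is not None and driver_type != IO_TYPE_DRIVER:
        findings.append(f"DriverObject {dev.get('DriverObject'):#x} has Type={driver_type}, "
                        f"not IO_TYPE_DRIVER={IO_TYPE_DRIVER}")
    return findings


def routine_in_image(addr, image_base, image_size):
    """True when a StartIo/dispatch pointer lies inside the driver image that should own it.

    A pointer outside the miniport's image (for example into memory the bootkit mapped
    itself) is the classic hook indicator.
    """
    return image_base <= addr < image_base + image_size


if __name__ == "__main__":
    lower = parse_dt(DT_LOWER_DEVICE)
    print(f"lower device DeviceType={lower['DeviceType']} (disk={lower['DeviceType'] == FILE_DEVICE_DISK})")
    for finding in check_device_object(lower, driver_type=0):   # 0: constructed, slide does not show it
        print("finding:", finding)
```

Note that the dump still reports DeviceType 7 (FILE_DEVICE_DISK) and a plausible Flags value: the object was copied from a real disk device object, so only the header fields the debugger validates give it away, which is why a live-kernel check should verify the header rather than trust the symbolic output.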
TDL hidden file system
TDL's hidden storage
o Reserved space at the end of the hard drive (not visible at the file-system level of analysis)
o Encrypted contents (stream cipher: RC4, XOR-ing)
o Implemented as a hidden volume in the system
o Can be accessed by standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)
TDL3/TDL3+ rootkit device stack
- TDL3 driver object -> TDL3 physical device object \Device\XXXXXXXX (its DriverObject field points back to the TDL3 driver object)
- XXXXXXXX: random 8-character ASCII string
- Paths to the hidden storage:
  - \\?\globalroot\device\XXXXXXXX\YYYYYYYY\file_name for user-mode components
  - \device\XXXXXXXX\YYYYYYYY\file_name for kernel-mode components
TDL4 device stack
- TDL4 physical device object, named \Device\XXXXXXXX (XXXXXXXX: random 32-bit hexadecimal integer)
- TDL4 volume device object, unnamed
- Volume parameter block (Vpb) links the two: DeviceObject -> volume device object, RealDevice -> physical device object
- Driver objects involved: \Driver\PnpManager and the TDL4 driver object
TDL4 file system layout
[Infected MBR: one sector] [Disk partitions] [TDL4 hidden FS: variable length, not more than 8 MB, starting from the last sector of the disk and growing toward its beginning]
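As an added forensic example (my code, not from the slides and not ESET's TdlFsReader), the following Python parses a raw 512-byte MBR from a disk image, hashes only the bootstrap-code region so it can be compared against a known-good copy (the original sector that TDL4 itself keeps as its `mbr` module, or a reference MBR from the same OS build), and measures the unpartitioned tail of the disk where the hidden file system is reserved, returning the byte range an analyst would carve given the "not more than 8 MB" bound above. The sample sector and the disk size are constructed. One caveat that follows from the earlier hooking slides: on a live infected host the hooked miniport counterfeits reads of both the MBR and the hidden FS, so this has to run on an image taken offline or on sectors read below the hook, which is why TdlFsReader carries its own LowLevelHddReader and TdlUnHooker components.

```python
"""
Added example: MBR parsing and disk-tail measurement for TDL4-style hidden
storage. Classic MBR layout: 440 bytes of bootstrap code, a 4-byte disk
signature at 0x1B8, 2 reserved bytes, four 16-byte partition entries at
0x1BE, and the 0x55AA boot signature at 0x1FE.
"""
import hashlib
import struct

SECTOR = 512
MBR_CODE_LEN = 440
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 0x1FE
TDL4_MAX_FS_BYTES = 8 * 1024 * 1024   # "variable length, not more than 8 MB" (slide)


def parse_mbr(sector: bytes) -> dict:
    """Parse one MBR sector into a code hash, the disk signature and the used partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    if struct.unpack_from("<H", sector, BOOT_SIG_OFF)[0] != 0xAA55:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 or count == 0:
            continue   # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "start_lba": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:MBR_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def disk_tail(parsed: dict, total_sectors: int) -> dict:
    """Describe the unpartitioned region after the last partition, where TDL4 reserves its FS.

    carve_offset/carve_length cover the last 8 MiB of the disk, clipped to the gap,
    which is the most the hidden FS can occupy according to the slide.
    """
    end = max((p["start_lba"] + p["sectors"] for p in parsed["partitions"]), default=0)
    gap = max(total_sectors - end, 0)
    total_bytes = total_sectors * SECTOR
    carve_offset = max(total_bytes - TDL4_MAX_FS_BYTES, end * SECTOR)
    return {
        "first_unused_lba": end,
        "sectors": gap,
        "bytes": gap * SECTOR,
        "carve_offset": carve_offset,
        "carve_length": total_bytes - carve_offset,
    }


def mbr_code_changed(reference: bytes, current: bytes) -> bool:
    """Compare only the bootstrap code; partition table and disk signature may legitimately differ."""
    return reference[:MBR_CODE_LEN] != current[:MBR_CODE_LEN]


def build_sample_mbr(code: bytes = b"\xeb\xfe") -> bytes:
    """Constructed MBR: a tiny code stub, disk signature 0x12345678 and one bootable NTFS partition."""
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x12345678)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 20_000_000)
    struct.pack_into("<H", sector, BOOT_SIG_OFF, 0xAA55)
    return bytes(sector)


# Constructed disk size: leaves exactly 8 MiB (16384 sectors) after the single partition.
SAMPLE_TOTAL_SECTORS = 63 + 20_000_000 + 16_384


if __name__ == "__main__":
    reference = build_sample_mbr()
    suspect = build_sample_mbr(code=b"\xeb\xfe\x90")   # same table, altered code: "infected" stand-in
    parsed = parse_mbr(suspect)
    print("bootstrap code changed:", mbr_code_changed(reference, suspect))
    print("partitions:", parsed["partitions"])
    print("tail:", disk_tail(parsed, SAMPLE_TOTAL_SECTORS))
```

On a real image, read `total_sectors` from the image size (or the device's geometry) and pass `f.read(512)` from offset 0 as the sector; the returned `carve_offset` and `carve_length` delimit the bytes to extract before the RC4/XOR layer described on the hidden-storage slide is dealt with.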
TdlFsReader as a forensic tool

TdlFsReader architecture
User mode:
- TdlFileReader
Kernel mode:
- TdlFsRecognizer
- TdlFsDecryptor
- TdlSelfDefenceDisabler
- LowLevelHddReader
TdlFsReader architecture (components)
- TdlFsRecognizer: FsCheckVersion, FsStructureParser
- TdlFsDecryptor: TdlCheckVersion, TdlDecryptor
- TdlSelfDefenceDisabler: TdlUnHooker
- LowLevelHddReader: HddBlockReader
• DEMO
References
- "The Evolution of TDL: Conquering x64", http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf
- "Rooting about in TDSS", http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf
- "TDL3: The Rootkit of All Evil?", http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf
- Follow the ESET Threat Blog: http://blog.eset.com
Questions

Thank you for your attention ;)
Aleksandr Matrosov: [email protected], @matrosov
Eugene Rodionov: [email protected], @vxradius
The "Best Reverser" contest has already started!
- Register at the contest booth
- Download the crackme: phd.esetnod32.ru
- Send the keys and a short description of how you solved it by email:
- Win prizes:
1. Amazon Kindle DX
2. Amazon Kindle 3 Wi-Fi
3. ESET Smart Security (3 years)