This shows the differences between two versions of this page.
malware:vmsetting [2012/11/26 09:21] kikuzou
malware:vmsetting [2012/11/27 06:07] kikuzou
行 40: | 行 40: | ||
===== Hacker Defender rootkit ===== | ===== Hacker Defender rootkit ===== | ||
- | * comming soon... | + | * 指定したファイル/ |
+ | * 現在は配布されていない模様 | ||
+ | * 以下設定ファイル(hide.ini)で hxdef100.exe を実行する | ||
+ | < | ||
+ | hxdef100.exe hide.ini | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | [Hidden Table] | ||
+ | hxd* | ||
+ | vmu* | ||
+ | vmt* | ||
+ | vmw* | ||
+ | tools* | ||
+ | procexp* | ||
+ | ollydbg* | ||
+ | |||
+ | [Root Processes] | ||
+ | hxd* | ||
+ | vmu* | ||
+ | vmt* | ||
+ | vmw* | ||
+ | tools* | ||
+ | procexp* | ||
+ | ollydbg* | ||
+ | |||
+ | [Hidden Services] | ||
+ | HackerDefender100 | ||
+ | vmu* | ||
+ | vmt* | ||
+ | vmw* | ||
+ | procexp* | ||
+ | |||
+ | [Hidden RegKeys] | ||
+ | VMware, Inc. | ||
+ | Sysinternals | ||
+ | |||
+ | [Hidden RegValues] | ||
+ | vmu* | ||
+ | vmt* | ||
+ | vmw* | ||
+ | |||
+ | [Startup Run] | ||
+ | |||
+ | [Free Space] | ||
+ | |||
+ | [Hidden Ports] | ||
+ | |||
+ | [Settings] | ||
+ | Password=infected | ||
+ | BackdoorShell=cmd.exe | ||
+ | FileMappingName=_.-=[Hacker Defender]=-._ | ||
+ | ServiceName=HackerDefender100 | ||
+ | ServiceDisplayName=HXD Service 100 | ||
+ | ServiceDescription=NT rootkit | ||
+ | DriverName=HackerDefenderDrv100 | ||
+ | DriverFileName=hxdefdrv.sys | ||
+ | |||
+ | [Comments] | ||
+ | </ | ||
+ | |||
+ | ===== 参考情報:ScoopyNG - The VMware Detection Tool ===== | ||
+ | * [[http:// | ||
+ | * 仮想OS上で、VMware環境か検知するツール | ||
+ | |||
+ | ==== 上記3つの対策を施した上で実行した結果 ==== | ||
+ | * 「Test 7: VMware emulation mode」で検知されてしまう。 | ||
+ | * Derek Soeder' | ||
+ | |||
+ | < | ||
+ | #################################################### | ||
+ | :: | ||
+ | :: Windows version v1.0 :: | ||
+ | |||
+ | [+] Test 1: IDT | ||
+ | IDT base: 0x8003f400 | ||
+ | Result | ||
+ | |||
+ | |||
+ | [+] Test 2: LDT | ||
+ | LDT base: 0xdead0000 | ||
+ | Result | ||
+ | |||
+ | |||
+ | [+] Test 3: GDT | ||
+ | GDT base: 0x8003f000 | ||
+ | Result | ||
+ | |||
+ | |||
+ | [+] Test 4: STR | ||
+ | STR base: 0x28000000 | ||
+ | Result | ||
+ | |||
+ | |||
+ | [+] Test 5: VMware "get version" | ||
+ | Result | ||
+ | |||
+ | |||
+ | [+] Test 6: VMware "get memory size" command | ||
+ | Result | ||
+ | |||
+ | |||
+ | [+] Test 7: VMware emulation mode | ||
+ | Result | ||
+ | |||
+ | :: | ||
+ | :: [ www.trapkit.de ] :: | ||
+ | #################################################### | ||
+ | </ | ||
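Review bot: the pasted ScoopyNG output in this hunk has lost every `Result` value (each `Result` line is empty) and the bare `<` / `</` lines around the three blocks look like truncated `<code>` / `</code>` wrappers, so the added section does not actually show which tests fired beyond the bullet about Test 7; suggest re-pasting the complete tool output and checking the rendered page, and the same goes for the cut-off `[[http://` link and the `Derek Soeder'` sentence. Also, the `[Settings]` block enables the rootkit's backdoor shell (`BackdoorShell=cmd.exe`) guarded only by `Password=infected`, while `[Hidden Ports]` is left empty; a sentence noting that this leaves a live backdoor on the analysis VM, and that the VM should stay on an isolated network and be reverted from snapshot after each run, would help readers who copy this hide.ini as-is.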