このページの2つのバージョン間の差分を表示します。
| 両方とも前のリビジョン 前のリビジョン 次のリビジョン | 前のリビジョン 次のリビジョン 両方とも次のリビジョン | ||
|
malware:vmsetting [2012/11/26 09:21] kikuzou |
malware:vmsetting [2012/11/27 06:07] kikuzou |
||
|---|---|---|---|
| 行 40: | 行 40: | ||
| ===== Hacker Defender rootkit ===== | ===== Hacker Defender rootkit ===== | ||
| - | * comming soon... | + | * 指定したファイル/ |
| + | * 現在は配布されていない模様 | ||
| + | * 以下設定ファイル(hide.ini)で hxdef100.exe を実行する | ||
| + | < | ||
| + | hxdef100.exe hide.ini | ||
| + | </ | ||
| + | |||
| + | < | ||
| + | [Hidden Table] | ||
| + | hxd* | ||
| + | vmu* | ||
| + | vmt* | ||
| + | vmw* | ||
| + | tools* | ||
| + | procexp* | ||
| + | ollydbg* | ||
| + | |||
| + | [Root Processes] | ||
| + | hxd* | ||
| + | vmu* | ||
| + | vmt* | ||
| + | vmw* | ||
| + | tools* | ||
| + | procexp* | ||
| + | ollydbg* | ||
| + | |||
| + | [Hidden Services] | ||
| + | HackerDefender100 | ||
| + | vmu* | ||
| + | vmt* | ||
| + | vmw* | ||
| + | procexp* | ||
| + | |||
| + | [Hidden RegKeys] | ||
| + | VMware, Inc. | ||
| + | Sysinternals | ||
| + | |||
| + | [Hidden RegValues] | ||
| + | vmu* | ||
| + | vmt* | ||
| + | vmw* | ||
| + | |||
| + | [Startup Run] | ||
| + | |||
| + | [Free Space] | ||
| + | |||
| + | [Hidden Ports] | ||
| + | |||
| + | [Settings] | ||
| + | Password=infected | ||
| + | BackdoorShell=cmd.exe | ||
| + | FileMappingName=_.-=[Hacker Defender]=-._ | ||
| + | ServiceName=HackerDefender100 | ||
| + | ServiceDisplayName=HXD Service 100 | ||
| + | ServiceDescription=NT rootkit | ||
| + | DriverName=HackerDefenderDrv100 | ||
| + | DriverFileName=hxdefdrv.sys | ||
| + | |||
| + | [Comments] | ||
| + | </ | ||
| + | |||
| + | ===== 参考情報:ScoopyNG - The VMware Detection Tool ===== | ||
| + | * [[http:// | ||
| + | * 仮想OS上で、VMware環境か検知するツール | ||
| + | |||
| + | ==== 上記3つの対策を施した上で実行した結果 ==== | ||
| + | * 「Test 7: VMware emulation mode」で検知されてしまう。 | ||
| + | * Derek Soeder' | ||
| + | |||
| + | < | ||
| + | #################################################### | ||
| + | :: | ||
| + | :: Windows version v1.0 :: | ||
| + | |||
| + | [+] Test 1: IDT | ||
| + | IDT base: 0x8003f400 | ||
| + | Result | ||
| + | |||
| + | |||
| + | [+] Test 2: LDT | ||
| + | LDT base: 0xdead0000 | ||
| + | Result | ||
| + | |||
| + | |||
| + | [+] Test 3: GDT | ||
| + | GDT base: 0x8003f000 | ||
| + | Result | ||
| + | |||
| + | |||
| + | [+] Test 4: STR | ||
| + | STR base: 0x28000000 | ||
| + | Result | ||
| + | |||
| + | |||
| + | [+] Test 5: VMware "get version" | ||
| + | Result | ||
| + | |||
| + | |||
| + | [+] Test 6: VMware "get memory size" command | ||
| + | Result | ||
| + | |||
| + | |||
| + | [+] Test 7: VMware emulation mode | ||
| + | Result | ||
| + | |||
| + | :: | ||
| + | :: [ www.trapkit.de ] :: | ||
| + | #################################################### | ||
| + | </ | ||