
Document: 对实施初等教育、中等教育的民办学校.ppt (listed title: "On private schools providing primary and secondary education")

Published: 2017-11-10, about 2.87 thousand characters, 25 pages
BlackHat Windows Security 2004
Data Hiding on a Live System

Purpose
- Present/discuss different techniques for hiding data on LIVE systems (NTFS)
- Address methods of preventing and detecting this activity

What is NOT covered?
- Maintenance tracks, boot sector, file slack, etc.

What is being hidden?
- Data: text, output of commands (samdump, etc.)
- Executables: programs, games, rootkits

Who are we hiding it from?
- Other users
- Administrators
- Investigators/forensics analysts

Altering files

File Changes
- Name
- Extension: information regarding extensions and associations is maintained in the Registry (‘assoc’ command)
- File Signature (this is NOT a hash)

Altering Names/Extensions

Altering file signatures
- First 20 bytes of the file
- Change JFIF/GIF89a in graphics file to something else
- Executables (.exe, .dll, .sys, .ocx, .scr) begin w/ “MZ”
- Sigs.pl performs signature analysis

DOS Attributes
- Attrib command
- Explorer settings
- dir switch (dir /a[:h])
- Perl ignores (opendir/readdir, glob)
- hfind.exe (FoundStone)

File Splitting
- Almost as old as DOS
- Many programs available
- Malicious uses

“touching” files
- Alter the creation, last access, last modification dates
- touch in Unix
- Microsoft SetFileTime() API
- Used to hide from search tools
- dir /t[:a]
- afind.exe (FoundStone)
- macmatch.exe (NTSecurity.nu)

File Binding
- Elite Wrap
- Saran Wrap, Silk Rope

OLE/COM
- MS OLE/COM API
- “Structured Storage”, “Compound files”
- “File system within a file”
- MergeStreams Demo
- May discover using “strings” or “grep”
- wd.exe

NTFS Alternate Data Streams
- NTFS4 (NT) and NTFS5 (2K)
- Creating
- Using
- Running executables hidden in ADSs
- NTFS4 vs. NTFS5

Creating ADSs
- Type command: Type notepad.exe myfile.txt:np.exe
- Cp.exe from Resource Kit
- Bind to file or directory listing: Notepad myfile.txt:hidden.txt, Notepad :hidden.txt

Executing ADSs
- Running executables hidden in ADSs
- Native methods
- NTFS4 - ‘start’ (FoundStone)
- NTFS5 - several methods

Detecting ADSs
- lads.exe, by Frank Heyne (heysoft.de)
- sfind.exe (FoundSt
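Signature analysis of the kind the “Altering file signatures” slide attributes to Sigs.pl, written here as an added Python example (not code from the deck or from this site): it reads the leading bytes of each file, matches them against a small table of well-known signatures (MZ, JFIF and GIF89a from the slides, plus PNG and PDF as my own additions) and reports files whose extension disagrees with their content. The sample files used to exercise it are constructed.

```python
import os

# Magic bytes -> (type name, extensions that legitimately carry it).
# MZ, JPEG/JFIF and GIF89a are the cases the slides name; PNG and PDF are
# added here as further well-known signatures (not from the deck).
SIGNATURES = {
    b"MZ": ("PE executable", {".exe", ".dll", ".sys", ".ocx", ".scr"}),
    b"\xff\xd8\xff": ("JPEG/JFIF", {".jpg", ".jpeg"}),
    b"GIF87a": ("GIF", {".gif"}),
    b"GIF89a": ("GIF", {".gif"}),
    b"\x89PNG\r\n\x1a\n": ("PNG", {".png"}),
    b"%PDF": ("PDF", {".pdf"}),
}
HEADER_LEN = 20  # the slides' "first 20 bytes"


def identify(header):
    """Return (type name, allowed extensions) for a file header, or None if unknown."""
    for magic, info in SIGNATURES.items():
        if header.startswith(magic):
            return info
    return None


def check_header(name, header):
    """Classify one file by its name and leading bytes: 'ok', 'mismatch' or 'unknown'."""
    ext = os.path.splitext(name)[1].lower()
    found = identify(header)
    if found is None:
        return "unknown"  # no signature to compare against, so not a finding
    _kind, allowed = found
    return "ok" if ext in allowed else "mismatch"


def scan_dir(root):
    """Walk a tree; return {path: type name} for every extension/signature mismatch."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                header = fh.read(HEADER_LEN)
            if check_header(fname, header) == "mismatch":
                findings[path] = identify(header)[0]
    return findings


if __name__ == "__main__":
    import sys
    for path, kind in scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: content looks like {kind}, extension says otherwise")
```

A renamed extension changes nothing in the first 20 bytes, so a disguised executable or image still shows up; only an attacker who also patches the header (the slide's "change JFIF/GIF89a to something else") drops into the "unknown" bucket, which is why unknown-signature files still deserve a look.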