I have been reading up on rootkits lately and came across this short introductory paper: Inside Windows Rootkits.pdf. It introduced me to a rootkit-hiding method, or rather a line of thinking, that was quite novel (to me, at least), called Shadow Walker. Below is the introduction, though it is in English, :P
Shadow walker
While kernel-level rootkits have generally focused on hiding processes, files, and registry keys,
there is one resource that rootkits have not traditionally aimed to hide: memory. For rootkits, this
is a serious flaw, because it opens up the opportunity to detect them by scanning memory. At
BlackHat USA 2005, Jamie Butler and Sherri Sparks presented Shadow Walker, a rootkit that
aims to control the view that the operating system has on certain memory regions in a manner
that allows a rootkit to hide itself in memory [22]. The goal of Shadow Walker is to give a benign
view of memory regions that contain the rootkit whenever a request is made to read the memory,
but to give the true view of the rootkit whenever a request is made to execute code in the
memory. In this way, when a scanner reads the memory to compare it to signatures, the scanner
does not see the rootkit’s code.
To accomplish this, Shadow Walker marks all of the rootkit’s memory as being paged out to disk,
causing a page fault to occur whenever the memory is accessed. It then hooks the page fault
handler with code that determines whether the request was made to read the memory or execute
it. Depending on the nature of the request, Shadow Walker can either point to physical memory
holding the rootkit code, or physical memory holding benign data.
There are a number of ways to detect the presence of Shadow Walker. For example, its page
fault handler hook is implemented as an IDT hook, which, as discussed earlier, can be detected.
Also, rootkit code is almost always in non-paged memory, which cannot be paged out. Shadow
Walker marks this non-paged memory as being paged out, which is a sign of its presence. Still,
Shadow Walker is a clever concept, and it adds yet another place to focus when attempting to
detect rootkits on a compromised system.
Roughly, the idea is this: no matter how a rootkit hides, it always leaves traces in memory, so the hiding has to start from memory itself. The rootkit's executable code is placed in paged memory, so that any attempt to read, write or execute that code raises a page fault and control passes to the corresponding handler; that handler is what gets hooked. Only when the request is to execute the code does the rootkit show its true, original form; for every other access, in particular reading the code page, the handler points to a fake memory page, so the rootkit is not discovered (assuming rootkits are detected by signature). The last paragraph above can be ignored; it says there are still many ways to detect such a rootkit, because it has to install a hook, but the idea itself is very good!
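The two detection ideas in the quoted paragraph (the #PF hook sitting in the IDT, and non-paged pages marked not-present) can be checked mechanically. The following is an added example, not code from the paper or from the Shadow Walker authors: it models a 32-bit non-PAE x86 IDT gate and page-table entry on constructed data with hypothetical addresses, and runs both checks over them. On a real system the IDT base comes from `sidt` and the PTEs from the page tables of the range being inspected, which needs a driver; the PTE check is only meaningful for a range the inspector already knows is allocated from non-paged memory, since unallocated non-paged pool addresses are legitimately unmapped.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Detection heuristics for a Shadow Walker style page-fault hook, run over
 * constructed data (not real kernel structures read from a live system).
 */

/* x86 32-bit (non-PAE) page-table entry: bit 0 is the Present flag. */
#define PTE_PRESENT   0x00000001u
#define PTE_WRITABLE  0x00000002u

/* x86 32-bit IDT gate descriptor (8 bytes), as laid out by the CPU. */
typedef struct {
    uint16_t offset_low;
    uint16_t selector;
    uint8_t  zero;
    uint8_t  type_attr;
    uint16_t offset_high;
} idt_gate_t;

#define IDT_VECTOR_PF 14   /* #PF, the page-fault vector */

/* Reassemble the 32-bit handler address from the split gate fields. */
uint32_t idt_gate_handler(const idt_gate_t *g)
{
    return ((uint32_t)g->offset_high << 16) | g->offset_low;
}

/* Check 1: the #PF handler should live inside the kernel image. Anything
 * outside [kernel_base, kernel_base + kernel_size) is a hook candidate. */
int pf_handler_hooked(const idt_gate_t *idt, uint32_t kernel_base, uint32_t kernel_size)
{
    uint32_t handler = idt_gate_handler(&idt[IDT_VECTOR_PF]);
    return !(handler >= kernel_base && handler < kernel_base + kernel_size);
}

/* Check 2: count PTEs, in a range the caller knows is allocated from
 * non-paged memory, that are nevertheless marked not-present. Such pages
 * cannot legitimately be paged out, so every hit is an anomaly. */
size_t count_absent_nonpaged(const uint32_t *ptes, size_t n)
{
    size_t absent = 0;
    for (size_t i = 0; i < n; i++)
        if ((ptes[i] & PTE_PRESENT) == 0)
            absent++;
    return absent;
}

/* ---- constructed sample data (hypothetical addresses) ---- */
#define KERNEL_BASE 0x80400000u   /* hypothetical kernel image base */
#define KERNEL_SIZE 0x00200000u   /* hypothetical kernel image size */

/* Build a 256-entry IDT whose #PF gate points at the given handler. */
static void fill_idt(idt_gate_t *idt, uint32_t pf_handler)
{
    for (int v = 0; v < 256; v++) {
        uint32_t h = KERNEL_BASE + 0x1000u * (uint32_t)v;   /* in-image stubs */
        if (v == IDT_VECTOR_PF)
            h = pf_handler;
        idt[v].offset_low  = (uint16_t)(h & 0xFFFFu);
        idt[v].selector    = 0x08;    /* kernel code segment selector */
        idt[v].zero        = 0;
        idt[v].type_attr   = 0x8E;    /* present, DPL 0, 32-bit interrupt gate */
        idt[v].offset_high = (uint16_t)(h >> 16);
    }
}

/* hooked != 0: #PF gate redirected to a hypothetical driver address. */
int demo_pf_hook(int hooked)
{
    idt_gate_t idt[256];
    uint32_t target = hooked ? 0xF7C01000u              /* hypothetical driver */
                             : KERNEL_BASE + 0x0E000u;  /* inside the image */
    fill_idt(idt, target);
    return pf_handler_hooked(idt, KERNEL_BASE, KERNEL_SIZE);
}

/* Four PTEs of a constructed non-paged region; two have Present cleared,
 * the way Shadow Walker marks the pages whose faults it wants to intercept. */
size_t demo_absent_pages(void)
{
    uint32_t ptes[4] = {
        0x01A3B000u | PTE_PRESENT | PTE_WRITABLE,
        0x01A3C000u | PTE_WRITABLE,               /* Present bit cleared */
        0x01A3D000u | PTE_PRESENT | PTE_WRITABLE,
        0x01A3E000u | PTE_WRITABLE,               /* Present bit cleared */
    };
    return count_absent_nonpaged(ptes, 4);
}

int main(void)
{
    printf("#PF handler hooked (clean IDT):  %d\n", demo_pf_hook(0));
    printf("#PF handler hooked (hooked IDT): %d\n", demo_pf_hook(1));
    printf("non-paged PTEs marked absent:    %zu\n", demo_absent_pages());
    return 0;
}
```

Both checks are inexpensive and do not read the hidden pages themselves, so they are not affected by the fake view the hook returns for read requests; the hook is inferred from where the handler lives and from the paging state that non-paged memory should never be in.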
So if MH ever moves into a driver, hoho, the number of options becomes quite large~~~