NDLTD Global ETD Search
  • Refine Query
  • Source
  • Publication year
  • to
  • Language
  • 1
  • Tagged with
  • 1
  • 1
  • 1
  • 1
  • 1
  • 1
  • 1
  • 1
  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.

Search results

Showing 1 to 1 of 1 (0.088 seconds)

Spelling suggestions: "subject:"asynchronous procedure walls""

1

Ghost in the Shell: A Counter-intelligence Method for Spying while Hiding in (or from) the Kernel with APCs

Alexander, Jason 18 October 2012 (has links)
Advanced malicious software threats have become commonplace in cyberspace, with large scale cyber threats exploiting consumer, corporate and government systems on a constant basis. Regardless of the target, upon successful infiltration into a target system an attacker will commonly deploy a backdoor to maintain persistent access as well as a rootkit to evade detection on the infected machine. If the attacked system has access to classified or sensitive material, virus eradication may not be the best response. Instead, a counter-intelligence operation may be initiated to track the infiltration back to its source. It is important that the counter-intelligence operations are not detectable by the infiltrator. Rootkits can not only hide malware, they can also hide the detection and analysis operations of the defenders from malware. This thesis presents a rootkit based on Asynchronous Procedure Calls (APC). This allows the counter-intelligence software to exist inside the kernel and avoid detection. Two techniques are presented to defeat current detection methods: Trident, using a kernel-mode driver to inject payloads into the user-mode address space of processes, and Sidewinder, moving rapidly between user-mode threads without intervention from any kernel-mode controller. Finally, an implementation of the explored techniques is discussed. The Dark Knight framework is outlined, explaining the loading process that employs Master Boot Record (MBR) modifications and the primary driver that enables table hooking, kernel object manipulation, virtual memory subversion, payload injection, and subterfuge. A brief overview of Host-based Intrusion Detection Systems is also presented to outline how the Dark Knight system can be used in conjunction with for immediate reactive investigations. / Thesis (Master, Computing) -- Queen's University, 2012-10-18 09:54:09.678
asynchronous procedure calls
reverse engineering
software engineering
computer science

Page generated in 0.092 seconds