Return to search

Ghost in the Shell: A Counter-intelligence Method for Spying while Hiding in (or from) the Kernel with APCs

Advanced malicious software threats have become commonplace in cyberspace, with large scale cyber threats exploiting consumer, corporate and government systems on a constant basis. Regardless of the target, upon successful infiltration into a target system an attacker will commonly deploy a backdoor to maintain persistent access as well as a rootkit to evade detection on the infected machine. If the attacked system has access to classified or sensitive material, virus eradication may not be the best response. Instead, a counter-intelligence operation may be initiated to track the infiltration back to its source. It is important that the counter-intelligence operations are not detectable by the infiltrator.

Rootkits can not only hide malware, they can also hide the detection and analysis operations of the defenders from malware. This thesis presents a rootkit based on Asynchronous Procedure Calls (APC). This allows the counter-intelligence software to exist inside the kernel and avoid detection. Two techniques are presented to defeat current detection methods: Trident, using a kernel-mode driver to inject payloads into the user-mode address space of processes, and Sidewinder, moving rapidly between user-mode threads without intervention from any kernel-mode controller.

Finally, an implementation of the explored techniques is discussed. The Dark Knight framework is outlined, explaining the loading process that employs Master Boot Record (MBR) modifications and the primary driver that enables table hooking, kernel object manipulation, virtual memory subversion, payload injection, and subterfuge. A brief overview of Host-based Intrusion Detection Systems is also presented to outline how the Dark Knight system can be used in conjunction with for immediate reactive investigations. / Thesis (Master, Computing) -- Queen's University, 2012-10-18 09:54:09.678

Identiferoai:union.ndltd.org:LACETR/oai:collectionscanada.gc.ca:OKQ.1974/7605
Date18 October 2012
CreatorsAlexander, Jason
ContributorsQueen's University (Kingston, Ont.). Theses (Queen's University (Kingston, Ont.))
Source SetsLibrary and Archives Canada ETDs Repository / Centre d'archives des thèses électroniques de Bibliothèque et Archives Canada
LanguageEnglish, English
Detected LanguageEnglish
TypeThesis
RightsThis publication is made available by the authority of the copyright owner solely for the purpose of private study and research and may not be copied or reproduced except as permitted by the copyright laws without written authority from the copyright owner.
RelationCanadian theses

Page generated in 0.0019 seconds