This document analyzes Linux kernel-module rootkits, focusing on the implementation of WNPS, a rootkit based on IDT hooking.
Rootkit ..................................................... 3
WNPS test run ............................................... 4
  test env .................................................. 4
  compile and install ....................................... 4
  client run ................................................ 4
WNPS explained .............................................. 6
  WNPS features ............................................. 6
  WNPS in general ........................................... 6
  classic system call and sys_call_table .................... 7
  fast system call - sysenter (Intel)/syscall (AMD) and sysexit  8
    registers ............................................... 8
    criteria on fast system call ............................ 8
  hook the IDT/sysenter handler ............................. 9
  hide ..................................................... 10
    hide the module itself ................................. 11
    hide file and process .................................. 11
    hide port .............................................. 12
  network backdoor ......................................... 12
    filtering network packet ............................... 12
    starting the shell ..................................... 13