首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全工具>后门程序>软件详细
软件名称:  eeyebootroot.zip
文件类型:  
界面语言:  简体中文
软件类型:  国产软件
运行环境:  WinNT/2K/Xp
授权方式:  共享软件
软件大小:  80K
软件等级:  ★★★★☆
发布时间:  2005-09-09
官方网址: http://www.eeye.com 作者:vitter
演示网址:
软件说明:  
一个NT BootRootkit 原型和相关PPT资料。

文件列表:

demrsod2.asm
demrsod2.bin
ebrk.asm
ebrk.img
ebrk.iso
eeyebootroot.ppt
readme.txt

下面来自压缩包中的README:

[READ ME]

This text is a quick introduction to the eEye BootRoot project and the eEye BootRootKit network kernel backdoor.  For much more information, please refer to the slides (eeyebootroot.ppt).


[ENCLOSED FILES]

The eEye BootRootKit NDIS backdoor is a demonstration of boot-time Windows kernel subversion technology.  The assembly source code (ebrk.asm) was written for use with MASM 6.11.  It comes in pre-packaged executable form as a floppy disk image (ebrk.img) and as a CD-ROM ISO-9660 image (ebrk.iso).

Note that the ISO is bare-bones and does not contain a file system, only a boot sector.  If you burn it to disc, it will for the most part appear to be a blank CD.

We've also included the source for a very simple demonstration packet (demrsod2.asm), and a compiled binary file (demrsod2.bin) to be used with netcat ("nc -u").


[OVERVIEW]

eEye BootRoot is a project presented at Black Hat USA 2005 by Derek Soeder and Ryan Permeh of eEye Digital Security.  The goal was to explore *and* *implement* technology that custom boot sector code could use to subvert the Windows NT-family kernel as it loads.  To our knowledge, such technology had not previously been publicly demonstrated.

eEye BootRootKit is a manifestation of this technology -- a removable-media boot sector that situates itself to regain execution later, as Windows is loading, and then seamlessly continues the boot sequence from hard drive 0.  The basic concept employed is to hook INT 13h and "virtually patch" the Windows OS loader as it's read from disk, then leverage this patch to hook into NDIS.SYS after it has been loaded into memory and validated.

The hook function's purpose is simple: scan all incoming Ethernet frames for a signature in a specific location, and execute code (with kernel privileges) from any matching frame.  The RSoD2 demo gives a very simple display of this capability, by patching NTOSKRNL.EXE in memory and causing a "red screen of death" kernel crash.  Try sending the packet to a closed UDP port on a firewalled machine running BootRootKit, or use the broadcast address!


[FREQUENTLY ASKED QUESTIONS]

Q: Why is it "eEye BootRoot"?

A: Someone else is already using the "BootRoot", so we wanted the distinction to be absolutely clear.


Q: How does it work?

A: Please refer to the slides (eeyebootroot.ppt) included in this package.  They were written to cover every detail and even provide some handy reference material in case you're interested in producing a derivative work, or writing your own.


Q: Is BootRootKit a virus?

A: No, it does not modify the contents of the hard drive, nor any other non-volatile storage.  And before you even ask, it only hooks NDIS.SYS to monitor incoming packets, so no, it does not send any traffic from the system on which it's running.


Q: From what other media could BootRootKit load?

A: Theoretically, any boot media.  We haven't experimented with bootable USB drives, although we do have a working PXE BOOTP/TFTP server for serving up BootRootKit which we're not releasing at this time.  BootRootKit could of course be modified to exist as a replacement hard drive MBR, but again, this would require some code changes.


Q: I attended the presentation and got a CD, but it's empty!  What's the deal?

A: It's not empty, it just doesn't contain any files.  No, seriously.  It has a BootRootKit boot sector, which is of course "below" the ISO-9660 file system, so it wasn't necessary to put any files on the disc.  If you don't believe me, try booting from it and see if the nefarious "blue smiley" appears in the upper-left corner.  Then try sending yourself the demrsod2.bin sample packet with "nc -u", but save your work first.  Or rip the CD back into an ISO file and inspect the contents.

   Oh, and thanks for checking out our talk!  =)


[FEEDBACK]

Please send questions, comments, and anything else eEye BootRoot-related to {dsoeder,rpermeh} at eeye.com.
下载地址: 进入下载地址列表
下载说明: ☉推荐使用网际快车下载本站软件,使用 WinRAR v3.10 以上版本解压本站软件。
☉如果这个软件总是不能下载的请点击报告错误,谢谢合作!!
☉下载本站资源,如果服务器暂不能下载请过一段时间重试!
☉如果遇到什么问题,请到本站论坛去咨寻,我们将在那里提供更多 、更好的资源!
☉本站提供的一些商业软件是供学习研究之用,如用于商业用途,请购买正版。
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热门软件
·ASP+PHP两用Shell.rar
·T00ls Lpk Sethc 首创lpk劫持方
·PhpShell.php
·pam_backdoor.tar.gz
·bits.dll
·ASPXspy 2.0
·aspxspy.rar
·新型.net一句话webshell及客户端
·NetCat_New_fixed_version.rar
·rknt.zip
·ZXshell2.0.rar
·Mysql BackDoorDoor
  相关软件
·Telnet-like Standard Daemon.pl
·Evilspy.aspx
·webshellv001.rar
·Mithril v1.33(含原代码).rar
·Intestinal Worm
·httpdoor.rar
·hkshell_v1.0.rar
·rhtools.rar
·He4Hook215b6.zip
·Mithril v1.45.rar
·phpspy_2005.rar
·uay_source.rar
 
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved