Show simple item record

dc.contributor.author | Alexander, Jason | en
dc.date | 2012-10-18 09:54:09.678
dc.date.accessioned | 2012-10-18T15:44:16Z
dc.date.available | 2012-10-18T15:44:16Z
dc.date.issued | 2012-10-18
dc.identifier.uri | http://hdl.handle.net/1974/7605
dc.description | Thesis (Master, Computing) -- Queen's University, 2012-10-18 09:54:09.678 | en
dc.description.abstract | Advanced malicious software threats have become commonplace in cyberspace, with large-scale cyber threats exploiting consumer, corporate and government systems on a constant basis. Regardless of the target, upon successful infiltration into a target system an attacker will commonly deploy a backdoor to maintain persistent access as well as a rootkit to evade detection on the infected machine. If the attacked system has access to classified or sensitive material, virus eradication may not be the best response. Instead, a counter-intelligence operation may be initiated to track the infiltration back to its source. It is important that the counter-intelligence operations are not detectable by the infiltrator. Rootkits can not only hide malware; they can also hide the detection and analysis operations of the defenders from malware. This thesis presents a rootkit based on Asynchronous Procedure Calls (APC). This allows the counter-intelligence software to exist inside the kernel and avoid detection. Two techniques are presented to defeat current detection methods: Trident, using a kernel-mode driver to inject payloads into the user-mode address space of processes, and Sidewinder, moving rapidly between user-mode threads without intervention from any kernel-mode controller. Finally, an implementation of the explored techniques is discussed. The Dark Knight framework is outlined, explaining the loading process that employs Master Boot Record (MBR) modifications and the primary driver that enables table hooking, kernel object manipulation, virtual memory subversion, payload injection, and subterfuge. A brief overview of Host-based Intrusion Detection Systems is also presented to outline how the Dark Knight system can be used in conjunction with them for immediate reactive investigations. | en
dc.language.iso | eng | en
dc.relation.ispartofseries | Canadian theses | en
dc.rights | This publication is made available by the authority of the copyright owner solely for the purpose of private study and research and may not be copied or reproduced except as permitted by the copyright laws without written authority from the copyright owner. | en
dc.subject | Asynchronous Procedure Calls | en
dc.subject | Reverse Engineering | en
dc.subject | Software Engineering | en
dc.subject | Computer Science | en
dc.title | Ghost in the Shell: A Counter-intelligence Method for Spying while Hiding in (or from) the Kernel with APCs | en
dc.type | thesis | en
dc.description.degree | M.Sc. | en
dc.contributor.supervisor | Knight, Scott | en
dc.contributor.supervisor | Dean, Thomas R. | en
dc.contributor.department | Computing | en
dc.degree.grantor | Queen's University at Kingston | en
