
Research of Rootkit Covert Technology Based on Network Interface Card

Posted on: 2013-01-01
Degree: Master
Type: Thesis
Country: China
Candidate: C Zhang
GTID: 2218330362459369
Subject: Communication and Information System
Abstract/Summary:

As mainstream network threats shift from widespread worm and e-mail virus attacks to targeted attacks on specific systems for profit, attention turns to rootkit covert technology. Rootkit covert technology has developed through confrontation with security technology, moving from the earliest application-layer rootkits to kernel-layer rootkits. To avoid detection, rootkits keep moving deeper into the system. Today, kernel-layer rootkit technology and the corresponding detection methods have matured, and the latest rootkits target computer hardware. We therefore study the latest network card rootkit techniques in order to understand how to detect hardware rootkits.

First, the initial problem is the memory structure inside the network card and how to upload custom firmware to the card's storage area. Because there is little public documentation on the internal structure of network cards, and the major card manufacturers provide very limited information, the only feasible way to study the card's internal structure is reverse engineering. The French reverse engineer Guillaume Delugre provides two dynamic debugging tools for the network card, which we use to research and analyze its internal storage structure, including details of the various registers and the EEPROM memory. Finally, the rootkit program is downloaded to the card's storage by operating the card's registers over the PCI bus.

Second, regarding the implementation of the network card rootkit: although hardware rootkit technologies differ, their working principles are related. This paper introduces the classic hardware-based BIOS and eEye rootkit techniques and, with reference to the basic principles of their implementation and the functions they hook, describes methods for implementing a rootkit on the network card.

Finally, the network card rootkit requires a program file that can run on the card. We refer to the network boot environment of the open-source project iPXE to compile the program files. We first introduce the relevant iPXE background, then the program framework for writing the rootkit program with iPXE, and give the implementation of the program.
Keywords/Search Tags:Network Card, Firmware, Hook, BIOS, Rootkit, iPXE