萬徑尋蹤: Windows 入侵檢測與防禦編程 (卷一) (Tracing Every Path: Windows Intrusion Detection and Defense Programming, Volume 1)

譚文 (Tan Wen), 周鈺淇 (Zhou Yuqi), 郭艷君 (Guo Yanjun)

  • Publisher: Tsinghua University Press
  • Publication date: 2025-06-01
  • Price: $534
  • Language: Simplified Chinese
  • ISBN: 7302695148
  • ISBN-13: 9787302695141
  • Stocked on order (about 4 to 6 weeks)

Product Description

Starting from the real threats that enterprise intranets face, this book introduces host-based intrusion detection and prevention systems running on Windows and presents their technical foundations, principles and source-code implementation progressively, from the basics to advanced topics. The book focuses on the main starting points and stages of malicious attacks, namely the detection and prevention of malicious module execution and malicious script execution, and covers Windows minifilter drivers, the AMSI (Antimalware Scan Interface), ETW log parsing, RPC remote-call interface filtering and related techniques, building an effective multi-layered host intrusion detection and prevention architecture. Readers will learn the attackers' common tactics and understand, at the source-code level, how Windows kernel-mode and user-mode security features are actually implemented, thereby forming a holistic and deep understanding of host security defense that they can apply skillfully in real development. The intended readers include university teachers and students with some C background, practitioners in the computer and network security industry, computer security enthusiasts, and enterprise intranet security administrators.

Table of Contents

Chapter 1 Overview: Intranet Security, EDR and Host Defense ···· 1
  1.1 The Simple Origin of a Complex Problem ···· 1
  1.2 EDR and Host Intrusion Detection and Prevention ···· 2
  1.3 Attacks Against the Intranet ···· 4
  1.4 The Zero-Trust Mindset ···· 7
  1.5 Designing Defense in Depth ···· 8
  1.6 Priorities of Defense ···· 9

Part I: Module Execution Defense

Chapter 2 Design Philosophy of Module Execution Defense ···· 13
  2.1 Execution and Module Execution ···· 13
    2.1.1 Initial Execution ···· 13
    2.1.2 Native Execution and Interpreted Execution ···· 14
    2.1.3 The Importance of Module Execution ···· 15
  2.2 Public Verification Measures for Modules ···· 16
    2.2.1 The Windows Executable File Format ···· 16
    2.2.2 Signatures of Executable Modules ···· 17
    2.2.3 Signature Scanning of Malicious Code ···· 22
  2.3 Designing a Module Execution Defense Scheme ···· 24
    2.3.1 Functional Design of Module Execution Defense ···· 25
    2.3.2 Technology Choices for Module Execution Defense ···· 28
  2.4 Summary and Exercises ···· 29

Chapter 3 Minifilter Drivers and Module Execution Defense ···· 31
  3.1 Handling File Operations with a Minifilter ···· 31
    3.1.1 Understanding the Minifilter Framework ···· 32
    3.1.2 Paging Writes and Non-Paging Writes ···· 33
    3.1.3 A Basic Template for Writing Pre-Operation Callbacks ···· 35
    3.1.4 Handling Create Operations in the Pre-Operation Callback ···· 37
  3.2 Implementing Write-Operation Handling ···· 39
    3.2.1 Precondition Checks and Obtaining the File Object ···· 39
    3.2.2 Determining Whether a File Is a PE File ···· 42
    3.2.3 Obtaining the Write Buffer Contents ···· 44
    3.2.4 Deciding How to Handle the Write Based on the Buffer Contents ···· 46
    3.2.5 Post-Processing of Write Operations ···· 48
  3.3 Capturing File Rename Operations with the Minifilter ···· 51
    3.3.1 Detecting File Renames in the Set-Information Pre-Operation Callback ···· 51
    3.3.2 Calling the Safe Function from the Rename Post-Operation Callback ···· 54
    3.3.3 Processing in the Safe Post-Operation Callback for File Renames ···· 56
    3.3.4 About File Deletion ···· 57
  3.4 Summary and Exercises ···· 58

Chapter 4 Design and Integration of the Defense Scheme ···· 59
  4.1 Designing the Suspect Database ···· 59
    4.1.1 Data Structure Design of the Suspect Database ···· 59
    4.1.2 Lookup in the Suspect Database ···· 62
    4.1.3 Adding Suspect Paths ···· 64
    4.1.4 Deleting and Moving Suspect Paths ···· 66
  4.2 Integrating the Suspect Database ···· 70
    4.2.1 How to Obtain Paths in a Minifilter ···· 70
    4.2.2 Blocking Executable Module Loading in the Minifilter ···· 72
    4.2.3 Final Demonstration ···· 75
  4.3 Summary and Exercises ···· 78

Chapter 5 Vulnerability Analysis and Exploitation of the Scheme ···· 79
  5.1 Basic Principles of Vulnerability Analysis ···· 79
    5.1.1 Clarify the Requirements as Much as Possible ···· 79
    5.1.2 Analyze Vulnerabilities Continuously ···· 81
    5.1.3 Divide and Conquer for Vulnerabilities ···· 83
  5.2 Basic Methods of Vulnerability Analysis ···· 85
    5.2.1 Methods for Analyzing Design Vulnerabilities ···· 85
    5.2.2 Methods for Analyzing Technical Vulnerabilities ···· 88
    5.2.3 Methods for Analyzing Implementation Vulnerabilities ···· 91
  5.3 The Concrete Process of Implementation Vulnerability Analysis ···· 92
    5.3.1 Units and Starting Points of Implementation Vulnerability Analysis ···· 92
    5.3.2 Code Risk Annotation ···· 93
    5.3.3 Function Risk Annotation ···· 95
    5.3.4 Expanding the Associations Among Risk Points ···· 98
  5.4 Exploitation and Testing ···· 101
    5.4.1 Drive-Letter and Path Vulnerabilities ···· 102
    5.4.2 Memory-Mapped Read/Write Vulnerabilities ···· 103
    5.4.3 Transactional Operation Vulnerabilities ···· 104
  5.5 Exploiting the Transactional Operation Vulnerability ···· 106
    5.5.1 Programming Principles of This Exploit ···· 106
    5.5.2 Code Implementation of This Exploit ···· 107
    5.5.3 Test Results and Evaluation ···· 110
  5.6 Summary and Exercises ···· 112

Chapter 6 Patching the Vulnerability: Transaction-Aware Deletion Handling ···· 113
  6.1 Using Contexts to Record Whether a File Has Been Deleted ···· 113
    6.1.1 Transactional Operations and File Deletion ···· 113
    6.1.2 Starting the Handling from the Create Operation ···· 114
    6.1.3 Using Stream Contexts in the Minifilter ···· 116
    6.1.4 Handling Deletion in the Set-Information Operation ···· 119
  6.2 Tracking Deletions with a Linked List in the Transaction Context ···· 121
    6.2.1 Handling Cleanup: The Moment of Deletion ···· 121
    6.2.2 Creating and Retrieving the Transaction Context ···· 126
    6.2.3 Registering Contexts and Transaction Callbacks ···· 129
    6.2.4 Structure of the Stream Context and Implementation of the Deletion List ···· 131
    6.2.5 Final Handling of Deletion ···· 133
  6.3 Determining Whether a File Has Been Deleted ···· 134
    6.3.1 Using Object ID Retrieval to Determine Whether a File Has Been Deleted ···· 134
    6.3.2 Using the File ID to Determine Whether a File Has Been Deleted ···· 137
    6.3.3 How to Build a File ID String ···· 139
    6.3.4 How to Obtain the File ID from the Filter Parameters ···· 140
    6.3.5 Obtaining the Volume GUID ···· 142
  6.4 Summary and Exercises ···· 144

Part II: Script Execution Defense

Chapter 7 Tool-File Script Defense Implemented with a Minifilter ···· 146
  7.1 Why and How to Approach Script Defense ···· 146
    7.1.1 Shortcomings of Module Execution Defense ···· 146
    7.1.2 Classification and Nature of Scripts and Interpreters ···· 147
    7.1.3 Three Lines of Defense for Scripts ···· 149
  7.2 Capturing File Scripts ···· 151
    7.2.1 An Example of a "Malicious" Script ···· 151
    7.2.2 How to Monitor an Interpreter Reading a Script ···· 152
    7.2.3 Filtering cmd.exe Reading Batch Files ···· 154
  7.3 Demonstration and Practical Strategy of File Script Defense ···· 156
    7.3.1 Demonstration of cmd.exe Script Defense ···· 156
    7.3.2 Demonstration of powershell.exe Script Defense ···· 157
    7.3.3 Practical Strategy for Tool-File Script Defense ···· 158
  7.4 Summary and Exercises ···· 160

Chapter 8 Tool Script Defense Implemented with AMSI ···· 161
  8.1 Introduction to AMSI ···· 161
    8.1.1 What AMSI Is ···· 161
    8.1.2 Applications of AMSI ···· 163
    8.1.3 Introduction to AMSI Providers ···· 166
  8.2 Implementing a Custom AMSI Provider ···· 168
    8.2.1 Creating a Custom AMSI Provider Project ···· 168
    8.2.2 Registering and Unregistering the AMSI Provider ···· 170
    8.2.3 Extracting Scan Information and Returning Results ···· 172
  8.3 Tool Script Defense Implemented with AMSI ···· 177
    8.3.1 Basic Idea of Tool Script Defense ···· 177
    8.3.2 Implementing Information Extraction from Scripts ···· 179
    8.3.3 Implementing the Script Signature Check Logic ···· 182
    8.3.4 Demonstration of the Self-Implemented AMSI Provider ···· 187
  8.4 Summary and Exercises ···· 189

Chapter 9 AMSI Defense Against Content Scripts and Low-Detectability Attacks ···· 191
  9.1 Content-Script Defense Implemented with AMSI ···· 191
    9.1.1 Difficulties in Defending Against Content Scripts ···· 191
    9.1.2 AMSI Providers and Obfuscated Scripts ···· 192
    9.1.3 Intercepting Plaintext Scripts with an AMSI Provider ···· 194
  9.2 Simple Classification of Malicious Content Scripts ···· 197
    9.2.1 Typical Behaviors of Malicious Scripts ···· 197
    9.2.2 Indicators of Compromise (IOC) and Simple Black/White Classification ···· 198
    9.2.3 Demonstration of Blocking by Simple Classification ···· 201
  9.3 AMSI Defense Against Low-Detectability Attacks ···· 201
    9.3.1 The Threat of Low-Detectability Attacks ···· 201
    9.3.2 Simulated Demonstration of a Low-Detectability Attack in PowerShell ···· 202
    9.3.3 Deploying the Simulated Attack Environment ···· 207
    9.3.4 Demonstration of the Simulated Attack Being Blocked ···· 209
  9.4 Summary and Exercises ···· 211

Chapter 10 Monitoring System Events with ETW ···· 213
  10.1 Basic Concepts of ETW ···· 213
    10.1.1 What ETW Is ···· 213
    10.1.2 Main Concepts of ETW ···· 214
    10.1.3 Viewing ETW-Related Components ···· 215
  10.2 Reading ETW Logs Programmatically ···· 216
    10.2.1 Main Functions Involved in ETW Programming ···· 216
    10.2.2 Designing a General-Purpose ETW Log Reading Function ···· 217
    10.2.3 Using the ETW Log Reading Function ···· 218
  10.3 Source Code Walkthrough of ETW Log Reading ···· 219
    10.3.1 Creating an ETW Session ···· 219
    10.3.2 Assigning Providers to the ETW Session ···· 221
    10.3.3 Creating a Consumer ···· 222
    10.3.4 Starting Log Processing and Cleaning Up ···· 223
  10.4 Trying to Read and Parse RPC Events ···· 224
    10.4.1 Finding the Providers for RPC Events ···· 224
    10.4.2 The Provider's Log Format ···· 225
    10.4.3 Obtaining Logs in EventRecordCallback ···· 227
    10.4.4 Writing Code to Parse the Logs ···· 228
  10.5 Summary and Exercises ···· 231

Chapter 11 Monitoring and Defending Remote Procedure Calls (RPC) ···· 232
  11.1 What RPC Is ···· 232
    11.1.1 Command-Sequence Scripts ···· 232
    11.1.2 RPC and Intranet Security ···· 232
    11.1.3 How to Monitor and Block RPC ···· 233
  11.2 Real Examples of RPC Attacks ···· 234
    11.2.1 Principles of RPC Attack Behavior ···· 234
    11.2.2 RPC Attacks Carried Out with the PsExec Tool ···· 235
    11.2.3 Live Demonstration of Using PsExec ···· 236
  11.3 Monitoring All RPC ···· 238
    11.3.1 Filtering the Correct ETW Log Types ···· 238
    11.3.2 Displaying Parsed RPC Log Information ···· 240
    11.3.3 Demonstration of Monitoring All RPC Calls ···· 241
  11.4 Obtaining the IP Address of the RPC Caller ···· 242
    11.4.1 Obtaining the Caller's Network Address from SMB-Related Logs ···· 242
    11.4.2 Code Implementation for Capturing and Parsing SMB Logs ···· 245
    11.4.3 Extracting the IP Address from SMB Log Data ···· 246
  11.5 Monitoring the Key RPC Interfaces Called by PsExec ···· 250
    11.5.1 Printing RPC Log Information by Correlation ···· 250
    11.5.2 Solving the Pipe Alias Problem ···· 253
    11.5.3 Demonstration of Monitoring RPC Calls from External Machines ···· 254
  11.6 Filtering RPC with the WFP Engine ···· 256
    11.6.1 Adding RPC Interface Filters with WFP ···· 256
    11.6.2 Opening the WFP Engine and Specifying the Interfaces to Block ···· 259
    11.6.3 Filtering Specified IP Addresses ···· 260
  11.7 Summary and Exercises ···· 261

Chapter 12 Software Vulnerability Exploitation and File Behavior Defense ···· 263
  12.1 Exploitation of Software Vulnerabilities ···· 263
    12.1.1 Shortcomings of Module and Script Execution Defense ···· 263
    12.1.2 Timely Updates to Defend Against Software and Hardware Vulnerabilities ···· 264
    12.1.3 From Execution-Flow Checks to Behavior Defense ···· 265
  12.2 Main Malicious Behaviors ···· 267
    12.2.1 Malicious Goals That Lead to Malicious Behavior ···· 267
    12.2.2 File, Disk and Registry Behaviors ···· 268
    12.2.3 Network, Cross-Process and System-Call Behaviors ···· 270
  12.3 Monitoring and Blocking File Behavior with a Minifilter ···· 273
    12.3.1 Defining Rules for Reasonable Software Behavior ···· 273
    12.3.2 Implementing Monitoring and Blocking of File Opens for Writing ···· 274
    12.3.3 Implementing a Configurable Rule Base ···· 278
  12.4 Summary and Exercises ···· 281

Appendix A Development Tool Preparation, Environment Deployment and HelloWorld Example ···· 282
  A.1 Downloading and Installing Visual Studio 2022 ···· 282
  A.2 Installing the Windows SDK ···· 283
  A.3 Installing the Windows WDK ···· 284
  A.4 Installing VMware and a Windows 11 Virtual Machine ···· 284
  A.5 Setting Up Two-Machine Debugging ···· 289

Appendix B HelloWorld Example ···· 293
  B.1 Creating a Driver ···· 293
  B.2 Writing the Driver Code ···· 294
  B.3 Building and Deploying the Driver ···· 296
  B.4 Debugging the Driver ···· 299

Appendix C Notes on the Accompanying Source Code ···· 302
  C.1 How to Use the Source Code ···· 302
  C.2 Overall Directory Layout and Build Method ···· 302
  C.3 Index from Chapter Examples to Source Code ···· 303