Thursday, February 23, 2012

【Weak Current College】 Restore system protection and defense


What if a system restore point does not work when it is time to restore, or has other problems? Is system restore merely for show? How can it be used to get the result we actually want? In environments that rely on restore systems, users generally install no other protection software, so once the restore software has been penetrated the security threat is much larger.
Restore systems are vulnerable because they are filter drivers on the disk device: they have no tight coupling with the disk device itself, so an attacker only needs to unhook or bypass the filter to have disk requests sent straight to the real disk.
Fundamentals of penetration
Read and write requests have to skip the restore system's filter device and go to the underlying physical disk device instead. The idea behind penetration is that a disk request is issued from the upper layer down to the lower layers, so as long as that send path can be intercepted, the interception point can play the role of a restore bypass.
Penetrating the restore system to carry out attacks
Once the principle is understood, penetrating a restore system is very simple: because the restore system is a filter on the disk driver, removing or bypassing the relationship between the filter driver and the real disk is equivalent to defeating the restore directly. There are no more than the following three cases:
1. Unhooking the filter device chain of the DR0 device. This method removes the filter device attached to the harddisk DR0 device. The device object has a field that records which filter device is attached to it; the first-generation robot dog virus zeroed this field, so the restore system's filter device was cleared out of the chain and every request reached the disk device directly without passing through the restore system's filter. Most restore systems in China had no way to counter this technique at the time. The technique has limitations, though: it can only remove the filter on the physical device DR0, whereas file requests first reach the disk volume, and the volume's filter device is not removed. So the robot dog virus parsed the file system on its own in order to carry out its attack.
2. Creating a virtual disk device, mounting it as a disk volume so that the file system sits on the virtual disk, and forwarding reads and writes of the virtual disk as requests to the real underlying disk device. Compared with robot dog, this approach does not need to unhook the disk filter: an operation on a file on the virtual disk has the same result as the same operation on the real disk, and the restore is penetrated successfully. Note that this method does not send disk read/write requests directly; it issues SCSI_REQUEST_BLOCK (SRB) requests to the lower disk device.
3. Using no driver at all and penetrating the restore system directly from user mode. The disk subsystem provides a set of pass-through commands that send a request straight to the disk, with which one can obtain disk information or even read and write disk sectors directly. IDE/SCSI/ATA pass-through commands go straight through the restore; in ring 3 they are sent with the DeviceIoControl function. Most restore systems do not filter these strictly, or do not filter them at all, so they can be attacked from ring 3.
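The third case turns on whether the filter sitting on the protected disk refuses the pass-through control codes. Below is an added example, not code from the original post or from any restore product, modelling in plain C the decision such a filter should make for a device-control request: the control codes are the documented Windows values for the SCSI/IDE/ATA pass-through and SMART IOCTLs (rebuilt with the CTL_CODE layout), while the request structure, the requestor-mode flag, the FILE_READ_WRITE shorthand and the policy itself are assumptions of this model.

```c
/* Added example, not code from the original post or from any restore
 * product: a model of the decision a strict disk filter should make for
 * device-control requests on a protected disk, so that the pass-through
 * commands described in case 3 cannot reach the disk from ring 3. The IOCTL
 * codes are the documented Windows values; the request structure and the
 * policy are assumptions of this model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define CTL_CODE(type, func, method, access) \
    ((((uint32_t)(type)) << 16) | (((uint32_t)(access)) << 14) | \
     (((uint32_t)(func)) << 2) | ((uint32_t)(method)))
#define METHOD_BUFFERED   0
#define FILE_ANY_ACCESS   0
#define FILE_READ_ACCESS  1
#define FILE_WRITE_ACCESS 2
#define FILE_READ_WRITE   (FILE_READ_ACCESS | FILE_WRITE_ACCESS) /* local shorthand */
#define IOCTL_SCSI_BASE   0x04
#define IOCTL_DISK_BASE   0x07

/* Raw-command paths that bypass normal read/write filtering */
#define IOCTL_SCSI_PASS_THROUGH        CTL_CODE(IOCTL_SCSI_BASE, 0x0401, METHOD_BUFFERED, FILE_READ_WRITE) /* 0x4D004 */
#define IOCTL_SCSI_PASS_THROUGH_DIRECT CTL_CODE(IOCTL_SCSI_BASE, 0x0405, METHOD_BUFFERED, FILE_READ_WRITE) /* 0x4D014 */
#define IOCTL_IDE_PASS_THROUGH         CTL_CODE(IOCTL_SCSI_BASE, 0x040A, METHOD_BUFFERED, FILE_READ_WRITE) /* 0x4D028 */
#define IOCTL_ATA_PASS_THROUGH         CTL_CODE(IOCTL_SCSI_BASE, 0x040B, METHOD_BUFFERED, FILE_READ_WRITE) /* 0x4D02C */
#define IOCTL_ATA_PASS_THROUGH_DIRECT  CTL_CODE(IOCTL_SCSI_BASE, 0x040C, METHOD_BUFFERED, FILE_READ_WRITE) /* 0x4D030 */
#define SMART_SEND_DRIVE_COMMAND       CTL_CODE(IOCTL_DISK_BASE, 0x0021, METHOD_BUFFERED, FILE_READ_WRITE) /* 0x7C084 */
#define SMART_RCV_DRIVE_DATA           CTL_CODE(IOCTL_DISK_BASE, 0x0022, METHOD_BUFFERED, FILE_READ_WRITE) /* 0x7C088 */
/* A harmless informational request, for contrast */
#define IOCTL_DISK_GET_DRIVE_GEOMETRY  CTL_CODE(IOCTL_DISK_BASE, 0x0000, METHOD_BUFFERED, FILE_ANY_ACCESS) /* 0x70000 */

struct ioctl_request {
    uint32_t code;           /* control code from the IRP's current stack location */
    bool     from_user_mode; /* models Irp->RequestorMode == UserMode */
    bool     disk_protected; /* the target disk is covered by the restore system */
};

enum verdict { VERDICT_ALLOW = 0, VERDICT_DENY = 1 };

uint32_t ioctl_device_type(uint32_t code) { return (code >> 16) & 0xFFFF; }
uint32_t ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFF; }

bool is_pass_through(uint32_t code)
{
    static const uint32_t raw_paths[] = {
        IOCTL_SCSI_PASS_THROUGH, IOCTL_SCSI_PASS_THROUGH_DIRECT,
        IOCTL_IDE_PASS_THROUGH,  IOCTL_ATA_PASS_THROUGH,
        IOCTL_ATA_PASS_THROUGH_DIRECT,
        SMART_SEND_DRIVE_COMMAND, SMART_RCV_DRIVE_DATA,
    };
    for (size_t i = 0; i < sizeof raw_paths / sizeof raw_paths[0]; i++)
        if (raw_paths[i] == code)
            return true;
    return false;
}

/* The strict policy a filter on the protected disk applies to
 * IRP_MJ_DEVICE_CONTROL. A lax filter that passes these codes down to the
 * disk is exactly the weakness described in case 3. */
enum verdict filter_device_control(const struct ioctl_request *r)
{
    if (!r->disk_protected)
        return VERDICT_ALLOW;    /* not a protected disk: pass down unchanged */
    if (is_pass_through(r->code))
        return VERDICT_DENY;     /* raw command to the disk, whoever sent it */
    if (r->from_user_mode && ioctl_device_type(r->code) == IOCTL_SCSI_BASE)
        return VERDICT_DENY;     /* default-deny the port interface from ring 3 */
    return VERDICT_ALLOW;        /* ordinary class IOCTLs such as geometry queries */
}

int main(void)
{
    /* Constructed sample requests, as the filter would see them */
    const struct ioctl_request samples[] = {
        { IOCTL_ATA_PASS_THROUGH,         true,  true  },
        { IOCTL_SCSI_PASS_THROUGH_DIRECT, false, true  },
        { IOCTL_DISK_GET_DRIVE_GEOMETRY,  true,  true  },
        { IOCTL_ATA_PASS_THROUGH,         true,  false },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct ioctl_request *r = &samples[i];
        printf("ioctl 0x%05X type=0x%02X func=0x%03X %-6s %-11s -> %s\n",
               (unsigned)r->code, (unsigned)ioctl_device_type(r->code),
               (unsigned)ioctl_function(r->code),
               r->from_user_mode ? "user" : "kernel",
               r->disk_protected ? "protected" : "unprotected",
               filter_device_control(r) == VERDICT_DENY ? "DENY" : "ALLOW");
    }
    return 0;
}
```

The sample table shows the raw-command codes refused on the protected disk while a geometry query is passed down, and the same pass-through code allowed on a disk the restore system does not cover. The default-deny on the SCSI device type from user mode is the "strict" behaviour the post says most restore systems lack; a real filter would complete the denied requests with STATUS_ACCESS_DENIED in its IRP_MJ_DEVICE_CONTROL dispatch instead of calling the lower driver.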
Restore system defense
Internet cafes and public places almost universally have restore systems installed, and once a restore system is penetrated, the restore no longer protects the machine. It is clear that restore systems on the network are very important, and active defense even more so.
First, monitor disk reads and writes at a lower level. This is harder to develop and cannot be scaled up in the short term. If GuardField has time, the system can be modified for this, or an existing system can be reused for compatibility, monitoring disk operations at the lowest layer. Its advantage is that monitoring happens even earlier.
Second, hooks, together with an appropriate amount of self-protection and recovery. If an attacker produces targeted attacks against the defender, the defender easily falls into a passive position and gets beaten; with hooks in place, the attacker has a harder time.
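Self-protection and recovery, as an added example that is not part of the original post or of GuardField: a user-space C model of the chain check a filter can run over its own device stack to notice the unhooking described in case 1 (the physical disk's link to the filter set to zero) and put itself back. The structure stands in for DEVICE_OBJECT.AttachedDevice, the walk for IoGetAttachedDevice, and the repair for re-attaching the filter directly above the disk; the names, the scenario and the repair policy are constructed assumptions.

```c
/* Added example, not code from the original post or from GuardField: a
 * user-space model of the "self-protection and recovery" chain check a
 * restore filter can run over its own device stack. The field below stands
 * in for DEVICE_OBJECT.AttachedDevice and the walk for IoGetAttachedDevice;
 * the names, structures and repair step are assumptions of this model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct device_object {
    const char *name;
    struct device_object *attached_device; /* device stacked directly above; NULL at the top */
};

/* Attach 'upper' on top of whatever is currently highest above 'lower' */
void attach_to_stack(struct device_object *lower, struct device_object *upper)
{
    struct device_object *top = lower;
    while (top->attached_device != NULL)
        top = top->attached_device;
    top->attached_device = upper;
    upper->attached_device = NULL;
}

/* The device that newly issued requests are delivered to */
struct device_object *top_of_stack(struct device_object *d)
{
    while (d->attached_device != NULL)
        d = d->attached_device;
    return d;
}

/* Is the restore filter still reachable when walking up from the disk? */
bool filter_in_stack(struct device_object *disk, const struct device_object *filter)
{
    for (struct device_object *d = disk; d != NULL; d = d->attached_device)
        if (d == filter)
            return true;
    return false;
}

/* Periodic self-check: returns 0 if the chain is intact, 1 if the link had
 * been cut and has now been restored. The filter goes back directly above
 * the disk; if something else was attached there in the meantime and the
 * filter has nothing above it, that device is kept above the filter so its
 * requests pass through the filter again. */
int verify_and_restore(struct device_object *disk, struct device_object *filter)
{
    if (filter_in_stack(disk, filter))
        return 0;
    if (disk->attached_device != NULL && filter->attached_device == NULL)
        filter->attached_device = disk->attached_device;
    disk->attached_device = filter;
    return 1;
}

/* Constructed scenario: build disk <- filter <- another upper filter, cut
 * the disk's link the way the post describes (the field set to zero), then
 * run the self-check. Returns the number of expectations met (4 when all hold). */
int scenario_unhook_then_repair(void)
{
    struct device_object disk   = { "Harddisk0 DR0 (physical disk)", NULL };
    struct device_object filter = { "restore filter",                NULL };
    struct device_object upper  = { "other upper filter",            NULL };
    int ok = 0;

    attach_to_stack(&disk, &filter);
    attach_to_stack(&disk, &upper);
    ok += (verify_and_restore(&disk, &filter) == 0);  /* chain intact, nothing to do */

    disk.attached_device = NULL;                       /* link cut: the field is zeroed */
    ok += (top_of_stack(&disk) == &disk);              /* requests now land on the disk */

    ok += (verify_and_restore(&disk, &filter) == 1);   /* cut detected and repaired */
    ok += (filter_in_stack(&disk, &filter) && top_of_stack(&disk) == &upper);
    return ok;
}

int main(void)
{
    printf("expectations met: %d of 4\n", scenario_unhook_then_repair());
    return 0;
}
```

In a real driver the check would run from a timer or a system thread and compare the live stack with the pointers the filter recorded when it attached; the useful property shown here is that the cut is noticed by walking up from the physical disk, which is exactly the walk a new request takes, rather than by trusting the filter's own view of the stack.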
Third, behavior management and prevention:
1. Establish good security habits; do not open suspicious e-mails or suspicious websites;
2. Many viruses spread by exploiting vulnerabilities; be sure to patch the system promptly;
3. Install professional anti-virus software, upgrade it to the latest version and turn on real-time monitoring;
4. Set a more complex password on the Administrators account to stop viruses spreading by password guessing.
Future trends for restore systems
Now that we have GuardField protection, malicious attackers will develop new updates aimed at GuardField. We speculate that the means they use will fall into two main areas: first, lower-level or newer disk read/write techniques that bypass disk IRP analysis and write directly to the disk; second, tools aimed at GuardField itself, to destroy it or unlink it. Within about two days there will be a new driver to unlink our GuardField.

