Reverse engineering a Qualcomm baseband, 28C3, Guillaume Delugré

Despite their wide presence in our lives, baseband chips are still poorly known and understood from a system point of view. Some presentations have highlighted vulnerabilities in GSM stacks across various models of basebands (cf. 27c3: All your baseband are belong to us by R-P. Weinmann). However, none of them actually focused on the details of how a baseband operating system really works. This is the focus of our presentation. From the study of a simple 3G USB stick equipped with a Qualcomm baseband, we will discuss how to dump the volatile memory, reverse-engineer the proprietary RTOS, and ultimately execute and debug code while trying to preserve the real-time system constraints.

How to develop a rootkit for Broadcom NetExtreme network cards, REcon 2011, Guillaume Delugré

Having spent a lot of time on reverse engineering the Broadcom NetExtreme cards' firmware, I began writing my own rootkit firmware from scratch in C. Fortunately, the firmware code in Broadcom cards is not signed and it is possible to burn custom MIPS code into the device's EEPROM so that it gets loaded during the device bootstrap sequence. I will briefly recap how I reverse engineered the Broadcom firmware: developing my own firmware debuggers (InVitroDbg/InVivoDbg), getting code execution on the NIC, etc. This work has already been presented in the past, so this presentation will mainly focus on the practical rootkit development part.

iPhone data protection in depth, HITB Amsterdam 2011, Jean-Baptiste Bédrune, Jean Sigwald

iOS 4 introduced the data protection feature, which helps secure data on the device with the user's passcode. In this talk we describe the internals of iPhone data protection on and off the device, and present tools we developed to assist forensic analysis of iOS devices.

Closer to metal: reverse-engineering the Broadcom NetExtreme’s firmware, Hack.lu 2010, Guillaume Delugré

During CanSecWest 2010, French researchers Loic Duflot and Yves-Alexis Perez discovered a major security flaw in the firmware of Broadcom network cards. The vulnerability is a buffer overflow leading to remote code execution on the device, which can then lead to OS corruption through DMA accesses.

This raises the following question: how much can you trust your hardware when you don't even know how it operates behind your back, nor what the firmware code is actually doing? Given manufacturers' reluctance to give details about their device internals, the best thing we can do is to retrieve this information ourselves using reverse engineering techniques. Fortunately, Broadcom released part of their Ethernet card specifications. Nevertheless some details are still obscure, and the firmware source code is not available... This presentation focuses on the reverse engineering case study of the Broadcom Ethernet NetExtreme family firmware.

Digital Content Protection - How to crack DRM and make them more resistant, HITB KL 2010, Jean-Baptiste Bédrune

This talk deals with audio and video content protection, focusing on VoD and protected files on PCs. The first part presents the modules needed for a DRM solution, the general architecture of such systems, and the main constraints they have to face. It then shows some common mistakes made by vendors, and how to fix them. Finally, techniques used to defeat common DRM systems in a short time are presented, including a short introduction to white-box cryptography and the source code obfuscation methods commonly found in these systems.

iPhone security model & vulnerabilities, HITB KL 2010, Cédric Halbronn, Jean Sigwald

The iPhone is one of the most popular smartphones out there, with a large library of applications. The iPhone operating system (iOS) implements security mechanisms to only run Apple-signed code on the device and to mitigate exploitation of software vulnerabilities. However, many vulnerabilities were found and exploited successfully to "jailbreak" the operating system and run third-party applications. This talk describes iOS security features and shows how to reuse jailbreak exploits to steal data from the phone, either with physical access or remotely.

Metasm Feelings, REcon 2010, Yoann Guillot and Alexandre Gazet

Metasm is an open source Ruby framework developed by Yoann Guillot. It can work with binary files, assemble, disassemble, debug running processes, manipulate C source code, drive the Ruby interpreter, and do plenty of other things. Our talk follows a simple guideline based on a real-life case: the development of a code tracer. Starting from a trivial tracing algorithm, we will show that Metasm makes it possible to efficiently build a multi-platform tool; then we will extend its capabilities by taking advantage of the native Windows API. At the end we will use the tool to debug the firmware of a network card, running on the NIC and not on the main CPU.

Subverting Windows 7 x64 Kernel with DMA Attacks, HITB Amsterdam 2010, Christophe Devine and Damien Aumaitre

Traditionally, operating systems implicitly trust the hardware.

This presentation will focus on concrete examples of compromising the Windows 7 x64 operating system, in effect bypassing two major security mechanisms: code signing and integrity verification (PatchGuard).

First, we’ll explain the internal structures of the operating system, and how they differ from previous versions. Then we describe how to alter these structures in order to gain control over the execution flow. The implementation of this attack is then presented, using an embedded soft-core MIPS CPU implemented on an FPGA PCMCIA/CardBus card.

Finally, we will conclude on the importance of new protection features included in recent CPUs, in particular the IOMMU and TXT.

Deception 2.0: Gathering and Exploiting Information, HITB Dubai 2010, Fred Raynal, Arnauld Mascret and Christophe Devaux

Using information has been well known to the military for centuries. However, they are not the only ones to do it: a company wishing to gain a competitive advantage over a competitor, a state wanting to protect its citizens, or a husband or wife wanting to know whether their spouse is cheating. Then came the Internet. More information is available, some of which one can control and some of which one cannot. And for an attacker, this is an opportunity.

This talk will deal with information. We will show what has recently changed with the rise of the Internet and social networks.

First, we will briefly recall that using information is based on the same methods whatever the source is. Then we will focus on open source information on the Internet, concentrating on two types of targets: a company or a John Doe. We will start collecting in the usual ways, and propose ways to get more information from social networks, bypassing their limits. Having information is fine, but useless unless you attempt to exploit it. So the last part will show what one can do with a bit of social skills, intelligence gathering and cleverness.

PoC(k)ET, the details of a rootkit for Windows Mobile 6 (original title: PoC(k)ET, les détails d'un rootkit pour Windows Mobile 6), SSTIC 2010, Cédric Halbronn

The smartphone is the result of the convergence of several mobile terminals: GPS, mobile phones, PDAs, etc. There are many embedded operating systems on the mobile market. Windows Mobile, developed by Microsoft, is fairly widespread. It therefore seems essential to analyse how Microsoft's mobile operating system works, to understand the risks and threats, and to anticipate the methods that could be used to attack the terminal and leave a backdoor for an attacker without the legitimate user of the smartphone noticing.

virtdbg: a kernel debugger using hardware virtualisation (original title: virtdbg: un débogueur noyau utilisant la virtualisation matérielle), SSTIC 2010, Christophe Devine and Damien Aumaitre

The virtdbg project aims to create a debugger based on a minimalist hypervisor. It is injected directly into the target system's memory using a DMA transfer and offers a set of simple primitives for controlling the target (setting breakpoints, reading and writing memory, handling exceptions, etc.). These primitives rely on the hardware virtualisation features of recent Intel and AMD processors. The system is altered very little, and control is total.

Fuzzgrind: An automatic fuzzing tool, Hack.lu 2009, Gabriel Campana

Fuzzgrind is a fully automatic fuzzing tool, generating test files with the purpose of discovering new execution paths likely to trigger bugs, and potentially vulnerabilities. Fuzzgrind is based on the concept of symbolic execution. The tool starts from a file considered valid by the software under test, and analyses the execution path to extract the constraints tied to the branch instructions followed by this software. By solving these constraints one by one, Fuzzgrind alters the valid file to explore possible new branches of the software under test, in order to discover new vulnerabilities.

When E.T. comes into Windows Mobile 6, Hack.lu 2009, Cédric Halbronn

This presentation deals with developing a rootkit for Windows Mobile 6. We analyze the different services offered: phone, SMS, GPS, SD card, etc. We also list all the possible attack vectors: phone, WLAN, ActiveSync, etc. The system's internal mechanisms will be explained. This will allow us to understand how the system may be compromised: SMS interception, rootkits, etc. As antivirus companies propose solutions to protect devices, it is logical to want to know what they really protect against. We will give details on the stealth mechanisms, remote control capabilities, ways to make the rootkit persistent, and services that a malicious hacker could use.

Malicious PDF origamis strike back, HITB KL 2009, F. Raynal, G. Delugré and D. Aumaitre

Last year, we presented at PacSec some risks related to the PDF format. Many samples were provided. In the end, we showed two real-life attacks focused on the PDF language and Acrobat Reader.

Since the language has now been well studied, we will now focus on its environment:

  • What are the links between the OS, the browser, … and PDF files?
  • Why the new encryption mode is a better target for an attacker when the password is shorter than 32 characters.
  • What about the JavaScript engine?

Based on these analyses, we will show two attacks leading to credential leaks:

  • When a PDF contains an invisible form that is automatically submitted, the submission is passed to the browser, which sends the form … along with the cookies associated with it if the user was previously authenticated on the target site. Thus cross-site request forgery is possible with PDF files.
  • On a LAN, it is possible to cause Windows to force an NTLM challenge and thus leak the NTLM credentials with no warning at all for the user. Thus PDF files are a very effective vector for a “pass the hash” attack.

Defeating software protection with Metasm, HITB KL 2009, Alexandre Gazet and Yoann Guillot

Metasm is an open source binary manipulation framework (disassembly, compilation, executable format handling, etc.). It currently supports x86 (IA-32 and amd64), MIPS and PowerPC architectures. One of its distinctive characteristics is the encoding of instruction semantics. Based on this semantic encoding, the disassembler takes advantage of what we call a “backtracking” engine (symbolic emulation) that allows a very fine disassembly. Using the encoded instruction semantics, we have been developing a generic approach to x86 code-virtualization-based protection. We also used some optimization techniques to defeat obfuscation, and compilation to defeat virtualization. Moreover, there is a very new feature of Metasm: a C decompiler. We have already started to port the optimizations into the decompiler with good results. Our talk illustrates these different functionalities of Metasm, based on concrete results we have obtained against different state-of-the-art software protections involving heavy obfuscation and code virtualization.

Automatic binary deobfuscation - The Barbarian Sublimation (original title: Désobfuscation automatique de binaire - The Barbarian Sublimation), SSTIC 2009, Alexandre Gazet and Yoann Guillot

Following on from our presentation last year, we are working on the automatic bypassing of software protection techniques. We focus particularly on the problem of obfuscation.

Until now, it was necessary to search by hand for the patterns used by the protection in order to undo them. Our current approach seeks to automate this tedious work through an analysis of the semantics of the binary code that extracts a minimal representation of it, which amounts to removing the obfuscation layer.

We will show the results obtained on a few examples, where we will see that the methods developed sometimes make it possible to bypass other forms of protection, such as software virtual machines.

Fuzzgrind: an automatic fuzzing tool (original title: Fuzzgrind : un outil de fuzzing automatique), SSTIC 2009, Gabriel Campana

Over the last few years, fuzzing has become one of the main methods of vulnerability research. Current fuzzers rely mainly on generating invalid data from models, which need to be rewritten for each new target. We will detail how Fuzzgrind works: a new, fully automatic fuzzing tool that generates new test data from the symbolic execution of the target program on a given input, with the aim of finding new vulnerabilities.

Malicious PDF origamis strike back (original title: Les origamis malicieux en PDF contre-attaquent), SSTIC 2009, Guillaume Delugré and Fred Raynal

People have now fully taken on board the risks associated with MS Office documents, whether they come from macros or from associated vulnerabilities. By contrast, PDF documents seem much safer and more reliable. This (false) sense of security stems essentially from the fact that PDF documents appear static. It is also probably due to the massive use of Acrobat Reader, to the detriment of software that allows PDF files to be manipulated. As a result, PDF files are perceived as images rather than active documents. And as everyone knows, an image is not dangerous, so neither is a PDF. But is that really the case...?

Discovering a botnet from Russia (with love), EICAR 2009, Damien Aumaitre, Christophe Devaux and Julien Lenoir

A botnet refers to a network of infected computers that are remotely controlled. Botnet owners take advantage of the huge number of hosts (and thus computing power) to generate illegal profit by running spam or adware campaigns, denial of service attacks or data theft. This article is an analysis of a multi-task botnet found in the wild. Everything began when an infected laptop was sent to our lab for forensic analysis. The system was infected by many pieces of malware. After a quick analysis, we decided out of curiosity to focus on one of them. We soon realised that our infected machine was enrolled in a botnet and decided to study the whole botnet. In the first part, we show how we analysed and reverse engineered the malware itself and all the binaries it dropped. This analysis covers the infection, the exploitation of the machine and the network topology of the zombie computers. From there we were able to draw the network map of the botnet and its control servers. We could also see the evolution of the malware's features and the improvement of its protection layers. In the second part, we analyse the business model of this botnet. We gathered information about the "botnet manager" and how he manages the botnet like a company. We discovered its costs and profit sources, the developers' recruiting process, and how this malware is potentially linked with other malware and other criminal organisations.

Applied evaluation methodology for anti-virus software, EICAR 2009, Jean-Baptiste Bédrune and Alexandre Gazet

One distinctive characteristic of anti-virus software is that it tries to address a problem which, from a formal point of view, is proven to be undecidable. An evaluation must then be performed to assess how imperfect the anti-virus software, the target of evaluation (TOE), is with respect to a given security target (ST). The answer cannot be as simple as a binary fail/work. This paper presents a methodology dedicated to anti-virus software evaluation. The proposed methodology draws its inspiration from a French security assessment proposed by the French Network and Information Security Agency (FNISA): the CSPN (Certification de Sécurité de Premier Niveau - First Level Security Certification). Our methodology is intended to be both a formal and an operational evaluation, and to provide a discerning overview of the effectiveness of an antivirus product within limited time and means.

Bullet-proof hosting providers (original title: Les hébergeurs bullet-proof), ESEC seminar 2009, Alexandre Gazet and Gabriel Campana

Bulletproof hosting providers offer conventional hosting services while guaranteeing their customers total anonymity and maximum quality of service. Because of their very great permissiveness regarding hosted content, these services are particularly aimed at criminal activities: storage of malicious code, upload servers for stolen data, botnet command and control (C&C) servers, spam campaigns, etc. This presentation will illustrate the underground economy linked to this type of service, but also the technical realities that allow these hosting providers themselves to stay online.

Analysis of a botnet that came in from the cold (original title: Analyse d'un botnet venu du froid), ESEC seminar 2009, Damien Aumaitre, Christophe Devaux and Julien Lenoir

Virus development is no longer the business of teenagers craving recognition, but that of organised cyber crime generating large illegal profits. Some viruses are developed with industrial techniques and are organised into networks of infected machines: botnets. These botnets can be remotely controlled by cyber criminals to carry out spam, denial of service or other activities that generate illegal revenue. We analysed one of these botnets. We will present the results of this analysis concerning the infection, the exploitation of the machine and the topology of the network of zombie machines.

Bypassing security products (original title: Contourner les produits de sécurité), ESEC seminar 2009, Jean-Baptiste Bédrune and Yoann Guillot

The market for security products is vast and well stocked. All of them boast of offering optimal or enhanced protection, or of being able to detect and counter new threats. Yet it is not uncommon to see implementation or design errors drastically reduce, or even wipe out, the security level of a product. During this presentation our experts will detail the analysis of security products (firewalls, IDS, anti-virus) that they have carried out. They will present the different ways of bypassing them.

Malicious PDFs (original title: Les PDFs malicieux), ESEC seminar 2009, Guillaume Delugré and Frédéric Raynal

Over the years, the PDF format has established itself as an essential document format, to the point that the PDF standard is now an international standard (ISO-32000-1). In the eyes of many users, a PDF file is nothing more than a simple sheet ready to print. Yet a PDF file can have active content that is executed directly by the PDF reader, and this in a completely standard way. This talk will present the range of possibilities offered by the PDF standard and how a PDF file can turn out to be an ideal infection vector for an attacker.

Browser rootkits (original title: Les rootkits navigateurs), ESEC seminar 2009, Christophe Devaux and Julien Lenoir

Web browsers embed an increasing number of features. They are present on the vast majority of machines connected to the network, handle sensitive content (logins/passwords, confidential e-mails, personal or professional information) and are almost always allowed to connect to the Internet. They are therefore a prime target for anyone wanting to steal high-value information without the user or the information system being aware of it. As an experiment, we developed browser rootkits to illustrate the kind of attacks that can be carried out on Web browsers, such as stealing passwords or files from the user's workstation, or taking remote control of the machine.

Malicious origami in PDF, PacSec 2008, Frédéric Raynal and Guillaume Delugré

Many people are now aware that MS Office documents are dangerous, either because of the activated macros or because of the exploits they carry. As a consequence, PDF documents seem to be much more reliable and secure. This (false) impression of security arises mainly because PDF documents appear to be static, due to the fact that most people only use PDF readers and not producers. We first present the PDF language and its security model. Then we will demonstrate how an attacker can mount a targeted attack using malicious PDF files.

Browser rootkits, Hack.lu 2008, Christophe Devaux and Julien Lenoir

An increasing number of features is currently being made available in Web browsers. They are present on most computers connected to the network, handle sensitive content (logins/passwords, confidential e-mails, personal or professional information) and are almost always allowed to connect to the Internet. Therefore, they are a prime target for anyone wanting to steal information without the user being aware of it. As an experiment, we developed browser rootkits to illustrate the kind of attacks that can be performed on Web browsers, such as stealing passwords, downloading files from the user's machine, or taking remote control of the computer.

Analysis of an undocumented network protocol, Hack.lu 2008, Jean-Baptiste Bédrune

OneBridge is a mobile solution that enables enterprises to extend software applications to frontline employees on a variety of mobile devices. Communications between the server and the mobile devices use an undocumented, encrypted protocol. We first present the techniques we used to fully understand the protocol, the encryption algorithms, and the different formats used to exchange data. Then we point out a few vulnerabilities found during our analysis. Finally, we present a way to fully compromise a OneBridge server using a combination of design errors in the protocol.

A little journey inside Windows memory, Hack.lu 2008, Damien Aumaitre

In 2005 and 2006, two security researchers, Maximilian Dornseif and Adam Boileau, showed an offensive use of the FireWire bus. They demonstrated how to take control of a computer equipped with a FireWire port. This work has been continued. After a brief summary of how memory works on a modern OS, we will explain how the FireWire bus works and how it can be used to access physical memory. Since modern operating systems and processors use virtual addresses (and not physical ones), we rebuild the virtual address space of each process in order to retrieve and understand kernel structures. Thus, we have an instant view of the operating system without being subject to the security protections provided by the processor or the kernel. We will demonstrate several uses for this. First we will show what can be done with only an interpretation of kernel structures (read access). For example, we can list all processes and access the registry with no access control, even for protected keys like the SAM ones. This is used to dump credentials. Then we see what can be done when one modifies the memory (write access). As an example, we show a 2-byte patch to unlock a workstation without knowing the password. Last but not least, code execution is not supposed to happen through FireWire since it is only a bus providing read/write access to memory. However, slightly modifying the running kernel lets us do whatever we want. We will explain how to get a shell with SYSTEM privileges before any authentication.

Semi-automatic binary deprotection (original title: Déprotection semi-automatique de binaire), SSTIC 2008, Alexandre Gazet and Yoann Guillot

This paper presents a few families of protections that can be found on binaries, malicious or not, whose purpose is to hinder reverse engineering.

We will also look at their limitations, and at how they can be removed in a largely automatic way.

Finally, we will illustrate these concepts by solving the "T2" challenge, which implements an obfuscated virtual machine, by instrumenting the Metasm disassembler. The one that melts in your mouth, not in your hand.

Cryptography: attacks from all directions (original title: Cryptographie : attaques tous azimuts), SSTIC 2008, Jean-Baptiste Bédrune, Eric Filiol and Fred Raynal

This article deals with operational attacks against cryptography. The problem is approached from several angles, the objective being not to resort to classical cryptanalysis. To do so, we rely on errors in implementation or in usage, or on information leaks.

Journey to the heart of memory (original title: Voyage au coeur de la mémoire), SSTIC 2008, Damien Aumaitre

In this article, we discuss the possible uses of access to physical memory. We invite you on a journey through the structures that make up the Windows kernel. We will then see what information can be extracted from a dump of physical memory. We will finish with a few demonstrations of offensive and defensive uses of this information.

Malicious Cryptography, CanSecWest 2008, Eric Filiol and Fred Raynal

Malware detection is possible only when two conditions are met: the malware techniques used must be analysed in one way or another, and the detection software must be updated with the knowledge gained through this analysis. From a simple detection pattern in a viral database to complex detection heuristics able to detect complex, known malware behaviour, detection software can detect only what it already knows. Here, we expose some techniques based on a malicious use of cryptography that bad guys could nonetheless use in order to thwart the detection of classical malware that most detection software would successfully perform in a normal case.

Comparative analysis of various ransomware virii, EICAR 2008, Alexandre Gazet

The word ransomware and the associated phenomenon appeared around 2005. It brought to light a specific class of malware which demands a payment in exchange for a stolen functionality. The most widespread ransomware makes intensive use of file encryption as an extortion means. Basically, it encrypts various files on victims' hard drives before asking for a ransom to get the files decrypted. Security-related media and some antivirus vendors quickly brandished this “new” type of virii as a major threat for the computing world. This article tries to investigate the foundation of these threats beyond the phenomenon. In order to get a better understanding of ransomware, the study relies on a comparative analysis of various ransomware virii. Based on reverse engineering, while not focused on analysis methodology, a technical review is done at different levels: quality of code, the malware's functionalities and analysis of the cryptographic primitives, if employed. We also take advantage of our technical review to stand back and analyse both the business model associated with these ransomwares and the communication that has been made around them.

Small treatise about e-manipulation for honest people, EICAR 2008, François Gaspard and Fred Raynal

Information warfare is nowadays a well-known concept. However, articles are mainly split into two categories. The first one deals with how information must be managed in a system (e.g. a company or a state) in order to achieve information dominance, that is, providing more and better information than the others so that they have to follow what is produced. The second one is more about how information can be used as a weapon. Dominance is one goal, but not the only one: deception, intoxication or misinformation are others. In this article, we chose the second approach. The goal when using information as a weapon is to influence a target so that it does what the attacker wants, or to cause effects. We also chose to focus on a specific battlefield: the Internet. One particularly important aspect of the Internet is that it is both a container and contents. For instance, web sites provide articles, but they are also servers, referenced by search engines. As such, we combined this duality to increase the effects of the operations given as examples. We illustrate the operation through examples where information is created and its container is improved as well. We show how Search Engine Optimization can be used for information warfare. Combining action-oriented techniques and information-based techniques makes each of them much more efficient. This article shows how information warfare can be conducted on the Internet. The goal is to illustrate how very few people can organize an information-based attack, targeting either a company or a state, for instance.

Metasm, Hack.lu 2007, Yoann Guillot

Metasm is a cross-architecture assembler, disassembler, compiler, linker and debugger. It has some advanced features such as live process manipulation, a GCC/Microsoft Visual Studio-compatible preprocessor, automatic backtracking in the disassembler (similar to "slicing"), C header shrinking, a Linux/Windows/remote debugging API interface, a C compiler/decompiler, a gdb-server compatible debugger, and various other advanced features. It is written in pure Ruby, with no dependencies.

On the invisibility of rootkits: application under Linux (original title: De l'invisibilité des rootkits : application sous Linux), SSTIC 2007, Eric Lacombe, Fred Raynal, Vincent Nicomette

This article deals with the design of rootkits. We show how these malicious codes are innovative compared with the usual malware such as viruses and Trojan horses, which allows us to set out a functional architecture for rootkits. We also propose criteria for characterising and evaluating the various rootkits. We deliberately approached the problem as a whole, that is, not restricting ourselves to the rootkit software alone, but also considering the communication between the attacker and his tool and the interactions with the system. Naturally, we observe that the problems encountered in designing rootkits are close to those of steganography, but we also specify the limits of this comparison. Finally, we present our own rootkit, running in kernel mode under Linux, and several new techniques designed to increase its stealth.