Xcon2005_Profiling_Malware_and_Rootkits_from_Ke..

More documents

Recommendations

Info

Rootkit DetectionProblems with the EPALarge performance degradation tracingthrough all system callsDifficult to implement correctly (many waysto disable):Overwriting the trap h<strong>and</strong>ler in the IDTOverwriting EFLAGS.TF in the TSSOverwriting EFLAGS.TF via POPF
Rootkit Detection DifferentialQuery same information <strong>from</strong> toplocations:First use user-mode APIsThen use low-level methods (looking atthe registry file, NTFS directly, etc.)If these differ, something is hidinginformation
Page 2: AgendaBasics about RootkitsCurrent
Page 5 and 6: Rootkit DetectionAt the beginning o
Page 7 and 8: Rootkit Detection Anti-VirusVery ef
Page 9 and 10: Rootkit Detection Host IPSTwo layer
Page 11: Rootkit DetectionExecution Path Ana
Page 15 and 16: Rootkit Technologies IntroductionUs
Page 17 and 18: Rootkit TechnologiesGetting into Ke
Page 19 and 20: Rootkit TechnologiesGetting into Ke
Page 21 and 22: Better Method…IntroductionCan be
Page 23 and 24: Better Method…Windows Executive O
Page 25 and 26: Better Method…ExampleDuring syste
Page 27 and 28: Better Method…In the callback, we
Page 29 and 30: Better Method…How ToIf we want to
Page 31 and 32: Detecting Driver LoadingCreating se
Page 33 and 34: Detecting Dispatch HooksEnumerate D
Page 35 and 36: Removing a Rootkit…Still experime
Page 37 and 38: Self-Preservation: Step 1Prevent a
Page 39 and 40: Self-Preservation: Step 3Ensure no
Page 41 and 42: SummaryPresented a method of observ
Page 43 and 44: STKIT- Shok Toolkit JRemember this

Xcon2005_Profiling_Malware_and_Rootkits_from_Ke..

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?