Xcon2005_Profiling_Malware_and_Rootkits_from_Ke..

More documents

Recommendations

Info

Better Method…We can replace the callbacks for all object typeswe’re interested inIf we’re interested in finding out every time aprocess or file is opened:Find the FILE_OBJECT object type andreplace the Open callbackFind the EPROCESS object type and replacethe Open callback
Better Method…In the callback, we analyze the event andthen call the original callbackIf we’re just profiling:We record the event and allow it to passIf we’re doing rootkit detection:We check if there are any matching signaturesIf a signature matches, we execute the signatureaction (e.g., report, block, etc.)
Page 2: AgendaBasics about RootkitsCurrent
Page 5 and 6: Rootkit DetectionAt the beginning o
Page 7 and 8: Rootkit Detection Anti-VirusVery ef
Page 9 and 10: Rootkit Detection Host IPSTwo layer
Page 11 and 12: Rootkit DetectionExecution Path Ana
Page 13 and 14: Rootkit Detection DifferentialQuery
Page 15 and 16: Rootkit Technologies IntroductionUs
Page 17 and 18: Rootkit TechnologiesGetting into Ke
Page 19 and 20: Rootkit TechnologiesGetting into Ke
Page 21 and 22: Better Method…IntroductionCan be
Page 23 and 24: Better Method…Windows Executive O
Page 25: Better Method…ExampleDuring syste
Page 29 and 30: Better Method…How ToIf we want to
Page 31 and 32: Detecting Driver LoadingCreating se
Page 33 and 34: Detecting Dispatch HooksEnumerate D
Page 35 and 36: Removing a Rootkit…Still experime
Page 37 and 38: Self-Preservation: Step 1Prevent a
Page 39 and 40: Self-Preservation: Step 3Ensure no
Page 41 and 42: SummaryPresented a method of observ
Page 43 and 44: STKIT- Shok Toolkit JRemember this

Xcon2005_Profiling_Malware_and_Rootkits_from_Ke..

Create successful ePaper yourself

Delete template?

Save as template?