Archives For September 2013

Despite being written in 2006, Chris Ries’ paper Inside Windows Rootkits is still surprisingly relevant.  About the only thing missing is a discussion of new(er) x64 mitigation techniques like Kernel Mode Code Signing and Kernel Patch Protection (aka PatchGuard).  Few resources have explained rootkit internals so simply.  As an example, Figure 2 from the paper neatly ties together the rootkit hooking universe:

Figure 2, Inside Windows Rootkits by Chris Ries

Figure 2: Potential places to intercept a call to the FindNextFile function, Inside Windows Rootkits by Chris Ries

The original PDF is a little hard to find these days, but here are a couple of links: