Inside Windows Rootkits

By Chad Tilbury on September 4, 2013 in Malware, Memory Forensics

Despite being written in 2006, Chris Ries' paper Inside Windows Rootkits is still surprisingly relevant. About the only thing missing is a discussion of the newer x64 mitigations, Kernel Mode Code Signing and Kernel Patch Protection (aka PatchGuard). Both apply only to 64-bit Windows and raise the bar for the kernel-side techniques in the paper (loading an unsigned driver, patching the SSDT or kernel code); they do nothing about user-mode hooks, which remain exactly as the paper describes them. Few resources have explained rootkit internals so simply. As an example, Figure 2 from the paper neatly ties together the rootkit hooking universe:

Figure 2: Potential places to intercept a call to the FindNextFile function, from Inside Windows Rootkits by Chris Ries
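The user-mode import-table hook from that figure, reduced to a portable model so it runs outside Windows. This is an added example, not code from the paper or from this post: a plain function-pointer table stands in for the PE import address table, a constructed five-entry directory listing stands in for what FindNextFile enumerates, and the `$sys$` prefix is an arbitrary marker chosen here for the entries the hook hides. The cross-view check at the end (listing through the hooked slot versus calling the genuine routine directly) is the same idea rootkit detectors use to surface hidden files.

```c
/* Added example: model of a user-mode IAT hook on FindNextFile and a
 * cross-view check that detects it. Not Windows code; the "import table"
 * is a process-local function-pointer slot so the mechanism runs anywhere. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8

/* Constructed directory listing standing in for the real enumeration. */
static const char *kDirectory[] = {
    "readme.txt", "$sys$hidden.dll", "notes.docx", "$sys$driver.sys", "budget.xls"
};
static const int kDirectoryCount = (int)(sizeof kDirectory / sizeof kDirectory[0]);

/* The genuine "API": yields the next entry, false when the listing is done. */
typedef bool (*find_next_fn)(int *cursor, const char **name_out);

static bool genuine_find_next(int *cursor, const char **name_out) {
    if (*cursor >= kDirectoryCount) return false;
    *name_out = kDirectory[(*cursor)++];
    return true;
}

/* Model of the IAT: the slot every caller in the process goes through. */
struct import_table { find_next_fn find_next; };
static struct import_table g_iat = { genuine_find_next };

/* Rootkit hook: calls the original, then drops entries with the marker prefix
 * ("$sys$" is a constructed marker for this example, nothing more). */
static const char *kHiddenPrefix = "$sys$";

static bool hooked_find_next(int *cursor, const char **name_out) {
    while (genuine_find_next(cursor, name_out)) {
        if (strncmp(*name_out, kHiddenPrefix, strlen(kHiddenPrefix)) != 0)
            return true;            /* pass ordinary entries through */
    }                               /* hidden entries are silently skipped */
    return false;
}

/* Installing the hook is nothing more than overwriting the import slot. */
static void install_hook(void) { g_iat.find_next = hooked_find_next; }
static void remove_hook(void)  { g_iat.find_next = genuine_find_next; }

/* An application (Explorer, dir, an AV scanner) listing through the slot. */
static int list_directory(const char *out[], int max) {
    int cursor = 0, n = 0;
    const char *name;
    while (n < max && g_iat.find_next(&cursor, &name))
        out[n++] = name;
    return n;
}

/* Detection 1: does the slot still point at the genuine routine? A real
 * detector compares the IAT entry against the module's export address. */
static bool iat_slot_is_clean(void) { return g_iat.find_next == genuine_find_next; }

/* Detection 2: cross-view. Count what the hooked path shows versus what the
 * genuine routine returns when called directly; the difference is hidden. */
static int hidden_entry_count(void) {
    const char *via_iat[MAX_ENTRIES];
    int through_slot = list_directory(via_iat, MAX_ENTRIES);
    int cursor = 0, direct = 0;
    const char *name;
    while (genuine_find_next(&cursor, &name)) direct++;
    return direct - through_slot;
}

int main(void) {
    const char *names[MAX_ENTRIES];
    int n, i;
    install_hook();
    n = list_directory(names, MAX_ENTRIES);
    printf("listing through the hooked import slot (%d entries):\n", n);
    for (i = 0; i < n; i++) printf("  %s\n", names[i]);
    printf("import slot clean: %s, entries hidden: %d\n",
           iat_slot_is_clean() ? "yes" : "no", hidden_entry_count());
    remove_hook();
    return 0;
}
```

The point of keeping both checks is that they fail differently: the slot comparison catches this hook outright but misses an inline patch of the genuine routine's first bytes (the figure's next interception point), while the cross-view count still catches an inline patch as long as the detector has some lower-level path to the unfiltered data, which is why real tools walk the file system or kernel structures themselves rather than trusting the API.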

The original PDF is a little hard to find these days, but here are a couple of links:

http://www.scribd.com/doc/74418240/Chris-Ries-Inside-Windows-Rootkits

http://thehackademy.net/madchat/vxdevl/library/Inside%20Windows%20Rootkits.pdf

