Dailydave mailing list archives
Re: Thoughts about Cross-View based Rootkit Detection
From: Dave Aitel <dave () immunitysec com>
Date: Sun, 19 Jun 2005 09:15:35 -0400
I'm not sure exactly what is meant by "cross view" in this context. Is there a simple dictionary for us non-rootkit developers to follow? Is it any detector that follows a "low level" view with a "high level" view and then does a compare?
Just out of curiosity, do any of the win32 rootkits out there move their files out of the way? I.e., if I'm in the kernel, I can watch you read sectors, and if I see a sector that looks like me, I can move myself to an earlier sector, right? Kinda Core War-esque, if you've ever played that game.
I still do like the idea of hiding in plain sight. There's just so much entropy on a normal system - you can replace explorer.exe and be pretty happy.
-dave

Joanna Rutkowska wrote:

Recently, the cross-view based approach to rootkit detection, especially in regards to hidden files and registry keys, has become very popular. This is mostly because of the recent release of tools like Rootkit Revealer and Black Light, as well as a Microsoft Research project with the friendly name GhostBuster. Many people started to think that it is going to be the ultimate way of detecting all rootkits and system compromises in general... So, I decided to put some of my thoughts about this into a short article, which can be found here: http://invisiblethings.org/papers/crossview_detection_thoughts.pdf

Best Regards,
joanna.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
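The "low-level view compared against a high-level view" idea Dave asks about, shown as an added example that is not code from the thread or from any of the tools named in it. The thread discusses hidden files and registry keys on Windows; this example applies the same cross-view principle to processes on Linux (assumed platform): the high-level view is the /proc listing that ps and top rely on, the low-level view probes every PID with kill(pid, 0), and candidates are re-checked so that a process which simply exited between the two snapshots is not reported as hidden.

```python
import os


def pid_exists(pid):
    """Probe one PID without enumerating anything. EPERM still means it exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def low_level_view(pid_max):
    """Low-level view: every PID that answers a direct probe. A hook that
    filters directory listings cannot remove a process from this view."""
    return {pid for pid in range(1, pid_max + 1) if pid_exists(pid)}


def high_level_view():
    """High-level view: what ordinary tools see, the numeric entries of /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def cross_view(low, high, still_alive, still_listed):
    """Return PIDs present in the low-level view but missing from the
    high-level one. The two snapshots are taken at different instants, so each
    candidate is re-checked: if it has since exited, or now appears in the
    listing after all, it was a race, not a hidden process."""
    return {p for p in low - high if still_alive(p) and not still_listed(p)}


def scan_linux(pid_max=None):
    """Run the cross-view check on the live system (Linux, assumed)."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    low = low_level_view(pid_max)   # low-level snapshot first, ...
    high = high_level_view()        # ... then the high-level one
    return cross_view(low, high,
                      still_alive=pid_exists,
                      still_listed=lambda p: p in high_level_view())


if __name__ == "__main__":
    hidden = scan_linux()
    print("hidden candidates:", sorted(hidden) if hidden else "none")
```

Only low-minus-high is reported: a PID that appears in the listing but not in the probe is not evidence of hiding, just a process that started between the two snapshots.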
Current thread:
- Thoughts about Cross-View based Rootkit Detection Joanna Rutkowska (Jun 19)
- Re: Thoughts about Cross-View based Rootkit Detection Dave Aitel (Jun 19)
- fragging with rootkit detectors? Rodney Thayer (Jun 19)
- Re: fragging with rootkit detectors? Mark (Jun 20)