Dailydave mailing list archives
Re: HITB trip report
From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Mon, 03 Oct 2005 22:16:02 +0200
Dave Aitel wrote:
> Joanna Rutkowska's talk on Windows kernel rootkit finding was good - her basic hypothesis (which I agree with) is that if you enumerate all the places in the kernel people can hook, you can write a reliable rootkit detector. My stance is that there's just not enough entropy in the kernel to truly hide in.
Basically Dave claims that it is possible to write custom backdoors which would hijack code pointers (which are located in the data section, so we cannot check their integrity with a tool like SVV) in *specific* applications (like a web server process or so) and will act as a sniffer, because the code pointer would point to a function processing the packets received from the network... I agree with his point of view, with the following restrictions however:

1) it may be extremely difficult to do it in an application written in C (we need to be quite lucky so that the application we're exploiting actually calls the packet processing function via a code pointer)

2) in the case of an application written in C++ it should be easy to write a program for checking the integrity of VPTR tables (check if all pointers point to code located in a valid code section).

3) this is definitely a good way of writing a network/application sniffer, but is probably not enough to implement for example a key stroke logger... And it is definitely not enough to implement classic rootkit functionality like files, registry or process hiding... On the other hand, sometimes it may not be necessary for the malware to survive the reboot and then we don't need to worry about files/registry hiding...

Anyway, it would be interesting to see if anybody actually makes use of this idea in the wild (or just in a working proof-of-concept) so I could add appropriate checks into the OMCD document ;)
> Overall - professionally organized, well put-together conference. Hotel was 5 star...and it showed. Conference is largely under-priced, even including plane ticket price.
Yes, the conference was really great :)

regards,
joanna.
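Editor's added example of the vtable integrity check described in point 2 of the reply above; this is not code from the thread, from SVV or from any tool named on the page. It models two conditions a checker for a C++ process would verify: the object's hidden vtable pointer should land in a read-only data section of a loaded module (a vtable relocated to the heap is a hooked copy), and every slot in the vtable should point into an executable section of a loaded module. The section table, module names, addresses and objects are all constructed for the demonstration; a real implementation would read the PE section headers and the object memory from the target process instead.

```python
"""Model of a C++ vtable / VPTR integrity check (constructed data)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    module: str
    name: str
    start: int
    size: int
    executable: bool  # code section such as .text
    writable: bool    # data section such as .data

    def contains(self, addr: int) -> bool:
        # End address is exclusive: start + size is the first byte past the section.
        return self.start <= addr < self.start + self.size


@dataclass(frozen=True)
class Obj:
    name: str
    vptr: int         # value of the hidden vtable pointer inside the object
    slots: tuple      # function pointers read from the vtable it points to


def find_section(sections, addr):
    """Return the Section containing addr, or None if it is outside every module."""
    for s in sections:
        if s.contains(addr):
            return s
    return None


def check_object(obj, sections):
    """Return a list of findings for one object; an empty list means it looks clean."""
    findings = []
    vt = find_section(sections, obj.vptr)
    if vt is None:
        findings.append(f"{obj.name}: vptr {obj.vptr:#x} outside every loaded module (heap copy?)")
    elif vt.writable or vt.executable:
        # Assumption: compiler-emitted vtables live in a read-only data section (.rdata).
        findings.append(f"{obj.name}: vptr {obj.vptr:#x} in {vt.module}!{vt.name}, not a read-only data section")
    for i, fn in enumerate(obj.slots):
        if fn == 0:
            findings.append(f"{obj.name}: slot {i} is NULL")
            continue
        sec = find_section(sections, fn)
        if sec is None:
            findings.append(f"{obj.name}: slot {i} -> {fn:#x} outside every loaded module")
        elif not sec.executable:
            findings.append(f"{obj.name}: slot {i} -> {fn:#x} in non-code section {sec.module}!{sec.name}")
    return findings


def scan(objects, sections):
    """Check every object and map its name to its findings."""
    return {o.name: check_object(o, sections) for o in objects}


# Constructed memory layout: a hypothetical "httpd.exe" and one imported DLL.
SAMPLE_SECTIONS = (
    Section("httpd.exe", ".text", 0x00401000, 0x20000, executable=True, writable=False),
    Section("httpd.exe", ".rdata", 0x00421000, 0x08000, executable=False, writable=False),
    Section("httpd.exe", ".data", 0x00429000, 0x04000, executable=False, writable=True),
    Section("ws2_32.dll", ".text", 0x71A01000, 0x10000, executable=True, writable=False),
    Section("ws2_32.dll", ".rdata", 0x71A11000, 0x04000, executable=False, writable=False),
)

# Constructed objects: one clean, one with a hooked slot, one with a relocated
# vtable, and one whose slot sits exactly at the end of .text (an off-by-one case).
SAMPLE_OBJECTS = (
    Obj("clean_conn", 0x00421100, (0x00401230, 0x00401800, 0x71A01400)),
    Obj("hooked_slot", 0x00421100, (0x00401230, 0x00350000, 0x71A01400)),
    Obj("relocated_vtable", 0x00350100, (0x00401230, 0x00401800, 0x71A01400)),
    Obj("slot_into_rdata", 0x00421100, (0x00401230, 0x00421000, 0x71A01400)),
)

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_OBJECTS, SAMPLE_SECTIONS).items():
        print(name, "-> clean" if not findings else "")
        for f in findings:
            print("   ", f)
```

The exclusive end check in `Section.contains` is what catches the last object: `0x00421000` is one byte past `.text`, and a checker using `<=` on the end address would accept it as code.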
Current thread:
- HITB trip report Dave Aitel (Oct 03)
- Re: HITB trip report Joanna Rutkowska (Oct 03)
- Re: HITB trip report mel (Oct 03)
- Re: HITB trip report I)ruid (Oct 03)