Dailydave mailing list archives

Re: redpill vs. Microsoft rootkit...


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 14 Mar 2006 13:48:05 -0500


Joanna Rutkowska wrote:

I find it quite funny that my little redpill, which many people
used to consider malicious, can now be used to detect advanced
rootkits, like the one from MS Research:

http://www.eecs.umich.edu/Rio/papers/king06.pdf

It's interesting how some technology, which was invented as
offensive or defensive at some point in time, within the next few
years starts being used in exactly the opposite way...


I agree - we've started putting more and more defensive technology in
CANVAS. We started with something very similar to redpill, but we now
have memory grabber tools, and other things that I would have
previously thought of as "defensive". But part of the fun of having
these frameworks is you can start really loading them down with
features you otherwise would have skipped - and a rootkit finder is
really useful when you go into a box at first. Don't want to mess up
someone else's crappy rootkit, ya know?

-dave