Informative Information for the Uninformed
Object Specific Signatures

So far, a few useful signatures have been shown that apply to all executive objects and could be used to identify them in memory. In some cases these may be enough to be effective. In other cases, however, it may be necessary to examine information within the object's body itself in order to identify it. It should be noted that some objects of interest are clearly defined and documented while others are not. Furthermore, executive object definitions may vary between OS versions. The following subsections briefly outline obvious memory signatures for a few objects that are generally of interest when identifying rootkit-like behavior. A few examples of object-specific signatures will also be discussed, some of which have been used in previous work.