Object Specific Signatures

So far a few useful signatures have been shown which apply to all executive objects and could be used to identify them in memory. For some cases these may be enough to be effective. However, in other cases, it may be necessary to examine information within the object's body itself in order to identify them. It should be noted that some objects of interest may be clearly defined and documented while others may not be. Furthermore, executive object definitions may vary between OS versions. The following subsections briefly outline obvious memory signatures for a few objects which generally are of interest when identifying rootkit-like behavior. A few examples of object-specific signatures will also be discussed, some of which have been used in previous work.

• Process Objects
• Thread Objects
• Driver Objects
• Device Objects
• Miscellaneous