Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun



As rootkits continue to evolve and become more advanced, methods that can be used to detect hidden objects must also evolve. For example, relying on system-provided APIs to enumerate maintained lists is no longer enough to provide effective cross-view detection. To that point, scanning virtual memory for object signatures has been shown to provide useful, but limited, results. The following paper outlines the theory and practice behind scanning memory for hidden objects. This method relies upon the ability to safely reference the Windows system virtual address space and also depends upon building and locating effective memory signatures. Using this method as a base, suggestions are made as to what actions might be performed once objects are detected. The paper also provides a simple example of how object-independent signatures can be built and used to detect several different kernel objects on all versions of Windows NT+. Due to time constraints, the source code associated with this paper will be made publicly available in the near future.
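The cross-view idea described above, as an added illustration that is not part of the paper or its source code: a memory buffer is walked for a fixed header signature, and every object found that way is compared against the list an enumeration API reports. The object layout, the type value 0x03, the size field and the sample memory image are all constructed for this example and are not the real Windows object formats.

```python
import struct

# Constructed, simplified object layout used only for this demonstration:
# a 4-byte header (type byte, one unused byte, size in 4-byte units as a
# 16-bit little-endian value) followed by a 4-byte object id and a body.
HEADER = struct.Struct("<BBHI")
TYPE_PROCESS = 0x03        # assumed value for this toy format, not Windows' real type byte
PROCESS_SIZE_UNITS = 8     # 32-byte objects: header + id + 24 bytes of body

def make_object(obj_type, size_units, obj_id):
    """Build one fake object blob: header, id, zero-filled body."""
    body = b"\x00" * (size_units * 4 - HEADER.size)
    return HEADER.pack(obj_type, 0, size_units, obj_id) + body

def scan_for_signature(memory, obj_type, size_units, align=4):
    """Walk the buffer at the given alignment and return (offset, id) for every
    window whose header matches the signature. A two-field signature is weak
    on purpose: on real memory the caller must validate each hit further."""
    hits = []
    for off in range(0, len(memory) - HEADER.size + 1, align):
        t, _, size, obj_id = HEADER.unpack_from(memory, off)
        if t == obj_type and size == size_units:
            hits.append((off, obj_id))
    return hits

def cross_view_diff(memory, api_ids, obj_type, size_units):
    """Objects present in the memory-scan view but absent from the API view."""
    scanned = {obj_id for _, obj_id in scan_for_signature(memory, obj_type, size_units)}
    return sorted(scanned - set(api_ids))

def build_sample_memory():
    """Constructed image: three process objects, one object of another type,
    and filler bytes. Object 4321 is the one the API view will not report."""
    filler = b"\xAA" * 16
    return (filler + make_object(TYPE_PROCESS, PROCESS_SIZE_UNITS, 4)
            + make_object(0x06, PROCESS_SIZE_UNITS, 99)   # different type byte: skipped
            + filler + make_object(TYPE_PROCESS, PROCESS_SIZE_UNITS, 1234)
            + make_object(TYPE_PROCESS, PROCESS_SIZE_UNITS, 4321) + filler)

if __name__ == "__main__":
    mem = build_sample_memory()
    api_view = [4, 1234]   # constructed: what a tampered enumeration API hands back
    print("hidden:", cross_view_diff(mem, api_view, TYPE_PROCESS, PROCESS_SIZE_UNITS))
```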


Thanks to skape, Peter, and the rest of the uninformed hooligans; you guys and gals rock!


The author is not responsible for how the paper's contents are used or interpreted. Some information may be inaccurate or incorrect. If the reader feels any information is incorrect or has not been properly credited, please contact the author so corrections can be made. All content refers to the Windows XP Service Pack 2 platform unless otherwise noted.