Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun


An obvious method of preventing detection by memory scanning is to use what is commonly referred to as the Shadow Walker[4] memory subversion technique. If virtual memory cannot be read, a memory scan will naturally skip over that region. In the context of pool memory, however, this may not be an easy attack, since it may create a situation where the pool appears corrupted, which could lead to crashes or system bugchecks. Of course, attacking a function like nt!MmProbeAndLockPages or IoAllocateMdl, either globally or specifically in the import address table of the detector itself, would work.

For memory signatures based on constant or predictable values, it may be feasible to zero out or change these fields without disturbing system operation. For example, take the author's enhancements to the FUTo rootkit, where it is shown that EPROCESS->UniqueProcessId can be safely cleared to 0, or the previously mentioned rootkit.com article titled "Please don't greap me!", which clears DRIVER_OBJECT->DriverName and its associated buffer in order to defeat MODGREPPER.

For some pointer signatures, a simple binary comparison may not be enough to validate the pointer. Take the above example using nt!ObpDeleteObjectType: it could be defeated by overwriting pTypeObject->TypeInfo.DeleteProcedure to point to a simple jump trampoline, allocated elsewhere, which simply jumps back to nt!ObpDeleteObjectType.
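A detector can harden such a pointer signature by resolving plain jump stubs before comparing, so that a trampoline that lands on the genuine routine still matches. The following is an added example, not code from the article; the flat byte array, the `read8`/`read32` helpers and the two addresses are constructed stand-ins for 32-bit kernel memory, and `delete_procedure_matches` is a hypothetical scanner check.

```c
#include <stdint.h>
#include <string.h>

/* Constructed flat byte image standing in for a 32-bit kernel address range;
 * addresses are offsets into it (a real scanner reads the target instead). */
#define MEM_SIZE 256
static uint8_t mem[MEM_SIZE];
#define ADDR_REAL_DELETE 0x40u /* hypothetical: stands in for nt!ObpDeleteObjectType */
#define ADDR_TRAMPOLINE  0x80u /* hypothetical: stub allocated elsewhere in memory */

static uint8_t read8(uint32_t a) { return a < MEM_SIZE ? mem[a] : 0xCC; }
static int32_t read32(uint32_t a) {
    int32_t v = 0;
    if (a + 4 <= MEM_SIZE) memcpy(&v, &mem[a], 4);
    return v;
}

/* Follow up to max_hops x86-32 jump stubs starting at addr:
 *   E9 rel32     jmp rel32         -> target = addr + 5 + rel32
 *   FF 25 abs32  jmp dword [abs32] -> target = *(uint32_t *)abs32
 * Stops at the first byte sequence that is not a plain jmp, so a genuine
 * routine resolves to itself; the hop limit guards against jump cycles. */
uint32_t resolve_trampolines(uint32_t addr, int max_hops) {
    for (int i = 0; i < max_hops; i++) {
        uint8_t op = read8(addr);
        if (op == 0xE9) {
            addr = (uint32_t)((int32_t)addr + 5 + read32(addr + 1));
        } else if (op == 0xFF && read8(addr + 1) == 0x25) {
            addr = (uint32_t)read32((uint32_t)read32(addr + 2));
        } else {
            break;
        }
    }
    return addr;
}

/* Pointer-signature check: the DeleteProcedure pointer matches if it equals
 * the expected routine directly or after resolving jump trampolines. */
int delete_procedure_matches(uint32_t ptr, uint32_t expected) {
    return ptr == expected || resolve_trampolines(ptr, 8) == expected;
}

/* Constructed scenario: stub at ADDR_TRAMPOLINE is a "jmp rel32" to ADDR_REAL_DELETE. */
void setup_sample_memory(void) {
    int32_t rel = (int32_t)ADDR_REAL_DELETE - (int32_t)(ADDR_TRAMPOLINE + 5);
    memset(mem, 0xCC, sizeof mem); /* int3 filler everywhere else */
    mem[ADDR_TRAMPOLINE] = 0xE9;
    memcpy(&mem[ADDR_TRAMPOLINE + 1], &rel, 4);
}
```

Only the two plain jmp encodings are decoded here; a stub built from other instructions (for instance a push/ret pair) still needs a disassembler-backed check, and a pointer that resolves to an address outside the expected module should be flagged rather than silently ignored.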