Flag: Tornado! Hurricane!

OpenRCE Article Comments: FUTo

Article Abstract Since the introduction of FU, the rootkit world has moved away from implementing system hooks to hide their presence. Because of this change in offense, a new defense had to be developed. The new algorithms used by rootkit detectors, such as BlackLight, attempt to find what the rootkit is hiding instead of simply detecting the presence of the rootkit's hooks. This paper will discuss an algorithm that is used by both Blacklight and IceSword to detect hidden processes. This paper will also document current weaknesses in the rootkit detection field and introduce a more complete stealth technique implemented as a prototype in FUTo.

Full Article ...    Printer Friendly ...

Article Comments
MohammadHosein Posted: Friday, January 6 2006 07:33.49 CST
informative , i really liked this article and its released with uninformed vol.3 too . Regards

linestyle Posted: Monday, January 9 2006 23:55.54 CST
good article!!,great work,too!:)

Opcode Posted: Tuesday, January 10 2006 21:56.08 CST
Very nice article! :D
It is cool to see my little KdVersionBlock
trick in your article.
Good work.

vf Posted: Wednesday, January 18 2006 10:59.17 CST
I read this in uninformed as well. It's very informative. Glad to see that it's been released over here as well. Excellent article!

hoglund Posted: Wednesday, July 12 2006 00:52.05 CDT
I would suggest that the rootkit-world hasn't actually moved away from system hooks.  Allow me to posit that most systems don't run even the most basic of rootkit detection programs, so even SSDT hooks are still really effective.  But, over the long term your right, there will be a migration.


Add New Comment
Comment:










There are 31,040 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit