Flag: Tornado! Hurricane!

OpenRCE Article Comments: FUTo

Article Abstract Since the introduction of FU, the rootkit world has moved away from implementing system hooks to hide their presence. Because of this change in offense, a new defense had to be developed. The new algorithms used by rootkit detectors, such as BlackLight, attempt to find what the rootkit is hiding instead of simply detecting the presence of the rootkit's hooks. This paper will discuss an algorithm that is used by both Blacklight and IceSword to detect hidden processes. This paper will also document current weaknesses in the rootkit detection field and introduce a more complete stealth technique implemented as a prototype in FUTo.

Full Article ...    Printer Friendly ...

Article Comments
MohammadHosein Posted: Friday, January 6 2006 07:33.49 CST
informative , i really liked this article and its released with uninformed vol.3 too . Regards

linestyle Posted: Monday, January 9 2006 23:55.54 CST
good article!!,great work,too!:)

Opcode Posted: Tuesday, January 10 2006 21:56.08 CST
Very nice article! :D
It is cool to see my little KdVersionBlock
trick in your article.
Good work.

vf Posted: Wednesday, January 18 2006 10:59.17 CST
I read this in uninformed as well. It's very informative. Glad to see that it's been released over here as well. Excellent article!

hoglund Posted: Wednesday, July 12 2006 00:52.05 CDT
I would suggest that the rootkit-world hasn't actually moved away from system hooks.  Allow me to posit that most systems don't run even the most basic of rootkit detection programs, so even SSDT hooks are still really effective.  But, over the long term your right, there will be a migration.


Add New Comment
Comment:










There are 31,082 total registered users.


Recently Created Topics
Looking for an advan...
Mar/21
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Looking for an advan...
clightning
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu


Recent Blog Entries
nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit