Flag: Tornado! Hurricane!

 Forums >>  Brainstorms - General  >>  Static analysis of Rootkits

Topic created on: June 3, 2011 03:54 CDT by RootkitResearch .

Hi All,

By googling I have collected many links about Rootkit analysis. Though they are very comprehensive and detailed, I want to know is there any articles or posts that talk about static analysis of rootkits from a very basic level. For example, how to start the analysis when only a sys file is available and exe is not available and how to perform step-by-step dynamic analysis of rootkits.

  NirIzr     June 24, 2011 17:51.13 CDT
a sys file is a library PE with a different extension..
it exports functions and has an entry point just like any other PE.. have you tried opening it with IDA?

  Assarbad     July 4, 2011 15:10.27 CDT
> NirIzr: a sys file is a library PE with a different extension..
> it exports functions and has an entry point just like any other PE.. have you tried opening it with IDA?
I think his question was more about it in general. Though I don't see much of a difference to other reversing, even when obfuscation or runtime packing is used.

  NirIzr     July 5, 2011 13:55.02 CDT
you have to consider doing low-level interactions with the CPU or maybe other hardware (that actually depends on the type of driver the rootkit claims to be..) also you should get to know how developing drivers work - there are plenty of books about that, and consider stuff other devices/your cpu may do by actions the rootkit did (it in some cases be non-trivial actions, like writing to some address\register when something happens without your knowledge..)

Note: Registration is required to post to the forums.

There are 29,879 total registered users.


Recently Created Topics
PaiMei stalker modul...
May/19
Attach to program us...
May/13
IDA PRO how to make ...
May/12
FACT: OpenRCE is dead.
May/08
Int 3 anti debug?
May/05
help needed - Beginn...
May/03
Attaching IDA Pro to...
Apr/27
File type
Apr/21
Debugging iphone app...
Apr/15
Attaching
Apr/12


Recent Forum Posts
Ollydbg 2.0 - Plugin...
openrce...
IDA PRO how to make ...
codeinject
FACT: OpenRCE is dead.
codeinject
IDA Resource Viewer ...
r2x64
FACT: OpenRCE is dead.
djnemo
FACT: OpenRCE is dead.
codeinject
FACT: OpenRCE is dead.
pedram
help needed - Beginn...
araujo
Attaching IDA Pro to...
codeinject
Int 3 anti debug?
codeinject


Recent Blog Entries
sweetyss
May/18
Adam Wainwright continues t...

lowpriority
Apr/13
OllyMigrate Plugin for Olly...

everdox
Mar/08
2 anti-trace mechanisms spe...

everdox
Mar/07
Advanced debugging techniques

everdox
Mar/06
Branch tracing and LBR acce...

More ...


Recent Blog Comments
clarisonic on:
Apr/03
New version of Ollydbg!

clarisonic on:
Apr/03
New version of Ollydbg!

trackerx90 on:
Mar/04
SuppressDebugMsg As Anti-De...

coachfactory on:
Feb/25
Portable Executable Format ...

coachfactory on:
Feb/25
A new Anti-Olly trick.

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit