Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
Kernel Mode Rootkits
- 1 Intro
- 2 BLACK HAT WINDOWS 2000 SECURITY
- 3 Structure of NT System Module
- 4 A Driver can register multiple 'Device Objects'
- 5 Filtering data using device-chains
- 6 Many techniques No Devices Required
- 7 Hooking System-Calls in the Syscall Table
- 8 Placing the System Call Hook
- 9 Hiding Files and Directories
- 10 Hiding Processes, Threads, and Drivers via 'snip'
- 11 Hooking Software Interrupts
- 12 Registering a Network Sniffer
- 13 Making it so that the driver cannot be unloaded
- 14 What needs to be done to support dynamic unloading
- 15 A bit-better driver query
- 16 Watch for memory reads that would reveal the rootkit dev/physmem, etc.
- 17 Hide or redirect file-access to the SYS file
- 18 Runtime Kernel Patching
- 19 Search Memory for Process Structures and Alter the Security Descriptor
- 20 Altering CODE: Hot-Patching Code Addresses
- 21 Make a function-call do nothing, simple RET patch
- 22 Loading a Module via kmem
- 23 Write code into leftover space around page boundary or in unused section within PE file
- 24 Kernel Buffer-Overflows
- 25 Exception Handling or graceful shutdown or disabling of driver
- 26 Difficulty for drivers that have Callbacks to IRP completion routines, other drivers, etc.
- 27 Integrity Check Modules
- 28 Load Protection with a Password
- 29 Intercept LoadModule and log the names (audit)
- 30 Kernel-space 'Virus'-scanning
- 31 Watch the SYSCALL tables
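Chapters 7 to 9 (hooking the system-call table and using the hook to hide files) and chapter 31 (watching the table for changes) describe two sides of the same mechanism. The C program below is an added, self-contained user-space model of that mechanism; it is not code from the talk and does not touch a real Windows kernel. It assumes a toy service table (an array of function pointers standing in for the NT system service table), a single modelled "NtQueryDirectoryFile"-style service, a constructed directory listing, and a hidden-file marker prefix of `_root_` chosen for illustration. The rootkit half saves the original table entry and swaps in a filter; the defender half snapshots the table and reports entries that have since changed.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Toy model of an NT-style system service table: an array of function
 * pointers indexed by service number. Everything here is a user-space
 * simulation; the real kernel table and NtQueryDirectoryFile are only
 * being modelled, never touched. */

#define MAX_ENTRIES 8
#define NAME_LEN 32

typedef struct {
    char name[NAME_LEN];
} dir_entry_t;

/* Modelled system service: fill the caller's buffer with directory entries,
 * return how many were written. */
typedef int (*syscall_fn)(dir_entry_t *out, int max);

enum { SVC_QUERY_DIRECTORY = 0, SVC_COUNT };

/* Constructed sample directory contents (illustrative, not from the talk). */
static const char *g_files[] = {
    "boot.ini", "_root_driver.sys", "notepad.exe", "_root_log.txt"
};

static int svc_query_directory(dir_entry_t *out, int max) {
    int n = 0;
    for (size_t i = 0; i < sizeof g_files / sizeof g_files[0] && n < max; i++) {
        strncpy(out[n].name, g_files[i], NAME_LEN - 1);
        out[n].name[NAME_LEN - 1] = '\0';
        n++;
    }
    return n;
}

/* The live table the modelled kernel dispatches through. */
static syscall_fn g_service_table[SVC_COUNT] = { svc_query_directory };

/* --- Rootkit side (chapters 7-9): hook the table entry, filter results --- */

#define HIDE_PREFIX "_root_"   /* assumed marker: names starting with this are hidden */
static syscall_fn g_orig_query_directory;

static int hook_query_directory(dir_entry_t *out, int max) {
    /* Call the original service, then strip marked entries from the buffer
     * before the caller ever sees them. */
    int n = g_orig_query_directory(out, max);
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (strncmp(out[i].name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0)
            continue;
        if (kept != i)
            out[kept] = out[i];
        kept++;
    }
    return kept;
}

void rootkit_install_hook(void) {
    g_orig_query_directory = g_service_table[SVC_QUERY_DIRECTORY];
    g_service_table[SVC_QUERY_DIRECTORY] = hook_query_directory;
}

void rootkit_remove_hook(void) {
    g_service_table[SVC_QUERY_DIRECTORY] = g_orig_query_directory;
}

/* What a user-mode caller sees: whatever the table currently points at. */
int list_directory(dir_entry_t *out, int max) {
    return g_service_table[SVC_QUERY_DIRECTORY](out, max);
}

/* --- Defender side (chapter 31): snapshot the table, watch for changes --- */

static syscall_fn g_known_good[SVC_COUNT];

void watcher_snapshot(void) {
    memcpy(g_known_good, g_service_table, sizeof g_service_table);
}

/* Returns the number of table entries that no longer match the snapshot. */
int watcher_check(void) {
    int modified = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (g_service_table[i] != g_known_good[i])
            modified++;
    return modified;
}

int main(void) {
    dir_entry_t buf[MAX_ENTRIES];
    watcher_snapshot();
    printf("before hook: %d entries visible, modified entries=%d\n",
           list_directory(buf, MAX_ENTRIES), watcher_check());
    rootkit_install_hook();
    printf("after hook:  %d entries visible, modified entries=%d\n",
           list_directory(buf, MAX_ENTRIES), watcher_check());
    rootkit_remove_hook();
    return 0;
}
```

The watcher only catches the table-pointer swap. A rootkit that leaves the table alone and instead hot-patches the service's code (chapters 18, 20 and 21) passes this check unchanged, which is why a table watcher needs to be paired with code-integrity checks of the kind chapter 27 names.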