Kernel Mode Rootkits


Black Hat via YouTube


Classroom Contents


  1. Intro
  2. BLACK HAT WINDOWS 2000 SECURITY
  3. Structure of NT System Module
  4. A Driver can register multiple 'Device Objects'
  5. Filtering data using device-chains
  6. Many techniques No Devices Required
  7. Hooking System-Calls in the Syscall Table
  8. Placing the System Call Hook
  9. Hiding Files and Directories
  10. Hiding Processes, Threads, and Drivers via 'snip'
  11. Hooking Software Interrupts
  12. Registering a Network Sniffer
  13. Making it so that the driver cannot be unloaded
  14. What needs to be done to support dynamic unloading
  15. A bit-better driver query
  16. Watch for memory reads that would reveal the rootkit dev/physmem, etc.
  17. Hide or redirect file-access to the SYS file
  18. Runtime Kernel Patching
  19. Search Memory for Process Structures and Alter the Security Descriptor
  20. Altering CODE Hot-Patching Code Addresses
  21. Make a function-call do nothing, simple RET patch
  22. Loading a Module via kmem
  23. Write code into leftover space around page boundary or in unused section within PE file
  24. Kernel Buffer-Overflows
  25. Exception Handling or graceful shutdown or disabling of driver
  26. Difficulty for drivers that have Callbacks to IRP completion routines, other drivers, etc.
  27. Integrity Check Modules
  28. Load Protection with a Password
  29. Intercept LoadModule and log the names (audit)
  30. Kernel-space 'Virus'-scanning
  31. Watch the SYSCALL tables
