A Driver can register multiple 'Device Objects'
Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
Kernel Mode Rootkits
- 1 Intro
- 2 BLACK HAT WINDOWS 2000 SECURITY
- 3 Structure of NT System Module
- 4 A Driver can register multiple 'Device Objects'
- 5 Filtering data using device-chains
- 6 Many techniques No Devices Required
- 7 Hooking System-Calls in the Syscall Table
- 8 Placing the System Call Hook
- 9 Hiding Files and Directories
- 10 Hiding Processes, Threads, and Drivers via 'snip'
- 11 Hooking Software Interrupts
- 12 Registering a Network Sniffer
- 13 Making it so that the driver cannot be unloaded
- 14 What needs to be done to support dynamic unloading
- 15 A bit-better driver query
- 16 Watch for memory reads that would reveal the rootkit dev/physmem, etc.
- 17 Hide or redirect file-access to the SYS file
- 18 Runtime Kernel Patching
- 19 Search Memory for Process Structures and Alter the Security Descriptor
- 20 Altering CODE Hot-Patching Code Addresses
- 21 Make a function-call do nothing, simple RET patch
- 22 Loading a Module via kmem
- 23 Write code into leftover space around page boundary or in unused section within PE file
- 24 Kernel Buffer-Overflows
- 25 Exception Handling or graceful shutdown or disabling of driver
- 26 Difficulty for drivers that have Callbacks to IRP completion routines, other drivers, etc.
- 27 Integrity Check Modules
- 28 Load Protection with a Password
- 29 Intercept LoadModule and log the names (audit)
- 30 Kernel-space 'Virus'-scanning
- 31 Watch the SYSCALL tables