Professional Documents
Culture Documents
Windbg v1.1
Frank Boldewin
Scope of this Talk
3
Finding SSDT hooks
4
Finding Shadow SSDT hooks
!process 0 0 winlogon.exe
PROCESS 81ebf6f8 SessionId: .....
.process /p 81ebf6f8
.reload
5
Finding Shadow SSDT hooks
6
Finding Shadow SSDT hooks
7
Runtime2 Rootkit – Finding SSDT/Shadow SSDT hooks with a
Windbg script
8
Rustock.B Rootkit – SYSENTER_EIP hook
9
Rustock.B Rootkit – SYSENTER_EIP hook
10
Rustock.B Rootkit – SYSENTER_EIP hook
11
Rustock.B Rootkit – Finding hidden registry entries
12
Rustock.B Rootkit – Finding hidden registry entries
13
Rustock.B Rootkit – Finding hidden registry entries
14
Rustock.B Rootkit – Finding hidden registry entries
15
Rustock.B Rootkit – Finding the Hidden Registry Entry
16
Rustock.B Rootkit – pIofCallDriver Hook
17
Rustock.B Rootkit – IDT hooks
18
Rustock.B Rootkit – INT 2Eh
19
Alipop Rootkit – GDT Callgate
20
ALIPOP Rootkit – GDT Callgate
21
ALIPOP Rootkit – GDT Callgate
22
TDL3 Rootkit – ATAPI IRP hooks
23
TDL3 Rootkit – ATAPI IRP hooks
24
TDL3 Rootkit – ATAPI IRP hooks
25
TDL3 Rootkit – Shared Memory structure (Kernel-/User mode)
26
TDL3 Rootkit – Shared Memory structure (Kernel-/User mode)
27
TDL3 Rootkit – Shared Memory structure (Kernel-/User mode)
28
TDL3 Rootkit – TDL mini FS (file system)
29
TDL3 Rootkit – Traces in the system worker threads
30
TDL3 Rootkit – Traces in the system worker threads
31
TDL4 Rootkit – Finding TDL4 with its invalid device object
32
TDL4 Rootkit – ATAPI DriverStartIO hook
33
TDL4 Rootkit – ATAPI DriverStartIO hook
34
TDL4 Rootkit – Finding the Kernel Callback with a Windbg script
35
TDL4 Rootkit – Dropper dumping after TDL4 infection (before
reboot)
36
TDL4 Rootkit – Dumping injected user mode payload
37
TDL4 Rootkit – Finding inline hooks in user mode payload
38
Stuxnet Rootkit – IoRehisterFsRegistrationChange
39
Stuxnet Rootkit – IoRegisterFsRegistrationChange
40
Questions?
41