How to “Root” a Rootkit That Supports Root Processes Using Strider GhostBuster Enterprise Scanner

  • Yi-Min Wang,
  • Doug Beck

MSR-TR-2005-21

Some rootkits that hide resources through user-mode API interception support the notion of “root processes” (or “privileged processes”), which are exempt from being hooked for API interception and so can see all hidden entries. In this paper, we use Hacker Defender (1.00 and older) as an example and describe a simple technique to “root” such a rootkit (i.e., to run our program as a root process of the rootkit) using the Strider GhostBuster quick scanner for the enterprise.