How to “Root” a Rootkit That Supports Root Processes Using Strider GhostBuster Enterprise Scanner
Yi-Min Wang and Doug Beck
February 2005
Some rootkits that hide resources through user-mode API interception support the notion of “root processes” (or “privileged processes”), which are exempt from being hooked for API interception and so can see all hidden entries. In this paper, we use Hacker Defender (1.00 and older) as an example and describe a simple technique to “root” such a rootkit (i.e., to run our program as a root process of the rootkit) using the Strider GhostBuster quick scanner for the enterprise.
| Type: | TechReport |
| Number: | MSR-TR-2005-21 |
| Pages: | 1 |
| Institution: | Microsoft Research |