How to “Root” a Rootkit That Supports Root Processes Using Strider GhostBuster Enterprise Scanner

Some rootkits that hide resources through user-mode API interception support the notion of “root processes” (or “privileged processes”), which are exempt from being hooked for API interception and so can see all hidden entries. In this paper, we use Hacker Defender (1.00 and older) as an example and describe a simple technique to “root” such a rootkit (i.e., to run our program as a root process of the rootkit) using the Strider GhostBuster quick scanner for the enterprise.

PDF: tr-2005-21.pdf

Details

Type: TechReport
Number: MSR-TR-2005-21
Pages: 1
Institution: Microsoft Research