Microsoft Research

Strider GhostBuster Rootkit Detection
Last Updated: January 28, 2010

The Strider Family: [Gatekeeper] [GhostBuster] [HoneyMonkey] [URL Tracer] [Search Ranger]
[Security Tracer] [Troubleshooter] [Flight Data Recorder] [Patch Impact Analyzer]
See Strider at Assembling an All-Star Team of Research Talent and Imagining What Comes Next
[[Home Networking]] [[ISRC]] [[Yi-Min Wang]] [[Strider Foundation]]

Strider GhostBuster detects API-hiding rootkits by doing a "Cross-View Diff" between "the truth" and "the lie". It's not based on a known-bad signature, and it does not rely on a known-good state. It targets the fundamental weakness of hiding rootkits, and turns the hiding behavior into its own detection mechanism. Bruce Schneier called it "Simple. Clever. Elegant."

In practice, there are three versions of Strider GhostBusters:

  1. WinPE GhostBuster:

  2. Inside-the-box GhostBuster

  3. User-Mode GhostBuster



Related Strider Cybersecurity Projects

Publications (see the up-to-date list)

Contact Us Terms of Use Trademarks Privacy Statement ©2010 Microsoft Corporation. All rights reserved.Microsoft