Microsoft Research


Strider GhostBuster Rootkit Detection
Last Updated: January 28, 2010

The Strider Family: [Gatekeeper] [GhostBuster] [HoneyMonkey] [URL Tracer] [Search Ranger]
[Security Tracer] [Troubleshooter] [Flight Data Recorder] [Patch Impact Analyzer]
See Strider at Assembling an All-Star Team of Research Talent and Imagining What Comes Next
[[Home Networking]] [[ISRC]] [[Yi-Min Wang]] [[Strider Foundation]]

Strider GhostBuster detects API-hiding rootkits by doing a "Cross-View Diff" between "the truth" and "the lie". It's not based on a known-bad signature, and it does not rely on a known-good state. It targets the fundamental weakness of hiding rootkits, and turns the hiding behavior into its own detection mechanism. Bruce Schneier called it "Simple. Clever. Elegant."

In practice, there are three versions of Strider GhostBusters:

  1. WinPE GhostBuster:

  2. Inside-the-box GhostBuster

  3. User-Mode GhostBuster

Tools

Links

Related Strider Cybersecurity Projects

 
Publications (see the up-to-date list)


Contact Us Terms of Use Trademarks Privacy Statement ©2010 Microsoft Corporation. All rights reserved.Microsoft