Profiling Rootkits And Malware Through Executive Objects presented at SyScan 2005

by Matthew (Shok) Conover

Tags: Security, Rootkits, Malware

Summary: This talk will focus on a new method to profile user-mode and kernel-mode activity by hooking executive objects in the Windows kernel. It is a nice alternative to traditional API hooking and can be used to detect all current rootkits. Virtually all important operations in Windows are associated with an executive object, be it drivers, devices, files, sockets, registry keys, etc. By hooking these objects, we can observe the behavior of the kernel or a user-mode application at a very low level, making it far more difficult for malware/rootkits to hide.