Windows Mobile Rootkit - Updated presented at SyScan 2008

by Petr Matousek

Tags: Security Rootkits Monitoring

Summary: In this talk, the author presents various ways to subvert the Windows Embedded CE 6 kernel in order to hide
certain objects from the user. The architecture and inner mechanisms of the Windows Embedded CE 6
kernel, and a comparison with the Windows CE 5 kernel, are discussed first, with a focus on memory
management, process management, syscall handling, and security. Next, the author explains the
methods he used for hiding processes, files, and registry keys - mainly direct kernel object
manipulation and hooking of handle- and non-handle-based syscalls, not only via apiset modifications
but also using previously undocumented ways. The author also discusses ways to detect rootkits
installed on the device. Fully functional prototype rootkits, detection programs, and various
monitoring utilities are presented and examined.