RAIDE: Rootkit Analysis Identification Elimination v1.0, presented at Black Hat USA 2006

by Jamie Butler and Peter Silberman

Summary: In the past couple of years there have been major advances in rootkit technology, from Jamie Butler and Sherri Sparks' Shadow Walker to FU. Rootkit technology is growing at an exponential rate and is becoming an everyday problem; spyware and botnets, for example, use rootkits to hide their presence. Over the same period there have been few public advances in rootkit detection since the conception of VICE. The detection that is out there only meets half the need, because each tool is designed to detect one very specific threat. After three years, it's time for another run at rootkit detection.
This presentation will review the state of the industry in rootkit detection, including previously known ways to detect rootkits and hooks. It will be shown how current detection is inadequate for today's threats, as many detection algorithms are being bypassed. The talk will outline what those threats are and how they work. The presentation will then introduce the RAIDE (Rootkit Analysis Identification Elimination) tool and detail RAIDE's unique features, such as unhiding hidden processes, new ways to detect hidden processes, and restoring non-exported ntoskrnl functions.
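The abstract mentions unhiding processes without saying how a process ends up hidden in the first place. The following is an added illustration, not code from RAIDE or from this talk: it mocks, in user space, the idea behind FU-style DKOM hiding (unlinking a process object from the kernel's doubly linked process list while leaving the object itself intact), then shows the cross-view detection and relinking that a tool in this space would perform. All names here (mock_process, pid_table, dkom_hide, find_hidden, unhide) are invented stand-ins; the real kernel structures (EPROCESS, ActiveProcessLinks, PsActiveProcessHead, the PID handle table) are only referred to in comments.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the kernel's LIST_ENTRY. Constructed for this example. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

/* Stand-in for the parts of EPROCESS this example needs. */
typedef struct mock_process {
    unsigned pid;
    char name[16];
    list_entry links;   /* plays the role of EPROCESS.ActiveProcessLinks */
} mock_process;

#define MAX_PROCS 8
static mock_process procs[MAX_PROCS];
static list_entry head;                     /* plays the role of PsActiveProcessHead */
static mock_process *pid_table[MAX_PROCS];  /* second view: a PID-to-object table */
static size_t nprocs;

#define CONTAINING_PROC(e) ((mock_process *)((char *)(e) - offsetof(mock_process, links)))

void list_init(void) {
    head.flink = head.blink = &head;
    nprocs = 0;
    memset(pid_table, 0, sizeof pid_table);
}

static void insert_tail(list_entry *e) {
    e->blink = head.blink;
    e->flink = &head;
    head.blink->flink = e;
    head.blink = e;
}

mock_process *add_process(unsigned pid, const char *name) {
    mock_process *p = &procs[nprocs];
    p->pid = pid;
    snprintf(p->name, sizeof p->name, "%s", name);
    insert_tail(&p->links);
    pid_table[nprocs] = p;   /* the object is also reachable through the second view */
    nprocs++;
    return p;
}

/* DKOM hiding: unlink the entry from the list but leave the object alive.
   Pointing the entry at itself keeps later list operations on the hidden
   object from corrupting its neighbours. */
void dkom_hide(mock_process *p) {
    p->links.blink->flink = p->links.flink;
    p->links.flink->blink = p->links.blink;
    p->links.flink = p->links.blink = &p->links;
}

int list_contains(unsigned pid) {
    for (list_entry *e = head.flink; e != &head; e = e->flink)
        if (CONTAINING_PROC(e)->pid == pid) return 1;
    return 0;
}

size_t list_count(void) {
    size_t n = 0;
    for (list_entry *e = head.flink; e != &head; e = e->flink) n++;
    return n;
}

/* Cross-view detection: anything present in the PID table but absent from
   the linked list has been hidden. Returns the number found. */
size_t find_hidden(mock_process **out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < nprocs; i++)
        if (!list_contains(pid_table[i]->pid) && n < max) out[n++] = pid_table[i];
    return n;
}

/* Unhide: relink a detected object into the list so normal enumeration sees it. */
void unhide(mock_process *p) {
    if (p->links.flink != &p->links) return;   /* already linked */
    insert_tail(&p->links);
}

int main(void) {
    list_init();
    add_process(4, "System");
    mock_process *evil = add_process(1337, "rootkit");
    add_process(2048, "explorer");
    dkom_hide(evil);

    mock_process *hidden[MAX_PROCS];
    size_t n = find_hidden(hidden, MAX_PROCS);
    for (size_t i = 0; i < n; i++) {
        printf("hidden: pid %u (%s)\n", hidden[i]->pid, hidden[i]->name);
        unhide(hidden[i]);
    }
    printf("list now has %zu entries\n", list_count());
    return 0;
}
```

The point of the second view is that the rootkit only edited one data structure; the object stays reachable through any other structure the kernel still needs to run it. Relinking only addresses this one hiding method: a rootkit that also hooks the enumeration path or tampers with the second view requires a different detection strategy.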
The talk will conclude with a demonstration, which at Black Hat Europe included five rootkits, one virtual machine, two kernel-level debuggers, and RAIDE running happily on top of them all.