Exploiting the Rootkit Paradox with Windows Memory Analysis

Rootkits are malicious programs that silently subvert an operating system to hide an intruder's activities. Although there are a number of tools designed to detect rootkits, these programs are competing with the rootkit for system resources and allowing the rootkit to actively evade detection. By taking a memory image of the system, a forensic examiner can conduct a more thorough search for rootkits and even without discovering one directly, infer the presence of one. This paper explores how an examiner can create such a memory image and use the inherent properties of rootkits to find them in those memory images.

Background

Rootkits are programs designed to hide processes, files, and activity from the operating system and legitimate users of a computer. Normally used only by intruders, they subvert the operating system and prevent it from functioning normally. The rootkit can modify, delete, or insert data into any of the operating system's processes, and as a result, have c...
Jesse D. Kornblum
Added: 12 Dec 2010
Updated: 12 Dec 2010
Type: Journal
Year: 2006
Where: IJDE
Authors: Jesse D. Kornblum