Detecting rootkits made easy

News by Ava Fedorov

“Detecting a RoP is actually quite easy,” Shane Macaulay writes cheerfully in his recent post on the IOActive Labs Research blog.

Referencing a research article by Jesse Kornblum of Kyrus Technology and a BSOD tutorial, Macaulay not only assures readers that any rootkit can be detected but also thoroughly outlines the background and methodology of the technique and the steps needed to perform the task.

When addressing the initial problem of whether or not it is possible to find every potential vulnerability or threat within a system, Macaulay quips: “Sadly, the short answer is no, it's not. Strangely, the longer is yes, it is.” 

He then goes on to explain how a hypervisor's “unique ability” to consistently expose the physical memory of an unadulterated system enables high-assurance process detection which, when combined with integrity checking, can detect virtually any rootkit. The steps include detection techniques such as finding processes by page table detection, process-based page table detection, and physical memory page and PTE format checks. Macaulay also addresses Shadow Walker tricks, hardware rootkits and everything “weird” in between.
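To make the “PTE format check” step concrete, here is an added example (not code from Macaulay's post or from IOActive) that scans a constructed x86-64 physical memory image for pages shaped like page tables: every 8-byte entry marked present must have its reserved bits clear and name a frame that actually exists in the image, and a page with no present entries is not a table at all. The x86-64 entry layout, the thresholds and the tiny sample image are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE   4096ULL
#define NENTRIES    (PAGE_SIZE / 8)            /* 512 entries per x86-64 table */
#define PTE_PRESENT 0x1ULL
#define PTE_RW      0x2ULL
#define PTE_PFN     0x000FFFFFFFFFF000ULL     /* bits 12..51: physical frame address */
#define PTE_RSVD    0x7FF0000000000000ULL     /* bits 52..62: must be zero when present */

/* An entry is well-formed if, when present, its reserved bits are clear and
   the frame it names lies inside the physical memory image. */
static bool pte_format_ok(uint64_t e, uint64_t image_size) {
    if (!(e & PTE_PRESENT)) return true;      /* not interpreted by the MMU */
    if (e & PTE_RSVD) return false;
    return (e & PTE_PFN) < image_size;
}

/* A 4 KiB page is a page-table candidate if every entry passes the format
   check and at least min_present entries are present (rejects zero pages). */
static bool looks_like_page_table(const uint8_t *page, uint64_t image_size, int min_present) {
    int present = 0;
    for (size_t i = 0; i < NENTRIES; i++) {
        uint64_t e;
        memcpy(&e, page + i * 8, sizeof e);   /* copy out to avoid unaligned reads */
        if (!pte_format_ok(e, image_size)) return false;
        if (e & PTE_PRESENT) present++;
    }
    return present >= min_present;
}

/* Walk an image page by page; returns the number of candidate tables and
   writes their page frame numbers into out[] (up to max_out). */
size_t scan_for_page_tables(const uint8_t *img, uint64_t size, uint64_t *out, size_t max_out) {
    size_t found = 0;
    for (uint64_t pfn = 0; (pfn + 1) * PAGE_SIZE <= size; pfn++)
        if (looks_like_page_table(img + pfn * PAGE_SIZE, size, 1)) {
            if (found < max_out) out[found] = pfn;
            found++;
        }
    return found;
}

/* Constructed 8-page image (assumption): frame 3 holds a plausible table,
   frame 4 holds text, frame 6 holds a table whose entry points past RAM. */
size_t demo_scan(uint64_t *out, size_t max_out) {
    static uint8_t img[8 * PAGE_SIZE];
    memset(img, 0, sizeof img);
    uint64_t good[3] = { (1ULL << 12) | PTE_PRESENT | PTE_RW,
                         (2ULL << 12) | PTE_PRESENT, (5ULL << 12) | PTE_PRESENT };
    memcpy(img + 3 * PAGE_SIZE, good, sizeof good);
    memcpy(img + 4 * PAGE_SIZE, "Hello from a user-mode text page", 32);
    uint64_t bad = (0x1000ULL << 12) | PTE_PRESENT;   /* 16 MiB: outside the 32 KiB image */
    memcpy(img + 6 * PAGE_SIZE, &bad, sizeof bad);
    return scan_for_page_tables(img, sizeof img, out, max_out);
}
```

On a real dump the same check is run over every physical page, and the surviving candidates are then cross-checked against the process list the OS reports; a table the OS does not account for is the anomaly the technique is looking for.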
