[mehrabimail]

hi,

Utilizing “code pullout” technique to bypass memory hooks...

this is what is done by some rootkits like mebroot. does any one knows more about it?
I knew that Srizbi bypass the hooks by using health copy of KiServiceTable, but I can't find nothing about “code pullout”.


thanks

[EP_X0FF]

Well under "code pullout" of whatever means loading clean copy of something and using it code for calls. Nothing new and known since ages. There is Alexander Tereshkin (aka 90210) presentation about it loooong time ago. Just google it, something about "attacking firewalls" - he used clean copy of NDIS.sys

As for using clean copy of ntoskrnl, see Process Hunter source for hystorical example.

[rkhunter]

This is really nice idea in pullout. You can find it sources in phide2 concept, posted in Demo rootkits section.