I want to write an application that i can detect if the TDL rootkit is active on the current machine ... any ideas? I tried getting the MBR or listing the drivers but the driver intercepts user mode functions and serves me a clean copy of them.Are there any other methods ?
A forum for reverse engineering, OS internals and malware analysis
Did you hear about low level disk I/O? http://www.kernelmode.info/forum/viewto ... 29&start=0
A simpler method of detecting TDL doesn't exist ?
For getting MBR or infected driver from live working system seems nope.
opc0de wrote:I want to write an application that i can detect if the TDL rootkit is active on the current machine ... any ideas? I tried getting the MBR or listing the drivers but the driver intercepts user mode functions and serves me a clean copy of them.Are there any other methods ?Which TDL? There are numerous of them and all them different.
Ring0 - the source of inspiration
Hello
That isn't simple as that. This is TDL, the most advanced rooktkit ever (with max++)
That isn't simple as that. This is TDL, the most advanced rooktkit ever (with max++)
