A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #17701  by mehrabimail
 Sun Jan 13, 2013 2:39 pm
hi,

Utilizing “code pullout” technique to bypass memory hooks...

this is what is done by some rootkits like mebroot. does any one knows more about it?
I knew that Srizbi bypass the hooks by using health copy of KiServiceTable, but I can't find nothing about “code pullout”.


thanks
 #17702  by EP_X0FF
 Sun Jan 13, 2013 3:27 pm
Well under "code pullout" of whatever means loading clean copy of something and using it code for calls. Nothing new and known since ages. There is Alexander Tereshkin (aka 90210) presentation about it loooong time ago. Just google it, something about "attacking firewalls" - he used clean copy of NDIS.sys

As for using clean copy of ntoskrnl, see Process Hunter source for hystorical example.
 #17861  by rkhunter
 Fri Jan 25, 2013 6:02 pm
This is really nice idea in pullout. You can find it sources in phide2 concept, posted in Demo rootkits section.