Hi there,
a friend drew my attention to this interesting talk about the Windows crash dump path.
I/O, You own: Regaining control of your disk in the presence of bootkits (Aaron LeMasters)

My friend also said he will try to release something to the public (as far as his company allows him to). Probably a part of the code or a little tool. That would be great!
Master Boot Record based rootkits (MBR rootkits, or bootkits for short) have existed for decades but are more recently gaining widespread attention with the growing deployment of nasty bootkits such as TDL4 and Popureb. The most advanced versions of these rootkits hook the normal storage device stack (i.e., "normal I/O path") at the lowest possible level in order to hide the infected MBR and malicious components: the port and miniport drivers. This presentation will introduce a novel technique to read/write to disk using an alternate I/O path provided by the operating system: the crash dump I/O path. This poorly documented crash dump path represents a pristine, untargeted I/O path to disk, effectively defeating all known I/O-hooking rootkits.
In addition to providing the attendee with original research and a new methodology for defeating bootkits, this presentation will offer extensive insight into the poorly-understood crash dump mechanism used by Windows. This research is a result of weeks of debugging and reverse engineering various disk drivers and operating system core features. This presentation will distill all of those details into simple important facts for the attendee's consideration.
Source: http://www.syscan.org/index.php/sg/program
Does anybody already have some experience with the aforementioned topic?
Malware Reversing
http://www.malware-reversing.com