CASE STUDY: Please Review This Before Our Quarterly Meeting
Why They Want Your Workstation
Significant Malware Propagation Techniques
Modern Malware Propagation Techniques
Malware Propagation Injection Vectors
What Malware Does Once It’s Installed
Modifying the Windows Registry
CASE STUDY: The Invisible Rootkit That Steals Your Bank Account Data
Ground Level: x86 Architecture Basics
Instruction Set Architectures and the Operating System
Kernel Mode: The Digital Wild West
The Target: Windows Kernel Components
Functionality by Committee: The Windows Executive (NTOSKRNL.EXE)
The Windows Kernel (NTOSKRNL.EXE)
The Windows Hardware Abstraction Layer (HAL)
Kernel-Mode Driver Architecture
Gross Anatomy: A Skeleton Driver
What Are Kernel-Mode Rootkits?
Challenges Faced by Kernel-Mode Rootkits
FU and FUTo by Jamie Butler, Peter Silberman, and C.H.A.O.S
Shadow Walker by Sherri Sparks and Jamie Butler
Overview of Virtual Machine Technology
Virtual Machine Rootkit Techniques
Rootkits in the Matrix: How Did We Get Here?!
Detecting the Virtual Environment
Escaping the Virtual Environment
Increases in Complexity and Stealth
Part III Prevention Technologies
CASE STUDY: A Wolf in Sheep’s Clothing
Now and Then: The Evolution of Antivirus Technology
Antivirus—Core Features and Techniques
Manual or “On-Demand” Scanning
Real-Time or “On-Access” Scanning
Anomaly/Heuristic-Based Detection
A Critical Look at the Role of Antivirus Technology
Top Performers in the Antivirus Industry
The Future of the Antivirus Industry
Personal Firewall Capabilities
Example Generic Pop-Up Blocker Code
9 Host-Based Intrusion Prevention
Growing Past Intrusion Detection
Anti-Detection Evasion Techniques
HIPS and the Future of Security
System Service Descriptor Table Hooking
Interrupt Descriptor Table Hooks
Direct Kernel Object Manipulation
Legacy DOS or Direct Disk Access Hooking
Software-Based Rootkit Detection
Live Detection vs. Offline Detection
F-Secure’s BlackLight Technology
McAfee Rootkit Detective and RootkitRemover
Commercial Rootkit Detection Tools
Offline Detection Using Memory Analysis: The Evolution of Memory Forensics
Hardware-Based Rootkit Detection
Security Awareness Training Programs
Baked-In Security (from the Beginning)
Appendix System Integrity Analysis: Building Your Own Rootkit Detector
What Is System Integrity Analysis?
The Two Ps of Integrity Analysis
Pointer Validation: Detecting SSDT Hooks
Patch/Detour Detection in the SSDT
The Two Ps for Detecting IRP Hooks
The Two Ps for Detecting IAT Hooks
Our Third Technique: Detecting DKOM