Nytro, posted September 8, 2013

Inside Windows Rootkits
By Chad Tilbury on September 4, 2013

Despite being written in 2006, Chris Ries' paper Inside Windows Rootkits is still surprisingly relevant. About the only thing missing is a discussion of new(er) x64 mitigation techniques like Kernel Mode Code Signing and Kernel Patch Protection (aka PatchGuard). Few resources have explained rootkit internals so simply. As an example, Figure 2 from the paper neatly ties together the rootkit hooking universe:

Figure 2: Potential places to intercept a call to the FindNextFile function, Inside Windows Rootkits by Chris Ries

The original PDF is a little hard to find these days, but here are a couple of links:

Chris Ries - Inside Windows Rootkits: http://thehackademy.net/madchat/vxdevl/library/Inside%20Windows%20Rootkits.pdf

Source: Inside Windows Rootkits | Forensic Methods