Tuesday, September 30, 2008

Rootkit Detection

Yesterday I received a comment on an older post from James (thanks, James!), who pointed me toward a very interesting article on Rootkit.com by Diablo. Diablo's article describes using the Windows CSRSS process as a built-in rootkit detection facility, and even provides some proof-of-concept code.

This is definitely worth a look, at least to get an understanding of the technique that Diablo is proposing. I've used RootkitRevealer and GMER as my primary tools for attempting to detect rootkits on live systems, usually following some forensic analysis of the acquired image (feel free to ask me about this technique, but don't be afraid to share yours as well).

Resources
How many csrss.exe processes should be running in Vista?
MS07-021
Default Processes in Windows 2000
