MS Research has published some papers about rootkit technologies and especially rootkit detection:
https://research.microsoft.com/rootkit/
This stuff is VERY GOOD to read, and has been commented on positively by a lot of people, including Bruce Schneier: https://www.schneier.com/blog/archives/2005/02/ghostbuster.html
The straightforward links to some of these papers are:
Detecting Stealth Software with Strider GhostBuster
https://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=875
GhostBuster tech report
https://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775
Of course I am not the first person to blog about this; there are loads of other people who spotted it earlier than I did, and this news has been commented on by many people.
But it is very interesting, and I encourage everybody who hasn't read it yet to do so.
Some other comments I spotted about these papers can be found at:
https://windowsir.blogspot.com/2005/02/rootkit-detection-ms-way.html
Also, Sysinternals has released a rootkit detector today (looks like rootkits are finally getting a lot of attention these days...):
https://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
--edited again at 1:10 am [GMT+1]
Now I see that Robert Hensing has been quicker than me, posting about this subject twice today:
https://blogs.msdn.com/robert_hensing/archive/2005/02/22/378363.aspx
https://blogs.msdn.com/robert_hensing/archive/2005/02/22/378371.aspx