Using Undocumented CPU Behaviour to See into Kernel Mode and ...
PowerPoint Presentationdownload.sysinternals.com/files/SysinternalsMalwareCleaning.pdf · User Mode...
77
Transcript of PowerPoint Presentationdownload.sysinternals.com/files/SysinternalsMalwareCleaning.pdf · User Mode...
sigcheck -e -u -s c:\
listdlls -u
strings <file>
http://www.e-markettop.com/
http://blogs.technet.com/b/markrussinovich/archive/2011/03/14/3412374.aspx
User Mode
Kernel Mode
File System
Filter Registry Callback
Kernel
Callouts
Process Monitor UI
Process Monitor Driver TCP/IP Driver ETW
events
Function 2
Function 1
Function 3
Function 3 Function 2 Function 1
Stack Display
Filter Manager
Virus Scanner
Kernel
System Library
System Library
SuperFetch
(root cause)
Kernel Mode
User Mode
Note: user stack capture isn’t supported on 64-bit versions of Windows XP/Server 2003
“Category is Write”
http://blogs.technet.com/b/markrussinovich/archive/2011/03/08/3392087.aspx
http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx
http://blogs.technet.com/b/markrussinovich/archive/2011/03/30/3416253.aspx
www.zerodaythebook.com
http://www.youtube.com/watch?v=ucyMBYg9RWU
http://technet.microsoft.com/en-us/sysinternals/hh290819
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
http://www.virusbtn.com/pdf/conference_slides/2010/Johnson-VB2010.pdf
