Informative Information for the Uninformed
Vol 8, 2007.Sep
A Catalog of Windows Local Kernel-mode Backdoor Techniques
August, 2007
skape <mmiller@hick.org>
Skywing <Skywing@valhallalegends.com>
Contents

Introduction
Techniques
    Image Patches
        Function Prologue Hooking
        Disabling SeAccessCheck
    Descriptor Tables
        IDT
        GDT / LDT
        SSDT
    Model-specific Registers
        IA32_SYSENTER_EIP
    Page Table Entries
    Function Pointers
        Import Address Table
        KiDebugRoutine
        KTHREAD's SuspendApc
        Create Thread Notify Routine
        Object Type Initializers
        PsInvertedFunctionTable
        Delayed Procedures
    Asynchronous Read Loop
    Leaking CS
Prevention & Mitigation
    Running Code in Kernel-Mode
    PatchGuard versus Rootkits
Acknowledgements
Conclusion
Bibliography
About this document ...