Rootkits are a type of stealth malware dedicated to hiding the attacker’s presence on a compromised system. This class will focus on understanding how rootkits work and what tools can be used to help find them.
This will be a very hands-on class where we talk about specific techniques which rootkits use and then do labs where we show how a proof-of-concept rootkit is able to hide things from a defender. Example techniques include:
- Trojan binaries
- Inline hooks
- Import Address Table (IAT) hooking
- System Call Table/System Service Descriptor Table (SSDT) hooking
- Interrupt Descriptor Table (IDT) hooking
- Direct Kernel Object Manipulation (DKOM)
- Kernel Object Hooking (KOH)
- IO Request Packet (IRP) filtering
- Hiding files/processes/open ports
- Compromising the Master Boot Record (MBR) to install a “bootkit”
The class will help the student learn which tools to use to look for rootkits on Windows systems, how to evaluate the breadth of a tool’s detection capabilities, and how to interpret tool results.
Learning Objectives
- Gain a deep understanding of the common techniques which stealth malware uses across all operating systems.
- Get hands-on experience with proof-of-concept rootkit techniques.
- Understand which tools are appropriate for finding which types of rootkits.