A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #11580  by skeptre
 Sun Feb 12, 2012 7:06 pm
hi,

I wanted to look more into rootkits, especially kernel-mode rootkits which affect the boot sector.

Please suggest resources for me to understand and learn from, so that I am able to analyse this malware.

I want to dig deep into rootkits and understand how to analyze them. I found a couple of rootkit samples on this forum and need suggestions about how to begin analyzing them.

Any help appreciated.
 #11609  by rough_spear
 Mon Feb 13, 2012 5:39 pm
Reversing rootkits is no child's play. Better start off with A..B..C instead of jumping directly to Z.

Regards,

rough_spear. ;)
 #11612  by skeptre
 Mon Feb 13, 2012 7:07 pm
I have dealt with malware such as worms and Flash-based malware, using both static and dynamic analysis.
I have dealt mainly with OllyDbg, which is a ring 3 debugger; for rootkits I get that we need a ring 0 debugger like WinDbg.

I have downloaded articles from rkhunter, and I had a look at posts by rough_spear about rootkits as well. I cannot send you messages as I have registered recently.
Please tell me what I should follow for more knowledge on this. I have purchased the book Rootkit Arsenal, which I will be reading soon. Apart from this, what should I follow for more information on this?
 #11644  by rkhunter
 Thu Feb 16, 2012 7:28 am
Bootkit/VBR/boot sector research was discussed before: http://www.kernelmode.info/forum/viewto ... 87&start=0.
Also discussed here: http://www.kernelmode.info/forum/viewto ... f=13&t=509.
Look at the TDL4 research: http://www.kernelmode.info/forum/viewto ... ?f=16&t=19.
Also look at the posts in the topic about MaxSS: http://www.kernelmode.info/forum/viewto ... f=16&t=596.
TDL MBR dumps research: http://www.kernelmode.info/forum/viewto ... =13&t=1334.
Mayachok.2/Cidox also infects the VBR; see this useful topic: http://www.kernelmode.info/forum/viewto ... f=16&t=981.
Also look at Xylitol's posts about MBR ransomware: http://xylibox.blogspot.com/2011/07/how ... mware.html.
MBR ransomware is also discussed here: http://www.kernelmode.info/forum/viewto ... f=16&t=507.
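The threads linked above deal with MBR/VBR bootkits and MBR dumps, so a first practical step for a beginner is being able to read a raw 512-byte MBR dump and spot what has been changed. The following is an added example written for this page; it is not code from kernelmode.info, from rkhunter, or from any of the linked research. It parses the partition table, checks the 0x55AA signature, flags overlapping or oddly flagged partitions, and compares the boot code region (bytes 0..445) against the SHA-256 of a known-good MBR. The known-good reference is assumed to come from a clean install of the same OS; the sample sectors below are constructed test data, not real dumps. The optional trailing-gap check takes the disk size in sectors as an assumed input, since the MBR alone does not carry it.

```python
"""Parse a raw 512-byte MBR dump and flag anomalies an analyst checks first.

Added example for this thread; not code from kernelmode.info or its members.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 0x1BE        # boot code occupies bytes 0..445
PARTITION_TABLE_OFF = 0x1BE  # four 16-byte entries follow the boot code
ENTRY_SIZE = 16
SIGNATURE_OFF = 0x1FE
BOOT_SIGNATURE = b"\x55\xaa"  # stored little-endian as 0xAA55

# One entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
ENTRY_FMT = "<B3sB3sII"


def parse_partition_table(mbr):
    """Return the four partition entries as dicts (empty entries included)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * ENTRY_SIZE
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(ENTRY_FMT, mbr, off)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def boot_code_sha256(mbr):
    """Hash only the boot code region; the partition table is per-machine."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()


def analyze_mbr(mbr, known_good_boot_code_sha256=None, disk_sectors=None):
    """Return {'ok', 'findings', 'entries', 'boot_code_sha256'} for a dump."""
    if len(mbr) != MBR_SIZE:
        return {"ok": False, "entries": [], "boot_code_sha256": None,
                "findings": [f"dump is {len(mbr)} bytes, expected {MBR_SIZE}"]}
    findings = []
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    entries = parse_partition_table(mbr)
    used = [e for e in entries if e["type"] != 0 and e["sectors"] != 0]
    for e in entries:
        if e["status"] not in (0x00, 0x80):   # only 'inactive' and 'bootable' are standard
            findings.append(f"entry {e['index']}: non-standard status byte 0x{e['status']:02x}")
    if sum(1 for e in used if e["status"] == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    by_start = sorted(used, key=lambda e: e["lba_start"])
    for a, b in zip(by_start, by_start[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    if disk_sectors is not None and used:
        last_end = max(e["lba_start"] + e["sectors"] for e in used)
        gap = disk_sectors - last_end
        if gap > 0:
            # Unallocated tail space is worth inspecting: some bootkits keep hidden storage there.
            findings.append(f"{gap} unallocated sectors after the last partition")
    digest = boot_code_sha256(mbr)
    if known_good_boot_code_sha256 and digest != known_good_boot_code_sha256:
        findings.append("boot code differs from known-good reference (partition table may still be intact)")
    return {"ok": not findings, "findings": findings, "entries": entries,
            "boot_code_sha256": digest}


def build_sample_mbr(infected=False):
    """Constructed sample sector (NOT a real dump): one NTFS-type partition at LBA 2048."""
    # xor ax,ax / mov ss,ax / mov sp,0x7C00 then NOP padding stands in for a real loader
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_END - 7)
    if infected:
        # jmp $ plus int3 filler stands in for a replaced loader
        boot_code = bytes([0xEB, 0xFE]) + b"\xCC" * (BOOT_CODE_END - 2)
    table = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table += b"\x00" * (ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    reference = boot_code_sha256(build_sample_mbr())
    for label, sector in (("clean", build_sample_mbr()), ("modified", build_sample_mbr(infected=True))):
        result = analyze_mbr(sector, reference, disk_sectors=2048 + 204800)
        print(label, "ok" if result["ok"] else result["findings"])
```

Run it against a real dump with `analyze_mbr(open("mbr.bin", "rb").read(), reference_hash)` once you have hashed a clean MBR from the same OS version; the partition table of an infected disk will usually still parse normally, which is why the comparison is restricted to the boot code bytes.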
 #11656  by skeptre
 Thu Feb 16, 2012 5:42 pm
Wonderful ..... thanks a lot for sharing =)
I will surely read all of these =)
 #11660  by rkhunter
 Fri Feb 17, 2012 5:27 am
If you have a specific question, feel free to ask it. The best practice can only be practice :)