[a_d_13]

Hello,

A new paper released by Frank Boldewin, about detecting rootkits with WinDbg. Get it here:
http://www.reconstructer.org/papers/Hun ... Windbg.pdf

Thanks,
--AD

[EreTIk]

KDAR: Scripts set for automatic search of suspicious "activity" using WinDbg
http://kdar.codeplex.com/
Parse and analysis kernel dumps: search of hook and other rootkit-activity

[Meriadoc]

Yes I was just reading this at OC,

Kernelcallbacks script shown in the above : http://www.reconstructer.org/code/Windb ... indx86.rar

[Alex]

Thanks Frank for the paper and for the info about all there scripts (also thanks to EreTIk) - I will check them all!

There are two things in this paper wich are not clear for me:

- TDL4 rootkit hooks the ATAPI driver as well, but in a lower level way than its precedessor

- As more and more tools were easily able to dump its files even from usermode via IOCTL_SCSI_PASS_THROUGH_DIRECT calls directly to the port device, TDL4 changed the hook method to DriverStartIO

- TDL3 in the 2.7 version also hooks DriverStartIo to bypass SPTI, so it isn't new feature implemented in TDL4, isn't it?
- Hooking of DriverStartIo doesn't prevent from dumping rootkit's files.

p.s. There is a mistake on the last page in the nickname of our friend.

Regards,
Alex