Microsoft Vista has introduced a new implementation of the system restore feature. But does this new implementation really make it more reliable?
On 19th July 2008, I presented a pure user mode rootkit that hides its file and registry keys from Vista system restore at the HIT (Hackers in Taiwan) conference, which means that Vista system restore will not help the user restore the given rootkit's file and registry settings, although other normal files are restored.
What may be interesting is that the theory can also be used by malware to infect a system without any popup from modern HIPS, through system restore.
The theory is almost like the "hook" technique in the rootkit domain: it injects into the system restore flow and provides a fake restore effect to the user. Regarding another way, a "DKOM" trick against system restore, I also have some research results and might introduce them somewhere later.
Please refer to the following link for the slides (they also include protection and detection technology):
http://www.rootkit.com/vault/cardmagic/HIT2008_CardMagic.ppt