PowerPoint Presentationdownload.sysinternals.com/files/SysinternalsMalwareCleaning.pdf · User Mode...

Post on 04-Feb-2018

225 views 4 download

Preview:

Click to see full reader
Report this document
SHARE

transcript

sigcheck -e -u -s c:\

listdlls -u

strings <file>

http://www.e-markettop.com/

http://www.e-markettop.com/
http://www.e-markettop.com/
http://www.e-markettop.com/

http://blogs.technet.com/b/markrussinovich/archive/2011/03/14/3412374.aspx

http://blogs.technet.com/b/markrussinovich/archive/2011/03/14/3412374.aspx

User Mode

Kernel Mode

File System

Filter Registry Callback

Kernel

Callouts

Process Monitor UI

Process Monitor Driver TCP/IP Driver ETW

events

Function 2

Function 1

Function 3

Function 3 Function 2 Function 1

Stack Display

Filter Manager

Virus Scanner

Kernel

System Library

System Library

SuperFetch

(root cause)

Kernel Mode

User Mode

Note: user stack capture isn’t supported on 64-bit versions of Windows XP/Server 2003

“Category is Write”

http://blogs.technet.com/b/markrussinovich/archive/2011/03/08/3392087.aspx

http://blogs.technet.com/b/markrussinovich/archive/2011/03/08/3392087.aspx

http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx

http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx

http://blogs.technet.com/b/markrussinovich/archive/2011/03/30/3416253.aspx

http://blogs.technet.com/b/markrussinovich/archive/2011/03/30/3416253.aspx

www.zerodaythebook.com

http://www.youtube.com/watch?v=ucyMBYg9RWU

http://www.zerodaythebook.com/
http://www.youtube.com/watch?v=ucyMBYg9RWU

http://technet.microsoft.com/en-us/sysinternals/hh290819

http://technet.microsoft.com/en-us/sysinternals/hh290819
http://technet.microsoft.com/en-us/sysinternals/hh290819
http://technet.microsoft.com/en-us/sysinternals/hh290819

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/

http://www.virusbtn.com/pdf/conference_slides/2010/Johnson-VB2010.pdf

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
http://www.virusbtn.com/pdf/conference_slides/2010/Johnson-VB2010.pdf
http://www.virusbtn.com/pdf/conference_slides/2010/Johnson-VB2010.pdf
http://www.virusbtn.com/pdf/conference_slides/2010/Johnson-VB2010.pdf
http://www.virusbtn.com/pdf/conference_slides/2010/Johnson-VB2010.pdf

Top related

The Kernel Abstraction€¦ · •Save program counter: where to resume •Save old mode, interruptable bits to status register •Set mode bit to kernel •Set interrupts disabled
Documents
Windows Kernel Internals User-mode Heap Manager David B. Probert, Ph.D. Windows Kernel Development Microsoft Corporation.
Documents
Processes, Protection and the Kernel: Mode, Space, and Context
Documents
High Performance Kernel Mode Web Server for Windows
Documents
Microsoft Kernel Mode Cryptographic Module - NIST … ·  · 2017-09-07Microsoft Kernel Mode Cryptographic Module FIPS 140 -1 Documentation: ... in Jan 2001. Microsoft Windows XP
Documents
Migrating User Mode Linux to Xen and Kernel Based Virtual ...
Documents
C++ in kernel mode
Technology
Ch 4. Drivers and Kernel-Mode Objects
Documents
OSPP: The Kernel Abstraction3 Dual-Mode Operation Modern CPUs have two execution modes: the user mode and the supervisor (or system, kernel, privileged) mode, controlled by a mode
Documents
Windows Kernel Internals - Zenk - Security et systemes d.exploitations... · mode kernel mode Windows Kernel-mode Architecture ... Idle processor or ... – Extensible filter-based
Documents
Kernel-mode Payloads on Windows - orkspace.net Payloads on... · Chapter 1 Foreword Abstract: This paper discusses the theoretical and practical implementations of kernel-mode payloads
Documents
10 Kernel mode driver development
Documents
ISLab Flash Team Ch 4. Drivers and Kernel-Mode Objects.
Documents
Linux - Kernel Mode Programming Guide
Documents
L04 Kernel Mode
Documents
Challenges in Kernel-Mode Memory Scanning...Challenges in Kernel-Mode Memory Scanning October 2, 2009 Rachit Mathur Research Scientist Aditya Kapoor Research Scientist Research Scientist
Documents
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Technology
Kernel Estimation of the Conditional Mode for Fixed Design ... · Kernel Estimation of the Conditional Mode for Fixed Design Models Doaa Abd ELrahman ELhertaniy October 8, 2017
Documents
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Technology
Manual kernel mode analysis with WinDbg VB2018 Vanja ... · Manual kernel mode analysis with WinDbg • Intro to WinDbg • Setup • Basic commands • Taking it to the next level
Documents

Copyright © 2018 DOCUMENTS