Malware Analysis Demystifying Modern Windows Rootkits

[upnorth]

This talk will demystify the process of writing a rootkit, moving past theory and instead walking the audience through the process of going from a driver that says "Hello World" to a driver that abuses never-before-seen hooking methods to control the user-mode network stack. Analysis includes common patterns seen in malware and the drawbacks that come with malware in kernel-mode rather than user-mode.

 

[ForgottenSeer 85179]

On 13:57 he say that this method isn't compatible with HVCI so with this enabled, we're secure

Enable memory integrity

This article explains the steps to opt in to using memory integrity on Windows devices.

docs.microsoft.com

Hypervisor-Protected Code Integrity can use hardware technology and virtualization to isolate the Code Integrity (CI) decision-making function from the rest of the Windows operating system. When using virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification.

 

[upnorth]

Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

Enable memory integrity

This article explains the steps to opt in to using memory integrity on Windows devices.

docs.microsoft.com

 

[ForgottenSeer 85179]

Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

See: