upnorth

Moderator
Verified
Staff member
Malware Hunter
This talk will demystify the process of writing a rootkit, moving past theory and instead walking the audience through the process of going from a driver that says "Hello World" to a driver that abuses never-before-seen hooking methods to control the user-mode network stack. Analysis includes common patterns seen in malware and the drawbacks that come with malware in kernel-mode rather than user-mode.
 

security123

Level 26
Verified
At 13:57 he says that this method isn't compatible with HVCI, so with this enabled, we're secure :)


Hypervisor-Protected Code Integrity can use hardware technology and virtualization to isolate the Code Integrity (CI) decision-making function from the rest of the Windows operating system. When using virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification.
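Since the thread's point is that the demonstrated technique fails only when HVCI is actually running, the check a defender wants is whether VBS and HVCI are running on a given box rather than merely configured. The following PowerShell is an added example, not code from the thread or from Microsoft; it reads the documented Win32_DeviceGuard WMI class (the same data msinfo32 shows under "Virtualization-based security Services Running") and the function name Get-HvciStatus is an assumption of this example.

```powershell
# Added example: report whether virtualization-based security and HVCI are running.
# Data source is the documented Win32_DeviceGuard class; no third-party modules needed.
function Get-HvciStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # SecurityServicesRunning / SecurityServicesConfigured are arrays of codes:
    # 1 = Credential Guard, 2 = HVCI (memory integrity), 3 = System Guard Secure Launch.
    $hvciConfigured = @($dg.SecurityServicesConfigured) -contains 2
    $hvciRunning    = @($dg.SecurityServicesRunning)    -contains 2

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        VbsRunning     = $vbsRunning
        HvciConfigured = $hvciConfigured
        HvciRunning    = $hvciRunning
        # Configured but not running usually means a pending reboot or an
        # incompatible driver/firmware that kept HVCI from starting.
        Note           = if ($hvciConfigured -and -not $hvciRunning) {
                             'HVCI configured but NOT running; protection is not in effect'
                         } elseif ($hvciRunning) {
                             'HVCI running; kernel code pages require CI verification'
                         } else {
                             'HVCI not configured'
                         }
    }
}

Get-HvciStatus
```

Only HvciRunning = True corresponds to the state discussed in the talk; a machine where the policy is set but the service did not start is in the same position as one with HVCI off.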
 

security123

Level 26
Verified
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
See:
hvci.png


;)
 