Applying user-mode memory scanning on Windows NT

Eric Uday Kumar Authentium

  download slides (PDF)

Memory-resident malware and malware persistent over reboots have since long been the most challenging to detect and deactivate. Such types of malware can conceal their presence (defensive techniques), thwart termination or removal (armouring techniques), lower system security, and terminate or suspend security applications (offensive techniques). Memory scanning plays a vital role in detecting and deactivating these types of malware.

Implementing a memory scanner for Windows NT-based systems is particularly challenging due to the complexity of the executing environment. While memory scanning can be implemented in both kernel mode and user mode, this content is confined to user-mode memory scanning, for 32-bit and 64-bit Windows NT-based systems. This essentially means scanning the virtual address space of each process in memory, as well as its associated objects in memory and on physical disk, as seen from user mode. Here, we will discuss examples from real-world malware scenarios that demonstrate a few anti-detection and anti-disinfection techniques, and find how memory scanning can be applied to overcome some of them. Certain techniques to detect hidden processes from user mode will also be presented. The limitations of user-mode memory scanning will also be discussed.

Poll

Do you use the same password(s) across multiple websites?
I use the same password for all sites
I have a number of passwords but use the same for some sites
I use a different password for each site
I don't sign up to any sites that require a password

Leave a comment
View 4 comments
Jobs Career Sidebar

VB100 certification

VB100 This month VB's test team put 26 products to the test on Windows Server 2008. John Hawes has the full results.
See full results.
Virus Bulletin currently has 190,960 registered users.