Security quote of the week
But it was very interesting to see some of the anti-rootkit tools not
showing the dispatch table hooks that are usually pretty straightforward to
identify. Also this malware would not allow an external debugger (WinDbg)
to break, which was annoying.
-- Rachit Mathur on a memory forging rootkit

The reason for hooks not being reported was that the memory being read by the tools was not the actual memory! The dispatch table as "seen" by the tools appeared not to be hooked—whereas in reality it was hooked. The part that made it interesting was that the memory was being read at the correct address with a mov instruction and not using some system API that could be hooked. We know of some proof-of-concept ways to achieve this, but I had not seen this behavior before from a threat in the wild.
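The following is an added illustration, not code from the original post or from the author; it models the situation Mathur describes in user-mode C. A dispatch table is represented as an array of handler addresses, the "straightforward" hook check compares each entry against a known-clean baseline and the legitimate module's address range, and two scenarios are built: an ordinary hook, where the bytes a tool reads are the real table, and a memory-forging hook, where the real table is modified but a read of the table's address returns a clean-looking copy. All addresses, the table size and the module range are constructed placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. Models a kernel dispatch
 * table as an array of handler addresses so it runs in user mode.
 * All addresses below are constructed placeholders. */
#define TABLE_ENTRIES 4
typedef uintptr_t dispatch_entry_t;

/* Baseline captured from a known-clean image (constructed values). */
static const dispatch_entry_t baseline[TABLE_ENTRIES] = {
    0x1000, 0x1040, 0x1080, 0x10C0
};

/* Address range of the legitimate handler module (constructed). */
static const uintptr_t module_lo = 0x1000;
static const uintptr_t module_hi = 0x2000;

/* The two views a memory-forging rootkit keeps apart: the entries the
 * CPU actually dispatches through, and the bytes returned when a tool
 * reads the table's address. Without such a rootkit the two are equal. */
typedef struct {
    dispatch_entry_t actual[TABLE_ENTRIES];
    dispatch_entry_t presented[TABLE_ENTRIES];
} table_state_t;

/* Straightforward hook check: count entries that differ from baseline
 * or point outside the module. `view` is whatever the checker reads. */
int count_hooked_entries(const dispatch_entry_t *view, size_t n) {
    int hooked = 0;
    for (size_t i = 0; i < n; i++) {
        int differs = view[i] != baseline[i];
        int outside = view[i] < module_lo || view[i] >= module_hi;
        if (differs || outside) hooked++;
    }
    return hooked;
}

/* Scenario 1: ordinary hook. The presented bytes are the real table. */
void make_plain_hook(table_state_t *s) {
    memcpy(s->actual, baseline, sizeof s->actual);
    s->actual[2] = 0x7FFF0000;               /* redirected out of module */
    memcpy(s->presented, s->actual, sizeof s->presented);
}

/* Scenario 2: the hook from the quote. The real table is hooked, but a
 * read of the table's address yields a clean-looking copy. */
void make_forged_view(table_state_t *s) {
    memcpy(s->actual, baseline, sizeof s->actual);
    s->actual[2] = 0x7FFF0000;
    memcpy(s->presented, baseline, sizeof s->presented);
}

/* What an anti-rootkit tool that trusts its own reads would report. */
int reported_hooks(const table_state_t *s) {
    return count_hooked_entries(s->presented, TABLE_ENTRIES);
}

/* What is really the case; a tool needs an independent view to get here. */
int real_hooks(const table_state_t *s) {
    return count_hooked_entries(s->actual, TABLE_ENTRIES);
}

/* 1 when hooks exist but the presented memory hides them. */
int hook_is_hidden(const table_state_t *s) {
    return real_hooks(s) > 0 && reported_hooks(s) == 0;
}

int main(void) {
    table_state_t plain, forged;
    make_plain_hook(&plain);
    make_forged_view(&forged);
    printf("plain hook:  reported=%d real=%d hidden=%d\n",
           reported_hooks(&plain), real_hooks(&plain), hook_is_hidden(&plain));
    printf("forged view: reported=%d real=%d hidden=%d\n",
           reported_hooks(&forged), real_hooks(&forged), hook_is_hidden(&forged));
    return 0;
}
```

The point the two scenarios make is that a checker which only trusts what it reads from the running system cannot tell the forged case from a clean table, because its read path (even a plain mov) is exactly what is being lied to. Detection therefore needs a view the rootkit does not control, for example comparing against a memory image acquired independently of the running kernel, or checking where control actually flows rather than what the table bytes claim.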