- Hook kernel structures on multi-processor systems
- Use a kernel debugger to reverse system internals
- Inject call gates to create a back door into Ring-0
- Use detour patches to sidestep group policy
- Modify privilege levels on Vista by altering kernel objects
- Utilize bootkit technology
- Defeat live incident response and post-mortem forensics
- Implement code armoring to protect your deliverables
- Establish covert channels using the WSK and NDIS 6.0
I am interested in the anti-forensics material, as you might imagine.
I first learned about Bill's work when he produced this presentation on rootkits. Slide 34 caught my attention:
That's pretty cool, but I am reminded of my post last summer on getting the job done. I wrote:
I have encountered plenty of roles where I am motivated and technically equipped, but without resources and power. I think that is the standard situation for incident responders, i.e., you don't have the evidence needed to determine scope and impact, and you don't have the authority to change the situation in your favor.
I think that is the main problem with incident detection and response, and probably computer security in general, these days.
Thanks again to Bill for the book, and be sure to check it out at Amazon.com.
Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.