
Paper: Hunting rootkits with Windbg

Here are the slides to my talk "Hunting rootkits with Windbg" at the Ruhr University of Bochum yesterday. I'll introduce several ways to find well-known rootkits like Rustock or TDL versions 3 and 4 with Windbg and scripts. Enjoy!

http://www.reconstructer.org/papers/Hunting rootkits with Windbg.pdf

The Windbg script shown in the slides to grab kernel callbacks can be found here:

http://www.reconstructer.org/code/WindbgScript-KernelCBFindx86.rar

X64 script

Does the script work on an x64 system too?

I don't have an x64 system by now, so I can't tell you.
This should change in some weeks and I will test it. If it causes problems, I will fix this quickly.

Another nice collection of WinDBG scripts for Rootkit analysis

--> http://kdar.codeplex.com/

If you need help

I can port it to X64 or test it

How can I get the full research paper

Hi Frank,

I am interested in reading the whole research paper. How can I get access to it?

Thanks
Muteb