Demystifying Modern Windows Rootkits

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 12:30 p.m. (40 minutes).

This talk will demystify the process of writing a rootkit, moving past theory and instead walking the audience through the process of going from a driver that says "Hello World" to a driver that abuses never-before-seen hooking methods to control the user-mode network stack. Analysis includes common patterns seen in malware and the drawbacks that come with malware in kernel-mode rather than user-mode.

We'll walk through writing a rootkit from scratch, discussing how to load a rootkit, how to communicate with a rootkit, and how to hide a rootkit. With every method, we'll look into the drawbacks ranging from usability to detection vectors. The best part? We'll do this all under the radar, evading PatchGuard and anti-virus.

Presenters:

• Bill Demirkapi - Independent Security Researcher, \
  Bill Demirkapi is a student at the Rochester Institute of Technology with an intense passion for Windows Internals. Bill's interests include game hacking, reverse engineering malware, and exploit development. In his pursuit to make the world a better place, Bill constantly looks for the next big vulnerability following the motto "break anything and everything."

Links:

• https://www.blackhat.com/us-20/briefings/schedule/#demystifying-modern-windows-rootkits-20918

Similar Presentations:

• REcon 2011 / How to develop a rootkit for Broadcom NetExtreme network cards
• THOTCON 0xA (2019) / Writing your own Linux Rootkit for fun and profit
• DEF CON 28 (2020) Virtual / Demystifying Modern Windows Rootkits