Hi Don,
you are right: top to bottom, this is the right way. As I told: he doesn't need that, not assembly language, this was not the place he had to start. I showed him the direction of the call, that's all! I am sure that this is OK to know. I never said he should learn assembly language. For God's sake, no!!! You don't need assembly in (Windows) drivers anymore, for those who do not know that (excluding us and others here who know!).
Regards
Kerem
I remember our anti-rootkit solution did it in *kernel mode* and it indeed helped in so many cases.
There is a concept of user-mode and kernel-mode rootkits. Excluding Hacker Defender and similar categories of samples, almost all other user-land rootkits (read: rootkits with no driver) we found used to hook these APIs. Calling the APIs from the kernel at least allows you to terminate those processes successfully, as they have hooked them in user land. Additionally, they can patch the SSDT too, in which case you need some other way to do so (yes, there are ways, and you need to find them).
Additionally, any method you use will not be 100%, i.e. there will be rootkits which you simply cannot delete using live programs. But in the security domain it was never about cleaning them all; instead it was about cleaning one more than the competition. (Sales is the driving force.)
So doing it in the kernel does have its merits, but if you are not sure of the technology it has more negatives than positives. You'll expose a potential risk in the system. As Mr Don said, I may analyze your driver's IOCTLs and data structures and use them to kill some legitimate process for xyz reason (because of this, many similar solutions allow only a single create IRP call to succeed).
You need to spend more time with actual malware and experimenting with it to conclude something. Study more, as unless you know it completely there is a chance that you may introduce security holes while distributing your security app.
Thanks
Aditya