Eric Uday Kumar Authentium
download slides (PDF)
Memory-resident malware and malware persistent over reboots have since long been the most challenging to detect and deactivate. Such types of malware can conceal their presence (defensive techniques), thwart termination or removal (armouring techniques), lower system security, and terminate or suspend security applications (offensive techniques). Memory scanning plays a vital role in detecting and deactivating these types of malware.
Implementing a memory scanner for Windows NT-based systems is particularly challenging due to the complexity of the executing environment. While memory scanning can be implemented in both kernel mode and user mode, this content is confined to user-mode memory scanning, for 32-bit and 64-bit Windows NT-based systems. This essentially means scanning the virtual address space of each process in memory, as well as its associated objects in memory and on physical disk, as seen from user mode. Here, we will discuss examples from real-world malware scenarios that demonstrate a few anti-detection and anti-disinfection techniques, and find how memory scanning can be applied to overcome some of them. Certain techniques to detect hidden processes from user mode will also be presented. The limitations of user-mode memory scanning will also be discussed.