Anti-Rootkit Evasion (blinding GMER)

During a discussion with colleagues about the ability of modern malware to evade the most common anti-virus solutions, one fixed point seemed to be the use of anti-rootkit tools to thoroughly check the status of a system. One of the most reliable and trustworthy (and widely used) of these is undoubtedly GMER. It was widely believed that only very advanced malware (certainly sponsored by governments, or by Microsoft itself) could hide its presence within the system and, at the same time, fool GMER as well.

My point of view was a little different, and after a few minutes someone said: “why don’t you try to do something that is able to evade GMER’s detection?” And so…

After some research, I saw that there were existing solutions, but some were just too simple and obvious and not what I wanted (simply preventing the detection engine from doing its job), while others were really too complex to build in a couple of days (after working hours :>). My solution is “in the middle” (not of the night), and after studying some of the scan engine’s instructions, I think it is also smart enough. The sources are not freely available (I hate kiddies). Enjoy the video…

2 Comments

  1. OffSec Team

    I saw the video about 3 times trying to figure out the trick. :) But maybe there’s no trick. :) Let me tell you… it’s just amazing, but I’m sorry, honestly I do not think it is the work of just a couple of days. Forgive me. I would be interested in discussing the details of your solution and an eventual integration (for legal purposes, of course). You have my contact. Greetings.
