nosirrah
Security Expert Special Response Team
Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Sep 19, 2006 1:05 pm Post subject: hiberfil.sys
If a system with a live rootkit infection was hibernated, would the hiberfil.sys file contain the evidence of the rootkit when the system was resumed? If it would, a scanner based on this would be a good invention.
If the rootkit prevents hiberfil.sys from storing the rootkit, would hibernate and resume unhook the system?
PCBruiser
SRT Team Lead
Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Tue Sep 19, 2006 5:00 pm Post subject:
I doubt that would unhook the system because the rootkit would still reside on the hard drive, even if it is eliminated from the hibernation file, and would come back on the next boot, if not sooner. Unless I misunderstand your point.
_________________
Don't read? Can't learn!
nosirrah
Security Expert Special Response Team
Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Sep 19, 2006 5:11 pm Post subject:
I don't think that it will unhook it either.
My main question is whether or not analyzing the hiberfil.sys file after resume would be a valid rootkit detection method, and if anyone is working on such an application.
PCBruiser
SRT Team Lead
Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Tue Sep 19, 2006 5:59 pm Post subject:
It's a good question; unfortunately, I don't know the answer to that. It probably needs some real testing to know, unless someone here has already done it.
_________________
Don't read? Can't learn!