9 BOOTKIT DYNAMIC ANALYSIS: EMULATION AND VIRTUALIZATION


You saw in Chapter 8 that static analysis is a powerful tool for bootkit reverse engineering. In some situations, however, it can’t give you the information you’re looking for, so you’ll need to use dynamic analysis techniques instead. This is often true for bootkits that contain encrypted components for which decryption is problematic or for bootkits like Rovnix—covered in Chapter 11—that employ multiple hooks during execution to disable OS protection mechanisms. Static analysis tools can’t always tell which modules the bootkit tampers with, so dynamic analysis is more effective in these ...

Get Rootkits and Bootkits now with O’Reilly online learning.