Cloudxtreme / volatility

Automatically exported from code.google.com/p/volatility

Hiding from the scanners #247

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I've read the Wiki section on "Scanners" a couple times but I'm not quite sure 
how easy it would be for rootkits to hide from them. For example, 
eprocess.Pcb.Header.Size == 0x1b is a non-essential feature of an EPROCESS 
structure and simply modifying that value would effectively hide the process 
from psscan.

Have there been any development efforts to use the techniques described in this 
paper?
Robust Signatures for Kernel Data Structures 
http://www.cc.gatech.edu/~brendan/ccs09_siggen.pdf.

Original issue reported on code.google.com by tamas.k....@gmail.com on 17 Apr 2012 at 1:32
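To make the question concrete, here is an added example that is not from the issue, the paper, or Volatility's own code: a toy scanner over a constructed memory buffer with a simplified, made-up record layout, comparing a single-field test like the Header.Size == 0x1b check mentioned above with a multi-invariant check in the spirit of the robust-signature paper. The record layout, the invariants chosen and the sample values are assumptions for illustration only, not the real EPROCESS layout or psscan's actual logic.

```python
import struct

# Constructed, simplified record layout (NOT the real EPROCESS layout):
#   +0  Header.Type (u8)      +2  Header.Size (u8)
#   +4  DirectoryTableBase    +8  Flink   +12 Blink   +16 Pid   (all u32, LE)
REC_FMT = "<BxBxIIII"
REC_LEN = struct.calcsize(REC_FMT)  # 20 bytes

def make_record(size, dtb, flink, blink, pid, type_=3):
    """Build one constructed process-like record."""
    return struct.pack(REC_FMT, type_, size, dtb, flink, blink, pid)

def weak_match(chunk):
    """Single-field signature, like the Header.Size == 0x1b test from the issue."""
    _type, size, *_ = struct.unpack(REC_FMT, chunk)
    return size == 0x1b

def robust_match(chunk):
    """Several invariants the OS itself would depend on (illustrative choice):
    a tampered copy that still runs as a process must keep these intact."""
    type_, _size, dtb, flink, blink, pid = struct.unpack(REC_FMT, chunk)
    return (type_ == 3                          # dispatcher object type for a process
            and dtb != 0 and dtb % 0x1000 == 0  # page directory base is page-aligned
            and flink != 0 and blink != 0       # record is linked into a live list
            and pid != 0)

def scan(mem, match):
    """Slide over mem one byte at a time; return offsets where the signature matches."""
    return [off for off in range(len(mem) - REC_LEN + 1)
            if match(mem[off:off + REC_LEN])]

# Constructed sample memory: padding, an untouched record, and a record whose
# Header.Size was zeroed while every OS-relied-upon field is left intact.
MEM = (b"\x00" * 7
       + make_record(0x1b, 0x39000, 0x81234560, 0x81234570, 1234)
       + b"\xff" * 5
       + make_record(0x00, 0x3a000, 0x81234580, 0x81234590, 1240)
       + b"\x00" * 9)

if __name__ == "__main__":
    print("weak   :", scan(MEM, weak_match))    # finds only the untouched record
    print("robust :", scan(MEM, robust_match))  # finds both records
```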

GoogleCodeExporter commented 8 years ago
Hiya Tamas, that's not really a bug, it's more of a comment/discussion.  Please 
could you continue this conversation on the volatility developer mailing list, 
or on IRC. 

I'm going to mark this as invalid, but also CC in moyix (who is the author of 
the paper you quoted, and also a volatility developer) in case he wants to 
answer you either here or directly...

Original comment by mike.auty@gmail.com on 17 Apr 2012 at 9:56