SSDT Hooking

SSDT Hooking

JA
Hi,

I hope you are doing well and ready for vacation.

Can we evaluate the possibility of introducing SSDT Device/Hooking and
DKOM Device?

Ref: https://www.owasp.org/index.php/OWASP_Security_Research_and_Development_Framework

Thank you
Best regards
/JA
RE: SSDT Hooking

Kirillov, Ivan A.
Hi Jerome,

Thanks, hope you're doing well also; it's certainly getting very close to vacation time for many of us :-)

Anyhow, I definitely agree that we should support SSDT Device hooking in MAEC/CybOX. In fact, we currently have a Windows Kernel Object (http://cybox.mitre.org/language/version2.0.1/xsddocs/objects/Win_Kernel_Object.html) that supports characterizing IDT and SSDT entries. Can you take a look and see if this is amenable for accurately describing SSDT hooking?

I'll add a tracker for adding support for DKOM, since I don't believe this is something we can do at the moment. Are there any new CybOX Objects we'd need to add for this?

Oh, and thanks for the pointer to SRDF - looks to be a great resource!

Regards,
Ivan Kirillov
MAEC Project
MITRE

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Jerome Athias
Sent: Friday, December 20, 2013 5:21 AM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: SSDT Hooking