We will create a simple user-mode rootkit on Windows 2012 R2, then check how these types of rootkit can be detected.
As a first step we review the different hooking approaches and implement one of them. During the development, participants will learn how to access the memory of one process from another process.
In the second step we will write the filtering shellcode in assembly that our hooking application inserts into the hooked function.
Finally we will test whether the most wide-spread detection tools are able to detect our rootkit or not.
We recommend attendance to everyone who is interested in malware or rootkit detection, or who likes programming or debugging.
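The detection side of the workshop description above, as an added example that is not part of the original abstract or the workshop's own material: a user-mode inline hook overwrites the first bytes of an API function inside the target process with a jump to the hooking code, so a detector reads the function prologue from process memory, compares it with the pristine bytes of the same function in the DLL on disk, classifies any known trampoline pattern and checks whether the jump leaves the module's own image. The prologue bytes, module base, size and entry address below are constructed for the demonstration (not taken from any real DLL); in a real tool the in-memory bytes would come from ReadProcessMemory and the reference bytes from the DLL mapped from disk, both of which are left out here so the check runs portably.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Classification of what a detector sees at a function entry point. */
typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,    /* E9 rel32                  (5-byte relative jump)   */
    HOOK_PUSH_RET,     /* 68 imm32 C3               (push address; ret)      */
    HOOK_MOV_RAX_JMP,  /* 48 B8 imm64 FF E0         (mov rax, addr; jmp rax) */
    HOOK_MISMATCH      /* differs from the on-disk copy, pattern not known   */
} hook_kind;

/* Constructed sample bytes (not a real DLL): a typical-looking x64 prologue as it
   appears on disk, and the same function after a 5-byte jump was written over it. */
#define PROLOGUE_LEN 16
const uint8_t kDiskPrologue[PROLOGUE_LEN] = {
    0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x74,
    0x24, 0x10, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x90 };
const uint8_t kHookedPrologue[PROLOGUE_LEN] = {
    0xE9, 0x00, 0x00, 0x20, 0x00, 0x48, 0x89, 0x74,   /* jmp +0x200000 */
    0x24, 0x10, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x90 };

/* Constructed module layout used for the "jump leaves the image" check. */
const uint64_t kModuleBase = 0x7FF800000000ULL;
const uint64_t kModuleSize = 0x10000ULL;
const uint64_t kFuncEntry  = 0x7FF800001000ULL;

/* Look only at the opcode pattern at the entry, independent of the disk copy. */
hook_kind classify_prologue(const uint8_t *p, size_t len) {
    if (len >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;
    if (len >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HOOK_PUSH_RET;
    if (len >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    return HOOK_NONE;
}

/* Offset of the first byte where memory and disk differ, or -1 if identical. */
long first_mismatch(const uint8_t *mem, const uint8_t *disk, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (mem[i] != disk[i]) return (long)i;
    return -1;
}

/* Combined verdict: identical to disk means clean; otherwise name the pattern. */
hook_kind check_function(const uint8_t *mem, const uint8_t *disk, size_t len) {
    if (first_mismatch(mem, disk, len) < 0) return HOOK_NONE;
    hook_kind k = classify_prologue(mem, len);
    return k == HOOK_NONE ? HOOK_MISMATCH : k;
}

/* Destination of an E9 jump: address of the next instruction plus signed rel32. */
uint64_t jmp_rel32_target(uint64_t entry, const uint8_t *p) {
    int32_t rel;
    memcpy(&rel, p + 1, sizeof rel);
    return entry + 5 + (uint64_t)(int64_t)rel;
}

/* A hook that jumps out of the module's own image is the strongest signal;
   legitimate hot-patching stays inside the image. */
int target_outside_module(uint64_t target, uint64_t base, uint64_t size) {
    return target < base || target >= base + size;
}

int main(void) {
    hook_kind k = check_function(kHookedPrologue, kDiskPrologue, PROLOGUE_LEN);
    printf("verdict: %d (first mismatch at offset %ld)\n", (int)k,
           first_mismatch(kHookedPrologue, kDiskPrologue, PROLOGUE_LEN));
    if (k == HOOK_JMP_REL32) {
        uint64_t t = jmp_rel32_target(kFuncEntry, kHookedPrologue);
        printf("jmp target 0x%llx, outside module: %d\n",
               (unsigned long long)t, target_outside_module(t, kModuleBase, kModuleSize));
    }
    printf("clean copy verdict: %d\n",
           (int)check_function(kDiskPrologue, kDiskPrologue, PROLOGUE_LEN));
    return 0;
}
```

Comparing against the disk image matters because a rootkit is free to use a trampoline the pattern list does not know; the byte comparison catches it as HOOK_MISMATCH, and the pattern list only adds a label. A production check would also apply the DLL's relocations before comparing, since absolute addresses in the prologue legitimately differ between disk and memory.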