On Wed, Nov 10, 2010 at 8:38 PM, Joxean Koret <joxeankoret(a)yahoo.es> wrote:
> It's not that easy. For example, what if a rootkit tries to exploit a
> privilege escalation vulnerability in the kernel or any of the subsystems
> (i.e., win32k)? You may think it's something very uncommon, but it is not.

I guess you may extend wine to detect those?

> Or, what if the malware tries to install a driver? I can see that a
> driver was installed or that a call to LoadDriver/ZwLoadDriver was
> issued but I can't get any other information.
For the purposes of scanning websites to see if they are evil,
that should suffice, shouldn't it?
- Dan