Here we are, part two! I thought rather than doing a live debugging of runtime2 as I discussed in my last rootkit debugging post, I'd debug a different rootkit. I chose Rustock.B (PE386) as it's a pretty notorious rootkit, and in my opinion is a lot of fun to debug. It's always a great learning experience to debug, reverse, and research things for yourself as well. I have a map of rootkits I want to debug and reverse as the weeks go by, so expect many more of these.
More here: http://bsodanalysis.blogspot.com/2014/10/rootkit-debugging-rustockb-live.html