Sunday, March 09, 2008

what is a cross-view diff?

a cross-view diff is a process for detecting the presence of active stealth techniques by looking for differences across two or more views of the same resource (often the file system)... when one view is different from the other it suggests that something is manipulating the results in an attempt to hide something...

the multiple views are generally accomplished by accessing the resource using multiple techniques - possibly a high-level API for one view and a lower level one for the other, though it's possible that if something is manipulating the results from one access technique it may also manipulate the results from the other...

another possibility is to get one view while the suspect system is running and the other one from outside-the-box... this has the usual benefit of outside-the-box analysis in that the second view cannot be manipulated by any stealth malware because such malware won't be active...

looking for differences is fundamentally indistinguishable from change-detection, so this technique is essentially a type of integrity checking where the integrity of the resource access methods themselves is in question... compromising those methods is necessary for active stealth to work, so any evidence that their integrity is no longer intact is by extension evidence for the presence of stealth - and if an object (like a file) in the resource in question appears to be missing from the less trusted view then that is even stronger evidence for the presence of stealth...
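to make the above concrete, here is an added example (my own illustration, not code from the original post) of the comparison step described over the last few paragraphs: two views of a file system are represented as mappings from relative path to (size, sha256), one view is assumed to have been taken from outside-the-box and the other from the running system through the ordinary high-level directory API, and every difference is bucketed the way the text ranks the evidence - an object present in the trusted view but missing from the less trusted one is the strong signal, any other difference is still a signal... the sample views, the `live_view` helper and the severity labels are assumptions for the example:

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# A "view" of the resource is a mapping: relative path -> (size_in_bytes, sha256_hex).
# Assumption for this example: the trusted view was produced outside-the-box (disk
# mounted from rescue media), the live view on the running, possibly compromised, system.
View = dict[str, tuple[int, str]]


@dataclass
class CrossViewReport:
    hidden: list[str] = field(default_factory=list)      # in trusted view, absent from live view
    unexpected: list[str] = field(default_factory=list)  # in live view, absent from trusted view
    altered: list[str] = field(default_factory=list)     # in both views, but size or hash differs


def cross_view_diff(trusted: View, live: View) -> CrossViewReport:
    """Compare two views of the same resource and bucket every difference."""
    report = CrossViewReport()
    for path in sorted(trusted.keys() | live.keys()):
        if path not in live:
            report.hidden.append(path)
        elif path not in trusted:
            report.unexpected.append(path)
        elif trusted[path] != live[path]:
            report.altered.append(path)
    return report


def severity(report: CrossViewReport) -> str:
    """Rank the evidence: an object missing from the less trusted view is the
    strongest indicator of active stealth; any other difference still needs triage."""
    if report.hidden:
        return "strong"
    if report.unexpected or report.altered:
        return "weak"
    return "none"


def _sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def live_view(root: str) -> View:
    """Build a view of `root` through the high-level directory API (os.walk),
    i.e. the access path that active stealth would have to manipulate."""
    view: View = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            view[rel] = (os.path.getsize(full), _sha256_of(full))
    return view


# Constructed sample views (placeholder hashes, not real data): the trusted view
# knows about a kernel module the live view no longer lists, and bin/ls has the
# same size but a different hash on the running system.
TRUSTED_VIEW: View = {
    "bin/ls": (138208, "hash-of-clean-ls"),
    "etc/passwd": (2210, "hash-of-passwd"),
    "lib/modules/extra/unknown.ko": (40960, "hash-of-unknown-ko"),
}
LIVE_VIEW: View = {
    "bin/ls": (138208, "hash-of-modified-ls"),
    "etc/passwd": (2210, "hash-of-passwd"),
    "var/log/new.log": (512, "hash-of-new-log"),
}


def snapshot_roundtrip_ok() -> bool:
    """Self-check on a real (temporary) directory: a tree compared against its own
    live view shows no differences, and an entry filtered out of the second
    listing is reported as hidden."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "note.txt"), "w") as f:
            f.write("hello\n")
        trusted = live_view(root)
        if severity(cross_view_diff(trusted, live_view(root))) != "none":
            return False
        # simulate a filtered listing: one entry is dropped from the live view
        filtered = {p: v for p, v in trusted.items() if p != "etc/hosts"}
        return cross_view_diff(trusted, filtered).hidden == ["etc/hosts"]


if __name__ == "__main__":
    report = cross_view_diff(TRUSTED_VIEW, LIVE_VIEW)
    print(f"severity={severity(report)} hidden={report.hidden} "
          f"unexpected={report.unexpected} altered={report.altered}")
```

the point of keeping the three buckets separate is triage: a file that has simply been added or modified since the trusted snapshot is expected noise on a working system, whereas a file the trusted view can see but the live view cannot has no benign explanation short of a stale snapshot, which is why the text calls that the stronger evidence...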
