ishish.io

What is now proved
was once, only imagin'd

- William Blake

Introduction to TProbe - part 4: Crossing the userspace / kernelspace border

June 28, 2023

In this tutorial we will explore a case in which crossing the border between userspace and kernelspace code is necessary. For this purpose we will use a sample of the ZeroAccess rootkit, analysed and described in this excellent article. You can download this sample from here.

Introduction to TProbe - part 3: Tracking injected code

June 28, 2023

In this tutorial we will explore a case in which a malicious process injects code into another, legitimate process. For this purpose we will use a sample of the Hamweq bot. It's an old sample, but its simplicity will provide a smooth introduction to some of the advanced TProbe features.

Introduction to TProbe - part 2: Functionality

June 28, 2023

Assuming that you followed the instructions in the previous post and deployed your debugging suite correctly, now is the time to get acquainted with the user interface. In case you configured TProbe to run gshell automatically (the default configuration), several windows will be presented to you. Let's explore the purpose of each one of them.

ishish.io Copyright 2024