Windows7 & Server 2008R2 and earlier kernels contain significant executable regions available for abuse. These regions are great hiding places and more; e.g. Using PTE shellcode from ring3 to induce code into ring0. Hiding rootkits with encoded and decoded page table entries.
Additional ranges/vectors, Kernel Shim Engine, ACPI/AML, boot-up resources & artifacts will also be shown to be useful for code gadgets.
Understanding the state of affairs with the changes between Win7/8 and what exposures were closed and which may remain. APT threats abuse many of these areas to avoid inspection.
By the end of this session will also show you how to walk a page table, why Windows8 makes life easier, what to look for and how to obtain a comprehensive understanding of what possible code is hiding/running on your computer.
Final thoughts on using a VM memory snapshot to fully describe/understand any possible code running on a Windows system.