Skip to content
Conference proceedings

Rootkit detection via kernel code tunneling

Chiriac M...(+1 more)

Black Hat Europe 2011 (2011)

  • 2

    Readers

    Mendeley users who have this article in their library.
  • N/A

    Citations

    Citations of this article.
  • N/A

    Views

    ScienceDirect users who have downloaded this article.
Sign in to save reference

Abstract

We present a novel rootkit detection technique called "kernel code tunneling". The technique uses a custom-made dynamic instrumentation framework to analyze execution flow.

While similar dynamic instrumentation engines do exist (e.g. Intel PIN), our engine offers significant advantages:
- it was designed for kernel mode operation
- it was designed to correctly handle potentially offensive code

Current rootkit detection engines either use methods like "cross view", or analyze specific data areas (e.g. IDT, SSDT) or code areas (e.g. they search for inline patches). However, rootkits are getting more and more complex. No more are inline patches limited to the first bytes of a function: we can now find them anywhere in the execution flow. Instead of a simple JMP/CALL to the malicious code, complex control transfer trampolines are now commonplace.

Our presentation will cover the following topics:
- design of a kernel-based dynamic instrumentation engine
- overcoming kernel-specific issues (IRQ levels, async tasks, self modifying code)
- analysis of various tunneling sessions, with/without active rootkits
- specific cases when instrumentation has provided us with enough data to effectively *clean* the machine

Author-supplied keywords

  • Malware
  • Windows
  • セキュリティ

Find this document

There are no full text links

Cite this document

Choose a citation style from the tabs below