Rootkit detection via kernel code tunneling

by Mihai Chiriac
Black Hat Europe 2011


We present a novel rootkit detection technique called "kernel code tunneling". The technique uses a custom-made dynamic instrumentation framework to analyze execution flow.

While similar dynamic instrumentation engines do exist (e.g. Intel PIN), our engine offers significant advantages:
- it was designed for kernel mode operation
- it was designed to correctly handle potentially offensive code

Current rootkit detection engines either use methods like "cross view", or analyze specific data areas (e.g. IDT, SSDT) or code areas (e.g. they search for inline patches). However, rootkits are getting more and more complex. Inline patches are no longer limited to the first bytes of a function: they can now be found anywhere in the execution flow. Instead of a simple JMP/CALL to the malicious code, complex control transfer trampolines are now commonplace.

Our presentation will cover the following topics:
- design of a kernel-based dynamic instrumentation engine
- overcoming kernel-specific issues (IRQ levels, async tasks, self-modifying code)
- analysis of various tunneling sessions, with and without active rootkits
- specific cases where instrumentation has provided us with enough data to effectively *clean* the machine
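The gap the abstract describes, a patch placed past the function prologue or routed through a push/ret trampoline, can be made concrete with a small flow walk. The following is an added example written for this page, not the author's instrumentation engine (which works dynamically, inside the kernel): it walks a constructed 12-byte 32-bit x86 function from its entry, follows intra-module jumps, steps over calls, treats "push imm32; ret" as a control transfer, and counts every transfer that leaves the module. Next to it sits the classic check that only inspects the first instruction. MODULE_BASE, HOOK_VA, the sample bytes, the opcode subset the mini-decoder understands, and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout for the constructed sample: the "module" is a buffer mapped at
 * MODULE_BASE; HOOK_VA is a hypothetical rootkit address outside that module. */
#define MODULE_BASE 0x80400000u
#define HOOK_VA     0xF7A01000u
#define MAX_XFER    16

typedef struct { uint32_t from, to; const char *kind; } xfer_t;
typedef struct { xfer_t x[MAX_XFER]; int n; int foreign; } trace_t;

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static int in_module(uint32_t va, size_t len) {
    return va >= MODULE_BASE && va < MODULE_BASE + (uint32_t)len;
}

/* Length of the instruction at p for the small 32-bit x86 subset the sample
 * uses (register-register ModRM forms only); 0 means "not understood, stop". */
static size_t insn_len(const uint8_t *p, size_t avail) {
    if (avail == 0) return 0;
    switch (p[0]) {
    case 0x90: case 0x55: case 0x5D: case 0xC3: return 1;        /* nop, push/pop ebp, ret */
    case 0x8B: case 0x33: case 0xEB: return avail >= 2 ? 2 : 0; /* mov/xor r,r; jmp rel8 */
    case 0xE8: case 0xE9: case 0x68: return avail >= 5 ? 5 : 0; /* call/jmp rel32, push imm32 */
    default: return 0;
    }
}

static void record(trace_t *t, uint32_t from, uint32_t to, const char *kind, size_t len) {
    if (t->n < MAX_XFER) { t->x[t->n].from = from; t->x[t->n].to = to; t->x[t->n].kind = kind; t->n++; }
    if (!in_module(to, len)) t->foreign++;
}

/* Follow the execution flow from offset `start`: take intra-module JMPs, step
 * over CALLs, treat "push imm32; ret" as a jump, stop at RET. Returns the number
 * of control transfers that leave the module, or -1 on an unknown opcode. */
int tunnel(const uint8_t *code, size_t len, size_t start, trace_t *t) {
    uint8_t seen[256] = {0};              /* visited offsets: guards against loops */
    size_t off = start;
    memset(t, 0, sizeof *t);
    if (len > sizeof seen) return -1;
    while (off < len && !seen[off]) {
        const uint8_t *p = code + off;
        size_t n = insn_len(p, len - off);
        uint32_t va = MODULE_BASE + (uint32_t)off, next = va + (uint32_t)n, target;
        seen[off] = 1;
        if (n == 0) return -1;
        switch (p[0]) {
        case 0xC3:                        /* ret: end of this tunnel */
            return t->foreign;
        case 0xE9: case 0xEB:             /* jmp rel32 / rel8 */
            target = p[0] == 0xE9 ? next + rd32(p + 1) : next + (int8_t)p[1];
            record(t, va, target, "jmp", len);
            if (!in_module(target, len)) return t->foreign;
            off = target - MODULE_BASE;
            continue;
        case 0xE8:                        /* call rel32: record, then step over */
            record(t, va, next + rd32(p + 1), "call", len);
            break;
        case 0x68:                        /* push imm32 followed by ret = trampoline */
            if (off + n < len && p[n] == 0xC3) {
                target = rd32(p + 1);
                record(t, next, target, "push/ret", len);
                if (!in_module(target, len)) return t->foreign;
                off = target - MODULE_BASE;
                continue;
            }
            break;
        default:
            break;
        }
        off += n;
    }
    return t->foreign;
}

/* The classic check: only the first instruction of the function is inspected. */
int prologue_hooked(const uint8_t *code, size_t len) {
    if (len >= 5 && (code[0] == 0xE9 || code[0] == 0xE8))
        return !in_module(MODULE_BASE + 5 + rd32(code + 1), len);
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return !in_module(rd32(code + 1), len);
    return 0;
}

/* Constructed 12-byte sample function (not taken from any real driver). */
static const uint8_t CLEAN_FN[12] = {
    0x55, 0x8B, 0xEC,             /* push ebp; mov ebp, esp */
    0x33, 0xC0,                   /* xor eax, eax */
    0x90, 0x90, 0x90, 0x90, 0x90, /* padding: room for a 5-6 byte patch */
    0x5D, 0xC3                    /* pop ebp; ret */
};

typedef enum { SC_CLEAN, SC_PROLOGUE_JMP, SC_DEEP_JMP, SC_DEEP_PUSH_RET } scenario_t;

/* Build each scenario by patching a copy of CLEAN_FN the way a hooking rootkit
 * would write the bytes: a JMP at the prologue, a JMP past it, or push/ret past it. */
static void build(scenario_t s, uint8_t *buf) {
    size_t off = (s == SC_PROLOGUE_JMP) ? 0 : 5;
    memcpy(buf, CLEAN_FN, sizeof CLEAN_FN);
    if (s == SC_PROLOGUE_JMP || s == SC_DEEP_JMP) {
        buf[off] = 0xE9;
        wr32(buf + off + 1, HOOK_VA - (MODULE_BASE + (uint32_t)off + 5));
    } else if (s == SC_DEEP_PUSH_RET) {
        buf[off] = 0x68; wr32(buf + off + 1, HOOK_VA);
        buf[off + 5] = 0xC3;
    }
}

int prologue_result(scenario_t s) {
    uint8_t buf[sizeof CLEAN_FN];
    build(s, buf);
    return prologue_hooked(buf, sizeof buf);
}
int tunnel_result(scenario_t s) {
    uint8_t buf[sizeof CLEAN_FN]; trace_t t;
    build(s, buf);
    return tunnel(buf, sizeof buf, 0, &t);
}
```

Calling `prologue_result` and `tunnel_result` on the four scenarios shows the point of the abstract: the prologue check flags only the JMP at offset 0, while the flow walk also reaches the JMP and the push/ret trampoline buried after the real prologue. The caveat is that a static walk like this one sees only what is in the bytes; hooks that materialize at run time (self-modifying code, pointers swapped in data structures the function dereferences) are the reason the talk instruments actual execution rather than scanning.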
