Conference paper

A Methodology for Hook-Based Kernel Level Rootkits

It is easy to discover whether there are hooks in the System Service Dispatch Table (SSDT). However, once the hooks in the SSDT have been found, it is difficult to tell whether they are malicious or not. In this paper, we propose a scheme that evaluates the hooks by comparing the results returned before hooking and after hooking. If a malicious hook hides itself by modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that the scheme does not perturb the normal operation of user-mode programs. Finally, we discuss the existing approaches to rootkit detection in both user mode and kernel mode. Our method effectively monitors the behavior of hooks and gives users an accurate viewpoint from which to examine their computers.
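The differential check the abstract describes, as an added user-mode simulation that is not the paper's own code and does not touch a real kernel: a tiny table of function pointers stands in for the SSDT, a second copy taken before any hook is installed stands in for the trusted baseline (on a real system this would come from the clean kernel image), and one service that enumerates process IDs stands in for a Native API. A rootkit-style hook forwards to the original routine and strips one PID from the result buffer. Hook discovery is the easy pointer comparison; hook evaluation calls the trusted routine and the current entry with identical parameters and diffs their outputs. All names (`svc_query_original`, `svc_query_hooked`, `ssdt_trusted`, `evaluate_hook`), the sample PID list and the hidden PID 1337 are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PIDS 16
#define HIDDEN_PID 1337u   /* constructed: the PID the simulated rootkit hides */

/* Signature of the simulated native service: fills out[] with process IDs
   and returns how many were written. Stands in for one SSDT entry. */
typedef int (*svc_fn)(unsigned int *out, int max);

/* Constructed sample input: the "real" process list the kernel would report. */
static const unsigned int real_pids[] = { 4u, 128u, 512u, HIDDEN_PID, 2048u };

/* Genuine service routine, i.e. the pre-hook behaviour. */
static int svc_query_original(unsigned int *out, int max)
{
    int n = (int)(sizeof real_pids / sizeof real_pids[0]);
    if (n > max) n = max;
    memcpy(out, real_pids, (size_t)n * sizeof *out);
    return n;
}

/* Hook a hiding rootkit would install: forwards to the original routine,
   then strips HIDDEN_PID from the buffer before the caller sees it. */
static int svc_query_hooked(unsigned int *out, int max)
{
    unsigned int tmp[MAX_PIDS];
    int n = svc_query_original(tmp, MAX_PIDS), kept = 0;
    for (int i = 0; i < n && kept < max; i++)
        if (tmp[i] != HIDDEN_PID) out[kept++] = tmp[i];
    return kept;
}

/* Simulated SSDT plus a trusted copy saved before any driver could hook it. */
enum { SVC_QUERY_SYSTEM_INFO = 0, SVC_COUNT };
static svc_fn ssdt[SVC_COUNT];
static svc_fn ssdt_trusted[SVC_COUNT];

static void ssdt_init(void)
{
    ssdt[SVC_QUERY_SYSTEM_INFO] = svc_query_original;
    ssdt_trusted[SVC_QUERY_SYSTEM_INFO] = svc_query_original;
}

static void rootkit_install(void) { ssdt[SVC_QUERY_SYSTEM_INFO] = svc_query_hooked; }

/* Step 1 (easy): the entry no longer points where the trusted copy says. */
static int ssdt_entry_hooked(int idx) { return ssdt[idx] != ssdt_trusted[idx]; }

/* Step 2 (the scheme in the abstract): call the trusted routine and the
   current entry with identical parameters and diff the results. Returns how
   many results the hook removed and stores them in missing[]; 0 means the
   hook was transparent for this input. */
static int evaluate_hook(int idx, unsigned int *missing, int max_missing)
{
    unsigned int before[MAX_PIDS], after[MAX_PIDS];
    int nb = ssdt_trusted[idx](before, MAX_PIDS);
    int na = ssdt[idx](after, MAX_PIDS);
    int nm = 0;
    for (int i = 0; i < nb; i++) {
        int found = 0;
        for (int j = 0; j < na && !found; j++)
            found = (before[i] == after[j]);
        if (!found && nm < max_missing) missing[nm++] = before[i];
    }
    return nm;
}

/* Run the whole procedure for one scenario: returns the number of hidden
   results; *first_hidden receives the first hidden PID, or 0 if none. */
static int scan(int with_rootkit, unsigned int *first_hidden)
{
    unsigned int missing[MAX_PIDS];
    int nm = 0;
    ssdt_init();
    if (with_rootkit) rootkit_install();
    if (ssdt_entry_hooked(SVC_QUERY_SYSTEM_INFO))
        nm = evaluate_hook(SVC_QUERY_SYSTEM_INFO, missing, MAX_PIDS);
    *first_hidden = nm ? missing[0] : 0u;
    return nm;
}

/* Plain-value wrappers around scan(). */
static int hidden_count(int with_rootkit) { unsigned int f; return scan(with_rootkit, &f); }
static unsigned int first_hidden_pid(int with_rootkit) { unsigned int f; scan(with_rootkit, &f); return f; }

int main(void)
{
    for (int rk = 0; rk <= 1; rk++) {
        unsigned int pid;
        int n = scan(rk, &pid);
        if (n)
            printf("%s: hooked entry hides %d result(s), e.g. PID %u\n",
                   rk ? "rootkit" : "clean", n, pid);
        else
            printf("%s: entry hooked=%d, results identical\n",
                   rk ? "rootkit" : "clean", ssdt_entry_hooked(SVC_QUERY_SYSTEM_INFO));
    }
    return 0;
}
```

The comparison only exposes a hook for inputs that reach the hidden object, so on a real system the evaluation has to be driven with parameters that exercise what the rootkit might conceal (process, file and registry enumerations), and the trusted routine must be reached through the original code rather than through the patched table, which is the role the abstract's detour patching plays.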

Security; SSDT; Rootkits

Chien-Ming Chen, Mu-En Wu, Bing-Zhe He, Xinying Zheng, Chieh Hsing, Hung-Min Sun

School of Computer Science and Technology, Harbin Institute of Technology Shenzhen Graduate School, Sh; Department of Mathematics, Soochow University, Taipei, Taiwan, R.O.C.; Department of Computer Sciences, National Tsing Hua University, Hsinchu, Taiwan, R.O.C.; School of Computer Science and Technology, Harbin Institute of Technology Shenzhen Graduate School, Sh

International conference

The 10th International Conference on Information Security Practice and Experience (ISPEC 2014)

Fuzhou

English

pp. 119-128

2014-05-05 (date the paper first appeared on the Wanfang platform; not the publication date)