Sciweavers

CCS
2009
ACM

Robust signatures for kernel data structures

14 years 6 months ago
Robust signatures for kernel data structures
Kernel-mode rootkits hide objects such as processes and threads using a technique known as Direct Kernel Object Manipulation (DKOM). Many forensic analysis tools attempt to detect these hidden objects by scanning kernel memory with handmade signatures; however, such signatures are brittle and rely on non-essential features of these data structures, making them easy to evade. In this paper, we present an automated mechanism for generating signatures for kernel data structures and show that these signatures are robust: attempts to evade the signature by modifying the structure contents will cause the OS to consider the object invalid. Using dynamic analysis, we profile the target data structure to determine commonly used fields, and we then fuzz those fields to determine which are essential to the correct operation of the OS. These fields form the basis of a signature for the data structure. In our experiments, our new signature matched the accuracy of existing scanners for traditio...
Brendan Dolan-Gavitt, Abhinav Srivastava, Patrick
Added 19 May 2010
Updated 19 May 2010
Type Conference
Year 2009
Where CCS
Authors Brendan Dolan-Gavitt, Abhinav Srivastava, Patrick Traynor, Jonathon T. Giffin
Comments (0)