Sciweavers

NDSS
2009
IEEE

K-Tracer: A System for Extracting Kernel Malware Behavior

14 years 7 months ago
K-Tracer: A System for Extracting Kernel Malware Behavior
Kernel rootkits can provide user level-malware programs with the additional capabilities of hiding their malicious activities by altering the legitimate kernel behavior of an operating system. While existing research has studied rootkit hooking behavior in an effort to help develop defense and remediation mechanisms, automated analysis of the actual malicious goals and capabilities of rootkits has not been adequately investigated. In this paper, we present an approach based on a combination of backward slicing and chopping techniques that enables automatic discovery of the system data manipulation behaviors of rootkits. We have built a system called K-Tracer that can dynamically analyze Windows kernel-level code and extract malicious behaviors from rootkits, including sensitive data access, modification and triggers. Our system overcomes several challenges of analyzing the Windows Kernel. We have performed experiments on several kernel malware samples and shown that our system can su...
Andrea Lanzi, Monirul I. Sharif, Wenke Lee
Added 21 May 2010
Updated 21 May 2010
Type Conference
Year 2009
Where NDSS
Authors Andrea Lanzi, Monirul I. Sharif, Wenke Lee
Comments (0)