Detecting Kernel-Level Rootkits Through Binary Analysis
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
Proceedings of the 12th ACM conference on Computer and communications security
Copilot - a coprocessor-based kernel runtime integrity monitor
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Exploring Multiple Execution Paths for Malware Analysis
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Automated detection of persistent kernel control-flow attacks
Proceedings of the 14th ACM conference on Computer and communications security
Panorama: capturing system-wide information flow for malware detection and analysis
Proceedings of the 14th ACM conference on Computer and communications security
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction
Proceedings of the 14th ACM conference on Computer and communications security
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
Proceedings of the 14th ACM conference on Computer and communications security
A case study of the rustock rootkit and spam bot
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Countering Persistent Kernel Rootkits through Systematic Hook Discovery
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Automatic Inference and Enforcement of Kernel Data Structure Invariants
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Multi-aspect profiling of kernel rootkit behavior
Proceedings of the 4th ACM European conference on Computer systems
Shepherding Loadable Kernel Modules through On-demand Emulation
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
A forced sampled execution approach to kernel rootkit identification
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
dAnubis: dynamic device driver analysis based on virtual machine introspection
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Characterizing kernel malware behavior with kernel data access patterns
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Virtualization: Issues, security threats, and solutions
ACM Computing Surveys (CSUR)
Identifying OS kernel objects for run-time security analysis
NSS'12 Proceedings of the 6th international conference on Network and System Security
Design and implementation of a trusted monitoring framework for cloud platforms
Future Generation Computer Systems
| Hi-index | 0.00 |
Using a sandbox for malware analysis has proven effective in helping people quickly understand the behavior of unknown malware. This technique is also complementary to other malware analysis techniques such as static code analysis and debugger-based code analysis. This paper presents Rkprofiler , a sandbox-based malware tracking system that dynamically monitors and analyzes the behavior of Windows kernel malware. Kernel malware samples run inside a virtual machine (VM) that is supported and managed by a PC emulator. By building its monitoring component into the PC emulator, Rkprofiler is able to inspect each instruction executed by the kernel malware and therefore possesses a powerful weapon against the malware. Rkprofiler provides several capabilities that other malware tracking systems do not. First, it can detect the execution of malicious kernel code regardless of how the monitored kernel malware is loaded into the kernel and whether it is packed or not. Second, it captures all function calls made by the kernel malware and constructs call graphs from the trace files. Third, a technique called aggressive memory tagging (AMT) is proposed to track the dynamic data objects that the kernel malware visit. Last, Rkprofiler records and reports the hardware access events of kernel malware (e.g., MSR register reads and writes). Our evaluation results show that Rkprofiler can quickly expose the security-sensitive activities of kernel malware and thus reduces the effort exerted in conducting tedious manual malware analysis.