Rootkits: Subverting the Windows Kernel
Detecting Stealth Software with Strider GhostBuster
DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Towards a tamper-resistant kernel rootkit detector
Proceedings of the 2007 ACM symposium on Applied computing
QEMU, a fast and portable dynamic translator
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Toward Automated Dynamic Malware Analysis Using CWSandbox
IEEE Security and Privacy
Antfarm: tracking processes in a virtual machine environment
ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
Renovo: a hidden code extractor for packed executables
Proceedings of the 2007 ACM workshop on Recurring malcode
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction
Proceedings of the 14th ACM conference on Computer and communications security
VMM-based hidden process detection and identification using Lycosid
Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Compatibility is not transparency: VMM detection myths and realities
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Developing Drivers with the Windows Driver Foundation
Learning and Classification of Malware Behavior
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Countering Persistent Kernel Rootkits through Systematic Hook Discovery
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Multi-aspect profiling of kernel rootkit behavior
Proceedings of the 4th ACM European conference on Computer systems
Secure in-VM monitoring using hardware virtualization
Proceedings of the 16th ACM conference on Computer and communications security
Malware Behavioral Detection by Attribute-Automata Using Abstraction from Platform and Language
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Toward Revealing Kernel Malware Behavior in Virtual Execution Environments
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Automated classification and analysis of internet malware
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
A view on current malware behaviors
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Return-oriented rootkits: bypassing kernel code integrity protection mechanisms
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Unpacking virtualization obfuscators
WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
A fistful of red-pills: how to automatically generate procedures to detect CPU emulators
WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
DriverGuard: a fine-grained protection on I/O flows
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Holography: a behavior-based profiler for malware analysis
Software—Practice & Experience
In the escalating arms race between malicious code and the security tools designed to analyze it, detect it, or mitigate its impact, malicious code running inside the operating system kernel is an extremely powerful tool. Kernel-level code can introduce hard-to-detect backdoors, provide stealth by hiding files, processes, or other resources, and in general tamper with operating system code and data in arbitrary ways. Under Windows, kernel-level malicious code typically takes the form of a device driver. In this work, we present dAnubis, a system for the real-time, dynamic analysis of malicious Windows device drivers. dAnubis can automatically provide a high-level, human-readable report of a driver's behavior on the system. We applied our system to a dataset of over 400 malware samples. The results of this analysis shed some light on the behavior of kernel-level malicious code that is in the wild today.