Abstract
It is easy to discover if there are hooks in the System Service Dispatch Table (SSDT). However, it is difficult to tell whether theses hooks are malicious or not after finding out the hooks in the SSDT. In this paper, we propose a scheme that evaluates the hooks by comparing the returned results before hooking and after hooking. If a malicious hook which hides itself by the way of modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that it will not perturb the normal operation of user-mode programs. Finally, we focus on the existing approaches of rootkits detection in both user-mode and kernel-mode. Our method effectively monitors the behavior of hooks and brings an accurate view point for users to examine their computers.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Chen, C.-M., Wang, K.-H., Wu, T.-Y., Pan, J.-S., Sun, H.-M.: A scalable transitive human-verifiable authentication protocol for mobile devices. IEEE Transactions on Information Forensics and Security 8(8), 1318–1330 (2013)
DiabloNova. Rootkit Unhooker v3.8 (2007), http://www.rootkit.com/newsread.php?newsid=902
He, B.-Z., Chen, C.-M., Su, Y.-P., Sun, H.-M.: A defence scheme against identity theft attack based on multiple social networks. Expert Systems with Applications 41(5), 2345–2352 (2014)
Hoglund, G., Butler, J.: HideProcessHookMDL (2004), http://www.rootkit.com/
Hoglund, G., Butler, J.: Rootkits-Subverting the Windows Kernel. Addison-Wesley (2004)
Jiang, X., Wang, X., Xu, D.: Stealthy Malware Detection through VMM-Based “Out-of-the-Box” SemanticView Reconstruction. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 128–138 (2007)
Joanna, R.: Thoughts about Cross-View Based Rootkit Detection (2005), http://invisiblethings.org
King, S.T., Chen, P.M., Wang, Y.-M., Verbowski, C., Wang, H.J., Lorch, J.R.: SubVirt: Implementing Malware with Virtual Machines. In: 2006 IEEE Symposium on Security and Privacy, pp. 314–327 (2006)
Kruegel, C., Robertson, W., Vigna, G.: Detecting Kernel-Level Rootkits through Binary Analysis. In: Proceedings of the 20th Annual Computer Security Applications Conference, pp. 91–100. IEEE Computer Society (2004)
Levine, J., Grizzard, J., Owen, H.: A Methodology to Detect and Characterize Kernel Level Rootkit Exploits Involving Redirection of the System Call Table. In: Proceedings of the Second IEEE International Information Assurance Workshop, pp. 107–125. IEEE (2004)
Levine, J., Grizzard, J., Phillip, H., Owen, H.: A Methodology to Characterize Kernel Level Rootkit Exploits that Overwrite the System Call Table. In: Proceedings of the IEEE SoutheastCon, pp. 25–31. IEEE (2004)
Lin, C.-W., Hong, T.-P., Chang, C.-C., Wang, S.-L.: A greedy-based approach for hiding sensitive itemsets by transaction insertion. Journal of Information Hiding and Multimedia Signal Processing 4(4), 201–227 (2013)
R. S. Projects. RootKit Hook Analyzer (2007), http://www.resplendence.com/hookanalyzer
Quynh, N.A., Takefuji, Y.: Towards a Tamper-Resistant Kernel Rootkit Detector. In: Proceedings of the 2007 ACM Symposium on Applied Computing, pp. 276–283. ACM (2007)
Sun, H.-M., Chen, C.-M., Shieh, C.-Z.: Flexible-pay-per-channel: A new model for content access control in pay-tv broadcasting systems. IEEE Transactions on Multimedia 10(6), 1109–1120 (2008)
Sun, H.-M., Wang, H., Wang, K.-H., Chen, C.-M.: A native apis protection mechanism in the kernel mode against malicious code. IEEE Transactions on Computers 60(6), 813–823 (2011)
Tan, C.K.: Defeating Kernel Native API Hookers by Direct Service Dispatch Table Restoration (2004), http://www.security.org.sg
Wang, Y.-M., Beck, D.: Fast User-Mode Rootkit Scanner for the Enterprise. In: Proceedings of the 19th Conference on Large Installation System Administration Conference, pp. 23–30. USENIX (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Chen, CM., Wu, ME., He, BZ., Zheng, X., Hsing, C., Sun, HM. (2014). A Methodology for Hook-Based Kernel Level Rootkits. In: Huang, X., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2014. Lecture Notes in Computer Science, vol 8434. Springer, Cham. https://doi.org/10.1007/978-3-319-06320-1_10
Download citation
DOI: https://doi.org/10.1007/978-3-319-06320-1_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-06319-5
Online ISBN: 978-3-319-06320-1
eBook Packages: Computer ScienceComputer Science (R0)