A Methodology for Hook-Based Kernel Level Rootkits

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8434)

Abstract

It is easy to discover whether there are hooks in the System Service Dispatch Table (SSDT). However, once the hooks in the SSDT have been found, it is difficult to tell whether they are malicious or not. In this paper, we propose a scheme that evaluates the hooks by comparing the results returned before hooking with those returned after hooking. If a malicious hook hides itself by modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that the evaluation does not perturb the normal operation of user-mode programs. Finally, we survey the existing approaches to rootkit detection in both user mode and kernel mode. Our method effectively monitors the behavior of hooks and gives users an accurate view with which to examine their computers.
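The before/after comparison the abstract describes, as an added toy model that is not the paper's code: a constructed dispatch table keeps its pristine entries, and a hook is judged by calling the original and the current entry with identical arguments and diffing what comes back. The service index, the process names and the three hook variants are all constructed for illustration.

```python
from typing import Callable, Dict, List

# Constructed kernel state: what the genuine service would report.
PROCESS_LIST = ["System", "explorer.exe", "svchost.exe", "rk_hidden.exe"]
QSI_INDEX = 0x10  # constructed service index, not a real SSDT slot

def nt_query_system_information(info_class: str) -> List[str]:
    """Stand-in for the original Native API entry (constructed)."""
    return list(PROCESS_LIST) if info_class == "SystemProcessInformation" else []

class SSDT:
    """Toy dispatch table: service index -> function; the pristine copy is kept."""
    def __init__(self) -> None:
        self.original: Dict[int, Callable] = {}
        self.current: Dict[int, Callable] = {}

    def install(self, index: int, func: Callable) -> None:
        self.original[index] = self.current[index] = func

    def hook(self, index: int, func: Callable) -> None:
        self.current[index] = func  # done by a rootkit or a benign monitor alike

def logging_hook(info_class: str) -> List[str]:
    """Benign hook: observes the call and forwards it unchanged."""
    return nt_query_system_information(info_class)

def filtering_hook(info_class: str) -> List[str]:
    """Hiding hook that edits the result on the way back to the caller."""
    return [p for p in nt_query_system_information(info_class) if p != "rk_hidden.exe"]

def param_rewriting_hook(info_class: str) -> List[str]:
    """Hiding hook that alters the parameter before forwarding (the case the abstract names)."""
    return nt_query_system_information("SystemBasicInformation")

def evaluate_hook(table: SSDT, index: int, *args) -> dict:
    """Call the pristine entry and the current entry with identical arguments
    and diff their results: the before/after comparison from the abstract."""
    before = table.original[index](*args)
    after = table.current[index](*args)
    return {"hooked": table.current[index] is not table.original[index],
            "hidden": sorted(set(before) - set(after)),
            "injected": sorted(set(after) - set(before))}

def verdict(report: dict) -> str:
    """Classify: an unhooked entry, a hook that changes nothing, or a suspicious one."""
    if not report["hooked"]:
        return "unhooked"
    return "suspicious" if report["hidden"] or report["injected"] else "benign-hook"
```

In a real kernel the pristine entry is not simply kept in a second dictionary; the paper's detour patching is what lets the detector reach the original code path without disturbing user-mode callers.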



Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Chen, CM., Wu, ME., He, BZ., Zheng, X., Hsing, C., Sun, HM. (2014). A Methodology for Hook-Based Kernel Level Rootkits. In: Huang, X., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2014. Lecture Notes in Computer Science, vol 8434. Springer, Cham. https://doi.org/10.1007/978-3-319-06320-1_10


  • DOI: https://doi.org/10.1007/978-3-319-06320-1_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-06319-5

  • Online ISBN: 978-3-319-06320-1
