Abstract
With the introduction of kernel integrity checking mechanisms in modern operating systems, such as PatchGuard on Windows OS, malware developers can no longer easily install stealthy hooks in kernel code and well-known data structures. Instead, they must target other areas of the kernel, such as the heap, which stores a large number of function pointers that are potentially prone to malicious exploits. These areas of kernel memory are currently not monitored by kernel integrity checkers.
We present a novel approach to monitoring the integrity of Windows kernel pools, based entirely on virtual machine introspection, called HookLocator. Unlike prior efforts to maintain kernel integrity, our implementation runs entirely outside the monitored system, which makes it inherently more difficult to detect and subvert. Our system also scales easily to protect multiple virtualized targets. Unlike other kernel integrity checking mechanisms, HookLocator does not require the source code of the operating system, complex reverse engineering efforts, or the debugging map files. Our empirical analysis of kernel heap behavior shows that integrity monitoring needs to focus only on a small fraction of it to be effective; this allows our prototype to provide effective real-time monitoring of the protected system.
This work was supported by the NSF grant CNS # 1016807.
Notes
1. While the .reloc section of the MS Windows kernel does contain the relocation table, the section is discardable, as identified by the Characteristics field in its section header.
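The footnote matters for any introspection tool that hoped to use the relocation table to locate pointers in the running kernel: a section flagged IMAGE_SCN_MEM_DISCARDABLE may be freed by the memory manager once the image is initialized, so its contents are not reliably present in memory. The following Python, an added example that is not part of the paper or of HookLocator, parses the section table of a PE image and reports which sections carry that flag. The image it inspects is a small PE constructed inline for the example, not a real ntoskrnl; the layout constants follow the PE/COFF specification.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(image: bytes):
    """Return [(name, virtual_address, characteristics), ...] from the PE section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]       # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]          # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size                                      # section table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, image, table + 40 * i)
        name, vaddr, chars = fields[0], fields[2], fields[9]
        sections.append((name.rstrip(b"\0").decode("ascii"), vaddr, chars))
    return sections


def discardable_sections(image: bytes):
    """Names of sections the loader is allowed to free after initialization."""
    return [name for name, _, chars in parse_sections(image) if chars & IMAGE_SCN_MEM_DISCARDABLE]


def reloc_resident(image: bytes) -> bool:
    """True only if a .reloc section exists and is NOT marked discardable."""
    for name, _, chars in parse_sections(image):
        if name == ".reloc":
            return not (chars & IMAGE_SCN_MEM_DISCARDABLE)
    return False


def build_image(section_specs):
    """Construct a minimal PE32+ image with the given (name, virtual address, characteristics) sections.
    Constructed for this example only; optional header is zero-filled."""
    opt_size = 0xF0  # size of IMAGE_OPTIONAL_HEADER64
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, opt_size, 0x22)
    headers = b""
    for name, vaddr, chars in section_specs:
        headers += struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                               0x1000, vaddr, 0x1000, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + bytes(opt_size) + headers


# Constructed sample mimicking the section layout the footnote describes.
SAMPLE_KERNEL_IMAGE = build_image([
    (".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".reloc", 0x3000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for name, vaddr, chars in parse_sections(SAMPLE_KERNEL_IMAGE):
        state = "discardable" if chars & IMAGE_SCN_MEM_DISCARDABLE else "resident"
        print(f"{name:8s} RVA=0x{vaddr:x}  {state}")
    print("relocation table usable from memory:", reloc_resident(SAMPLE_KERNEL_IMAGE))
```

Running the same parser over a real image read from disk (`open(path, "rb").read()`) gives the answer for that binary; on a Windows kernel the .reloc entry is expected to show as discardable, which is why a memory-only monitor cannot lean on it.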
© 2015 Springer International Publishing Switzerland
Cite this paper
Ahmed, I., Richard, G.G., Zoranic, A., Roussev, V. (2015). Integrity Checking of Function Pointers in Kernel Pools via Virtual Machine Introspection. In: Desmedt, Y. (ed.) Information Security. Lecture Notes in Computer Science, vol 7807. Springer, Cham. https://doi.org/10.1007/978-3-319-27659-5_1
DOI: https://doi.org/10.1007/978-3-319-27659-5_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27658-8
Online ISBN: 978-3-319-27659-5
eBook Packages: Computer Science (R0)