An Efficient Solution for Hook-Based Kernel Level Rootkits

Master's thesis, National Tsing Hua University, Institute of Information Systems and Applications, academic year 97 (ROC calendar).

Abstract: It is easy to discover whether there are hooks in the System Service Dispatch Table (SSDT). However, once hooks in the SSDT have been found, it is difficult to tell whether they are malicious. We therefore observe the behavior of these hooks by re-calling the original Native API and examining the results in order to make a better decision. When users inspect their computers with existing tools (e.g., Rootkit Unhooker, Rootkit Hook Analyzer) and find some hooks, they do not know what to do next, because legitimate software (e.g., anti-virus software, online games) may also hook the SSDT. In this paper, we propose a scheme that evaluates hooks by comparing the results returned before and after hooking. Through this comparison, if a malicious hook hides itself by modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that the scheme does not perturb the normal operation of user-mode programs. Finally, we discuss existing approaches to rootkit detection in both user mode and kernel mode. Our method effectively monitors the behavior of hooks and gives users an accurate view with which to examine their computers.


Bibliographic Details
Main Author: Hsing, Chieh (邢傑)
Other Authors: Sun, Hung-Min (孫宏民)
Title (Chinese): 一個針對掛鉤式Rootkits的有效解決方式
Format: Others (學位論文 ; thesis); extent given in the record as 45 (presumably pages)
Language: en_US
Published: 2009
Online Access: http://ndltd.ncl.edu.tw/handle/71998633525300700162