International conference on security management

Identifying Rootkit Infections Using a New Windows Hidden-driver-based Rootkit


Abstract

It can be observed that most sophisticated kernel-mode rootkits implement their hiding tasks by loading drivers in Windows. Moreover, more and more malware writers are taking advantage of rootkits to shield their illegal activities. Therefore, the role of a detector that effectively detects Windows driver-hidden rootkits is becoming extremely important. In our previous work, we focused on developing a new Windows driver-hidden rootkit with five tricks based on the technique of DKOM (Direct Kernel Object Manipulation), and verified that it can successfully evade a variety of well-known rootkit detectors. In this paper, we extend our previous work by employing what we learned from the proposed driver-hidden rootkit to explore remedies and solutions for identifying not only this new threat but also other existing rootkits. It is expected that this research will contribute to the development of detection methods for unknown Windows hidden-driver-based rootkits.
