Journal: Journal of Cyber Security and Mobility

Memory Acquisition by Using Network Card

Abstract

To detect a rootkit that is present on a system, rootkit and malware detectors need access to memory. However, sophisticated rootkits can subvert a security scanner's verification process, using virtual memory subversion techniques to hide their activity. We have proposed a new solution for direct memory access, based on a custom NDIS protocol driver that can send the contents of the computer's memory over the network at the request of a local executable program. Our method allows an unexpected type of direct memory access that is independent of the processor and its control capabilities. This is a strong advantage in rootkit detection, because the rootkit cannot take any action to hide itself while the memory is being scanned.
