Journal: Advanced Science Letters

Dual-Mode Kernel Rootkit Scan and Recovery with Process ID Brute-Force


Abstract

A rootkit is malware that attacks a system continuously by hiding files, processes, and registry entries. DKOM (Direct Kernel Object Manipulation) is a process-hiding technique that manipulates kernel objects. AL-DKOM (All Link Direct Kernel Object Manipulation) is an extended version of DKOM that manipulates all the modifiable links in the kernel object, which makes it difficult to detect with existing tools. This paper designs and implements a new AL-DKOM detection system using dual-mode operation and a PIDB (process ID brute-force) based process scan, which was not possible with the existing list-walking method. In addition, we explain the recovery procedure for an infected system and flexible system management via process recovery, which has not been tried before. We then show the performance of the new system by comparing and analyzing its effectiveness against existing rootkit-scanning tools with real rootkit samples.
