Igor.Korkin deleted file 4.3.2. Rating Point Inspection (RPI) for DRIVER_OBJECT detection.tex  over 9 years ago

Commit id: 7ea8b251ff41ac750193ac238e3ca4ae78f46ab6


\subsubsection{Rating Point Inspection (RPI) for DRIVER_OBJECT detection}

Rating Point Inspection (RPI) is a development of the DBS detection approach. The first difference is that RPI has to be manually adjusted to a specific structure type, such as the DRIVER_OBJECT or DEVICE_OBJECT structure. The second difference in the case of RPI is the use of an additional weight matrix, which gives a more precise accounting of matches: we calculate the total matching points (the score) rather than counting the individual matches themselves. For example, if one of the checks is true, 1, 2, 3 etc. points are added to the final score. In the DBS case we simply sum the number of matches, i.e. only 1 point is added to the final sum if a check is true.

The conclusion that a DRIVER_OBJECT structure matches is made in a similar way, by comparing the score with a threshold value. The threshold value is determined by calculating the same metrics for the "not hidden" DRIVER_OBJECT structures, i.e. those that are listed in DirectoryObject.

First let us briefly describe the DRIVER_OBJECT detection technique and then give an explanation:

\begin{enumerate}
\item Get the memory dump (‘dump.log’ and ‘struct.log’) and save the addresses of the DRIVER_OBJECT structures in the ‘drvobj.log’ file. To do the latter, use the ZwOpenDirectoryObject function.
\item Determine the ‘min_major_function’ value.
\item Determine the ‘global_scope’ value.
\item Determine the ‘global_scope_deep’ value. The following steps (5, 6, 7) are done iteratively and will be explained further.
\item Perform a byte-by-byte DRIVER_OBJECT structure search with the help of the ‘is_integrated_driver’ function, which calculates the number of matching points for each memory region.
\item The conclusion that a DRIVER_OBJECT structure is found is made by comparing the matching points from step 5 with the ‘global_scope’ value obtained in step 3. If the matching points are not smaller than the ‘global_scope’ value, the DRIVER_OBJECT structure is present. Otherwise, calculate the number of deep matching points for this memory area with the help of ‘is_integrated_driver_deep’. If the structure has been found, go to step 5 and continue the lookup.
\item The conclusion that a DRIVER_OBJECT structure is found is made by comparing the deep matching points obtained in step 6 with the ‘global_scope_deep’ value obtained in step 4. If the deep matching points are not smaller than the ‘global_scope_deep’ value, the DRIVER_OBJECT structure is present. Otherwise, go to step 5 and continue the lookup.
\item Repeat steps 6-8 for the whole memory area. As a result, get the RPI-matching list of DRIVER_OBJECT structures.
\item Compare the RPI-matching list with the drivers list obtained in step 1.
\end{enumerate}

Steps 2, 3 and 4 are described in detail below. Steps 6 and 7 are ‘if-else’ statements.

\textbf{Details of step 2. Determine the ‘min_major_function’ value.} Use the ZwOpenDirectoryObject function to obtain the list of DRIVER_OBJECT structures. For each DRIVER_OBJECT structure, calculate the maximum number of function addresses in MajorFunction that are the same, with the help of ‘max_same_major_functions’. From these values select the minimum – this is ‘min_major_function’.

\textbf{Details of step 3. Determine the ‘global_scope’ value.} Use the ZwOpenDirectoryObject function to obtain the list of DRIVER_OBJECT structures. For each DRIVER_OBJECT structure, calculate the number of points with the help of Table 4. If one of the conditions is false, 0 points are added to the total number of matching points. The total matching score is the result of checking all the conditions in the table. For example, if all the conditions are true apart from the second, the total score is 10. Among these values select the minimum – this is ‘global_scope’.
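As an added illustration of the RPI scoring scheme (example code, not the paper's own tooling), the following Python models the weighted checks, derives ‘min_major_function’ and ‘global_scope’ as minima over the directory-listed drivers (steps 2 and 3), and scans constructed candidate regions (steps 5, 6 and 9). The conditions and weights are assumed stand-ins for Table 4, the deep stage (‘global_scope_deep’) is omitted, and the DRIVER_OBJECT records are constructed sample data rather than a real dump.

```python
from collections import Counter

def max_same_major_functions(major_function):
    """Largest number of MajorFunction slots that share one and the same address."""
    return max(Counter(major_function).values())

def rpi_score(obj, min_major_function):
    """Weighted RPI check: each true condition adds its weight, a false one adds 0.
    The conditions and weights below are assumed stand-ins for the paper's Table 4."""
    checks = [
        (obj["type"] == 4, 3),              # IO_TYPE_DRIVER
        (obj["size"] == 0xA8, 2),           # sizeof(DRIVER_OBJECT) on x86 (assumed target)
        (obj["driver_start"] != 0, 1),
        (obj["driver_size"] != 0, 1),
        (max_same_major_functions(obj["major_function"]) >= min_major_function, 3),
    ]
    return sum(weight for ok, weight in checks if ok)

def thresholds(known_drivers):
    """Steps 2 and 3: take the minimum over the 'not hidden' drivers from the directory."""
    min_mf = min(max_same_major_functions(d["major_function"]) for d in known_drivers)
    global_scope = min(rpi_score(d, min_mf) for d in known_drivers)
    return min_mf, global_scope

def scan(candidates, known_drivers):
    """Steps 5, 6 and 9: score every candidate region, keep those reaching the
    threshold, and report the ones missing from the directory list (hidden drivers)."""
    min_mf, global_scope = thresholds(known_drivers)
    matched = [c["addr"] for c in candidates if rpi_score(c, min_mf) >= global_scope]
    listed = {d["addr"] for d in known_drivers}
    return [addr for addr in matched if addr not in listed]

def make_obj(addr, major_function, type_=4, size=0xA8, start=0x80001000, drv_size=0x5000):
    """Minimal DRIVER_OBJECT-like record (constructed sample data, not a real dump)."""
    return {"addr": addr, "type": type_, "size": size, "driver_start": start,
            "driver_size": drv_size, "major_function": major_function}

# Constructed sample: two drivers listed in the object directory, one driver unlinked
# from it, and a random region that only partly resembles a DRIVER_OBJECT.
DISPATCH, DEFAULT = 0x80012340, 0x80010000          # two assumed handler addresses
KNOWN = [
    make_obj(0x81000000, [DEFAULT] * 28),                  # all 28 slots -> one stub
    make_obj(0x81001000, [DISPATCH] * 3 + [DEFAULT] * 25),
]
CANDIDATES = KNOWN + [
    make_obj(0x82000000, [DISPATCH] * 3 + [DEFAULT] * 25),               # hidden driver
    make_obj(0x83000000, [0x1000 + i for i in range(28)], size=0x40),    # junk region
]
```

Calling scan(CANDIDATES, KNOWN) returns only the unlisted address 0x82000000: the junk region scores below ‘global_scope’ and the two directory-listed drivers are filtered out in the final comparison.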