Igor.Korkin deleted file 4.3.1. Dynamic Bit Signature (DBS) for EPROCESS Detection2.tex  over 9 years ago

Commit id: 90b570b2f4eaaf36a46ecd44129f72a1aac835d2


It is evident that the initial bytes of every structure are identical, while the later bytes differ. From this we concluded that a search for typical fragments of the EPROCESS structure would find every EPROCESS structure, whether hidden or not. The procedure is described below.

\textbf{Stealth process detection approach:}
\begin{enumerate}
\item Create a dynamic bit signature (DBS) as a template that matches every EPROCESS structure.
\item Using a probabilistic search for the DBS in kernel memory, find every EPROCESS structure, hidden or not. The result is the DBS-based list.
\item Compare the DBS-based list with the list of processes obtained by standard means of the OS, e.g. \texttt{NtQuerySystemInformation}.
\end{enumerate}

The dynamic bit signature includes only those bytes whose values are the same in every EPROCESS structure on the list. For example, the byte in the middle of each EPROCESS structure in Figure 3 has the same value (the green square labelled `05'), so it is added to the signature automatically. The signature is then used to scan kernel memory directly, fragment by fragment, without relying on any list maintained by the OS. For each memory fragment the number of matches with the DBS signature is counted. If the current fragment satisfies the inequality $(\Sigma - \Delta) \le i \le \Sigma$, a structure of the sought kind is considered found; here $\Sigma$ is the number of positions in the signature (bytes, or bits in the bit-level variant introduced below), $\Delta$ is the number of mismatches that is tolerated (for example $\Delta = 0.2\,\Sigma$, so that at least 80\% of the signature must match) and $i$ is the number of signature positions the current fragment matches. If the inequality does not hold, the fragment is skipped and the analysis continues with the next fragment until all of memory has been examined. The result is the complete list of process structures obtained by DBS matching.

Whether hidden processes are present is decided by comparing the DBS-matching list with the list obtained from \texttt{NtQuerySystemInformation}. The approach was tested successfully both on deliberately hidden objects and on real rootkits such as Virus.Win32.Sality.q and Trojan.Win32.VB.aqt (Kaspersky Lab naming).

It is important to emphasise that the EPROCESS structure contains many fields whose values are pointers to other kernel-mode structures; on 32-bit Windows with the default address split such values therefore lie at or above \texttt{0x80000000}. Schuster's paper [90] partly exploits this fact, but his approach remains vulnerable to byte modification and needs an updated EPROCESS signature whenever a new Windows version is released. We propose to improve the byte-based signature approach with a bit-based one, which works in the same way but at the level of individual bit values. This approach has the following advantages:
\begin{itemize}
\item Because the bit-based signature is generated automatically from the structures the OS reports, the byte-based approach adapts to new Windows versions and service packs without manual signature maintenance;
\item Owing to the probabilistic nature of the lookup, all EPROCESS structures are found even when they have been deliberately modified and only 70--80\% of the data matches the signature. The threshold value can be adjusted manually.
\end{itemize}
This approach can be used to detect any object in memory that has a typical layout, but only if the structure definition is large enough: for compact structures the number of falsely detected structures grows, because a short signature carries too few positions to reject unrelated memory. For detecting \texttt{DRIVER\_OBJECT} structures, which are about a quarter of the size of EPROCESS, the proposed approach needs the improvements described further on.
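The three steps above, worked through in Python as an added example (this is not the author's code, and it makes no claim about the real EPROCESS layout): the record format, its size of 48 bytes, the constant header bytes, the 8-byte allocation alignment, the 4 KiB memory image and all offsets in it are constructed for the illustration. The signature is generated at bit level from the structures the OS admits to, memory is scanned for fragments that satisfy $(\Sigma - \Delta) \le i \le \Sigma$ with $\Delta = 0.2\,\Sigma$, and the scan result is diffed against the OS list; the image contains one unlinked record and one record whose header and first pointers were overwritten, and both must still be reported.

```python
"""Toy dynamic bit signature (DBS) scan, added here as an illustration.

This is not the original work's code. The record layout below is a
constructed stand-in for EPROCESS (every offset and constant is invented),
so only the procedure is faithful to the text: derive a bit mask from the
structures the OS admits to, scan memory for near-matches, and report
whatever the OS list lacks.
"""
import random
import struct

REC_SIZE = 48               # size of the toy structure (assumed)
ALIGN = 8                   # assumed allocation alignment of the structures
KERNEL_BASE = 0x80000000    # 32-bit kernel-mode addresses lie at or above this
HEADER = bytes([0x03, 0x00, 0x1B, 0x00, 0xC8, 0x00, 0x01, 0x00])  # invented constant bytes


def make_record(rng, pid):
    """Constructed record: 8 constant header bytes, six kernel-mode pointers
    (top bit always set), 8 zeroed reserved bytes, a PID and 4 noise bytes."""
    ptrs = b"".join(struct.pack("<I", KERNEL_BASE | rng.getrandbits(31)) for _ in range(6))
    noise = bytes(rng.getrandbits(8) for _ in range(4))
    rec = HEADER + ptrs + bytes(8) + struct.pack("<I", pid) + noise
    assert len(rec) == REC_SIZE
    return rec


def popcount(data):
    return sum(bin(b).count("1") for b in data)


def build_dbs(samples):
    """Step 1: a mask bit is set where every sample agrees on that bit and
    value carries the agreed bit, so Sigma = popcount(mask)."""
    n = len(samples[0])
    mask = bytearray([0xFF] * n)
    for s in samples[1:]:
        for k in range(n):
            mask[k] &= ~(s[k] ^ samples[0][k]) & 0xFF
    value = bytes(samples[0][k] & mask[k] for k in range(n))
    return bytes(mask), value


def matches(mask, value, chunk):
    """i: how many signature bits the chunk reproduces."""
    return popcount(mask) - popcount(bytes((c ^ v) & m for c, v, m in zip(chunk, value, mask)))


def scan(mem, mask, value, min_ratio=0.8, step=ALIGN):
    """Step 2: offsets satisfying (Sigma - Delta) <= i <= Sigma, with
    Delta = (1 - min_ratio) * Sigma, i.e. at least min_ratio of the signature matches."""
    sigma = popcount(mask)
    delta = round(sigma * (1.0 - min_ratio))
    n = len(mask)
    return [off for off in range(0, len(mem) - n + 1, step)
            if sigma - delta <= matches(mask, value, mem[off:off + n]) <= sigma]


def build_memory(seed=7):
    """Constructed 4 KiB image: random filler, eight records the OS reports,
    one unlinked record, and one record with a damaged header and two cleared pointers."""
    rng = random.Random(seed)
    mem = bytearray(rng.getrandbits(8) for _ in range(4096))
    visible = {0x100: 4, 0x200: 8, 0x300: 12, 0x400: 16,
               0x500: 20, 0x600: 24, 0x800: 28, 0x900: 32}   # offset -> PID
    for off, pid in visible.items():
        mem[off:off + REC_SIZE] = make_record(rng, pid)
    hidden, tampered = 0x700, 0xA00
    mem[hidden:hidden + REC_SIZE] = make_record(rng, 40)
    rec = bytearray(make_record(rng, 44))
    rec[0:2] = b"\xFF\xFF"      # overwrite two constant header bytes
    rec[16:24] = bytes(8)       # clear the third and fourth pointers
    mem[tampered:tampered + REC_SIZE] = rec
    return bytes(mem), visible, {hidden, tampered}


def find_hidden(mem, visible, min_ratio=0.8):
    """Steps 1-3: build the DBS from the structures the OS lists, scan for
    every instance, and return (all found, found but not listed by the OS)."""
    mask, value = build_dbs([mem[off:off + REC_SIZE] for off in visible])
    found = set(scan(mem, mask, value, min_ratio))
    return found, found - set(visible)


if __name__ == "__main__":
    mem, visible, _ = build_memory()
    found, hidden = find_hidden(mem, visible)
    print("OS list :", [hex(o) for o in sorted(visible)])
    print("DBS scan:", [hex(o) for o in sorted(found)])
    print("hidden  :", [hex(o) for o in sorted(hidden)])
```

Two points the toy image glosses over. The scan advances by the assumed allocation alignment rather than byte by byte: because the signature of a structure like this is dominated by zero bits, a copy of the structure shifted by one or two bytes still matches most of it, and an unaligned scan reports the same object several times. Likewise, the filler here is random, whereas real kernel memory is full of zero-filled pages and long zero runs, which a zero-dominated signature also matches; a real scan therefore needs either a stricter threshold or a filter that discounts zero bits, which is the false-positive problem the text raises for compact structures.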