Igor.Korkin renamed 1.tex to The Center of Mass of Kernel Mode Structures1.tex  over 9 years ago

Commit id: b1f9d80bcd5eaa5174d2caaa5142eac2998b3b24

\subsection{The Center of Mass of Kernel Mode Structures}

We have discovered another pattern which can be used in detection. Our research revealed that kernel mode structures of the same type, such as EPROCESS and DRIVER_OBJECT, are placed close to each other in memory. This fact can be used for the detection of kernel mode structures. Based on the addresses of the known DRIVER_OBJECT structures, the so-called ‘center of mass’ of DRIVER_OBJECT data can be found; it will be located near most of the structures. When checking another memory area, we assess how close it is to the ‘center of mass’. This proximity is an additional detection criterion: the probability that the object found is a genuine structure increases as it approaches the ‘center of mass’. We calculate the ‘center of mass’ as the mean of the addresses of the kernel mode structures of that type which are already loaded in memory. This feature holds for drivers loaded through the built-in mechanism, such as the SCM; however, for drivers loaded by the ATSIV utility from Linchpin Labs [97] this regularity is disrupted. To make this clear, it is proposed to visualize a memory dump reflecting the structures found. These issues are not covered in this paper.
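The scoring described above, written out as an added illustration that is not part of the paper or of this commit: the ‘center of mass’ is the mean of the known addresses, and each candidate is scored by its distance from that mean. Everything beyond that sentence is an assumption of this example: the `Cluster` type, the normalization by the cluster radius, the `max_ratio` threshold used to flag outliers, and all addresses, which are constructed sample values rather than data from a real memory dump. The same code serves any structure type (EPROCESS as well as DRIVER_OBJECT), which is a generalization of the paper's DRIVER_OBJECT case.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Cluster:
    """Known addresses of one kernel structure type (e.g. DRIVER_OBJECT)."""
    name: str
    known: Tuple[int, ...]

    def center(self) -> int:
        # The paper's 'center of mass': the mean of the known addresses
        # (integer division, since the result is itself treated as an address).
        return sum(self.known) // len(self.known)

    def radius(self) -> int:
        # Assumption of this example: the largest distance of any known
        # structure from the center, used to express candidate distances
        # in a scale-free way. Never zero, so division below is safe.
        c = self.center()
        return max(abs(a - c) for a in self.known) or 1

    def normalized_distance(self, addr: int) -> float:
        # 0.0 means the candidate sits exactly on the center; 1.0 means it is
        # as far away as the most distant known structure.
        return abs(addr - self.center()) / self.radius()


def rank_candidates(cluster: Cluster, candidates: Iterable[int]) -> List[Tuple[int, float]]:
    """Return (address, normalized distance) pairs, most plausible first."""
    scored = [(a, cluster.normalized_distance(a)) for a in candidates]
    return sorted(scored, key=lambda t: t[1])


def flag_far_candidates(cluster: Cluster, candidates: Iterable[int],
                        max_ratio: float = 4.0) -> List[int]:
    """Candidates farther than max_ratio cluster radii from the center.

    max_ratio is a hypothetical tuning parameter of this example. A far
    candidate is not necessarily bogus, but it deserves a closer look: the
    paper notes that drivers loaded outside the built-in mechanism break the
    proximity pattern.
    """
    return [a for a, d in rank_candidates(cluster, candidates) if d > max_ratio]


# Constructed sample data: five DRIVER_OBJECTs spaced one page apart.
BASE = 0xFFFFE00100000000
DRIVER_OBJECTS = Cluster(
    name="DRIVER_OBJECT",
    known=tuple(BASE + i * 0x1000 for i in range(5)),
)

# Constructed candidates: one inside the cluster, one far outside it.
NEAR_CANDIDATE = BASE + 0x2800
FAR_CANDIDATE = BASE + 0x100000
CANDIDATES = (FAR_CANDIDATE, NEAR_CANDIDATE)


if __name__ == "__main__":
    print(f"{DRIVER_OBJECTS.name} center of mass: {DRIVER_OBJECTS.center():#x}")
    for addr, dist in rank_candidates(DRIVER_OBJECTS, CANDIDATES):
        print(f"  candidate {addr:#x}: normalized distance {dist:.2f}")
    for addr in flag_far_candidates(DRIVER_OBJECTS, CANDIDATES):
        print(f"  flagged (far from cluster): {addr:#x}")
```

Normalizing by the cluster radius keeps the score comparable across structure types whose instances are spread over very different ranges, and makes the flagging threshold independent of absolute address values.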