Igor.Korkin added 4.2.2. Inside DRIVER_OBJECT detection.tex  over 9 years ago

Commit id: ea41f326734fbefcff9ae52a8d1455e61fd84320

\subsubsection{4.2.2. Inside DRIVER_OBJECT detection}

In comparison with process creation, driver loading causes far fewer system modifications, which makes it possible to hide a driver more thoroughly. Driver hiding is described in popular books such as ‘Rootkits: Subverting the Windows Kernel’ [93] by G.Hoglund and J.Butler, and in B.Blunden’s newer book ‘The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System’ [31]. It is also necessary to mention the driver lists that are not used by built-in tools: PsLoadedModuleList [73], the ObjectDirectory lists [73], and the Service Control Manager (SCM) driver list [94].

Detection of hidden drivers is very similar to stealth process detection. Schuster’s signature approach [90] has been adapted by W.Tsaur and L.Yeh to driver detection [95]; however, their approach is likewise vulnerable to modification of the target bytes.

The following well-known non-built-in tools support Windows 8: XueTr by linxer, PowerTool by ithurricane, and TDSSKiller by Kaspersky Lab. In terms of driver detection, XueTr and PowerTool have similar detection algorithms, both based on a byte-to-byte signature search among DRIVER_OBJECT structures. TDSSKiller uses a completely different algorithm: it relies on a system list that holds information about the drivers added by the SCM. By modifying field values it is possible to hide specified driver structures from all of these tools, and some of these modifications neither stop the driver nor corrupt OS functionality.

It will be discussed further how Schuster’s idea [90] can be improved to create a rootkit detection approach that is both resilient to byte modification and still portable to new Windows versions, for both 32-bit and 64-bit editions.
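The following C program is an added illustration by the editor, not code from the paper or from any of the tools named above. It models the byte-to-byte signature scan that the XueTr/PowerTool class of tools performs over DRIVER_OBJECT structures, and the field modification that defeats it: a constructed user-mode buffer stands in for a kernel pool dump, two model driver objects are placed in it, and patching the Type field of one of them makes it disappear from the scan while the rest of the structure is untouched. The header values (Type = 4, Size = 0x150 for the 64-bit structure), the 16-byte scan stride and the placement offsets are assumptions of this example; the body of the structure is deliberately opaque.

```c
/* Added example (editor's code, not the paper's): signature scan for
 * DRIVER_OBJECT headers over a constructed pool dump, and the field
 * modification that hides one object from the scan. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed header values: Type 4 marks a driver object, 0x150 is the
 * 64-bit DRIVER_OBJECT size. Only these two fields are modelled; the
 * remainder of the structure is treated as opaque bytes. */
#define DRV_OBJ_TYPE   4
#define DRV_OBJ_SIZE   0x150
#define SCAN_STRIDE    16          /* assumed pool alignment on x64 */
#define POOL_DUMP_LEN  4096

typedef struct {
    int16_t Type;
    int16_t Size;
    uint8_t body[DRV_OBJ_SIZE - 4];   /* DeviceObject, DriverStart, MajorFunction[], ... */
} model_driver_object;

/* Constructed stand-in for a kernel pool dump (not a real capture). */
static uint8_t pool_dump[POOL_DUMP_LEN];

static void place_driver_object(size_t offset) {
    model_driver_object obj;
    memset(&obj, 0xCC, sizeof obj);     /* filler body; never matches the signature */
    obj.Type = DRV_OBJ_TYPE;
    obj.Size = DRV_OBJ_SIZE;
    memcpy(pool_dump + offset, &obj, sizeof obj);
}

/* Two driver objects at aligned offsets, the rest of the dump zeroed. */
void build_pool_dump(void) {
    memset(pool_dump, 0, sizeof pool_dump);
    place_driver_object(0x100);
    place_driver_object(0x800);
}

/* Schuster-style scan: test the Type/Size signature at every aligned
 * offset. Returns the number of hits; offsets are written to out[]. */
size_t scan_driver_objects(const uint8_t *mem, size_t len, size_t *out, size_t max) {
    size_t hits = 0;
    for (size_t off = 0; off + DRV_OBJ_SIZE <= len; off += SCAN_STRIDE) {
        int16_t type, size;
        memcpy(&type, mem + off, sizeof type);
        memcpy(&size, mem + off + 2, sizeof size);
        if (type == DRV_OBJ_TYPE && size == DRV_OBJ_SIZE) {
            if (hits < max) out[hits] = off;
            hits++;
        }
    }
    return hits;
}

/* The hiding step the section describes: overwrite the bytes the scanner
 * keys on. Nothing else in the object is changed. Whether a given field
 * can be altered on a given Windows build without stopping the driver is
 * not something this user-mode model can verify. */
void hide_driver_object(size_t offset) {
    int16_t bogus_type = 0;
    memcpy(pool_dump + offset, &bogus_type, sizeof bogus_type);
}

size_t count_before_hide(void) {
    size_t offs[8];
    build_pool_dump();
    return scan_driver_objects(pool_dump, POOL_DUMP_LEN, offs, 8);
}

size_t count_after_hide(void) {
    size_t offs[8];
    build_pool_dump();
    hide_driver_object(0x800);
    return scan_driver_objects(pool_dump, POOL_DUMP_LEN, offs, 8);
}

/* Offset of the object that is still found after hiding (0 if none). */
size_t surviving_offset_after_hide(void) {
    size_t offs[8];
    build_pool_dump();
    hide_driver_object(0x800);
    size_t n = scan_driver_objects(pool_dump, POOL_DUMP_LEN, offs, 8);
    return n ? offs[0] : 0;
}

int main(void) {
    printf("driver objects found before hiding: %zu\n", count_before_hide());
    printf("found after patching Type at 0x800: %zu (survivor at 0x%zx)\n",
           count_after_hide(), surviving_offset_after_hide());
    return 0;
}
```

The scan finds two objects before the patch and one afterwards, which is the weakness the section attributes to the signature tools: any detector whose match depends on a handful of bytes that the running kernel does not itself need can be blinded by overwriting those bytes. A real scan would also need to walk the 32-bit layout with its own size and alignment, which is why portability across editions is raised as a separate requirement.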