Igor.Korkin deleted file 4.2.1. Inside EPROCESS detection.tex over 9 years ago

Commit id: f34a64d98714bad6ba652a3d511f1c3464196b11


\subsubsection{Inside EPROCESS detection}  When a process has been started a new content is created, and information about new object is added to different systems lists. A significant number of such lists make it difficult to hide the process well; therefore we usually speak about hiding the process only from built-in tools. There are a lot of approaches to process detection, so let us name some of them. There are some approaches based on additional objects structures lists, such as processes list from CSRSS.EXE, thread-based scheduling list and others [83, 84]. There are some heuristic analyzer approaches which are based on hooking functions, such as SwapContext or KiFastCallEntry. The Volatility Project includes various plugins list to stealth process detection [85, 86, 87].  Grizzard’s approach [88] was based on locating x86 paging structures in memory images. Another MAS tool which was described in paper [88] uses memory crash dump file to rootkit detection, for this reason it is impossible to apply this method in commodity systems.  Another process detection approach has been suggested by Schuster [90]. This approach is based on the fact that values of some EPROCESS fields are either known or exceed the constant, for example 0x8000_0000. Author’s approach has a number of important disadvantages: it is difficult to achieve its portability on different versions of Windows OS, as well as it is vulnerable to field modifications.  Another approach was based on signature search [91]. The authors suggest new graphs signatures, which can evaluate contingent structures in Linux OS. This method is also vulnerable to specific byte modifications. It is also difficult to make and test these graphs signatures for new Windows versions, because it requires a specialist’s involvement.  Schuster’s approach [90] was presented in paper [92]. It proposed including only robust fields in EPROCESS signature. If malware modifies one of these fields, the system crashes. 
To search these robust fields the author suggested control memory access with the help of adapted XEN hypervisor and VMware. The major drawback of this approach is its applicability only to structures with a lot of elements like EPROCESS, for which it is possible to find robust signature. Therefore it is impossible to apply this method to DRIVER_OBJECT structure detection.
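Review bot: this commit deletes the whole "Inside EPROCESS detection" subsubsection without a visible commit message saying whether the text was moved or dropped, so before merging check that no remaining file still \input{}s 4.2.1. Inside EPROCESS detection.tex and that references [83] to [92], which may be cited only here, are still used or are pruned from the bibliography. If the text is being reinstated elsewhere, two points in the removed lines are worth fixing on the way: [88] is cited both for Grizzard's approach and for the MAS crash-dump tool while [89] is never cited, which looks like a typo for [89] in the second place; and the sentence "Schuster's approach [90] was presented in paper [92]" reads as though [92] merely restates [90], whereas the following sentences describe [92] as extending it with robust-field signatures, so "was extended in paper [92]" would be clearer.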