Igor.Korkin added Detection Shadow Walker-like Rootkits.tex  over 9 years ago

Commit id: f49f0d538a68e6f282508a5d06a9e04561221de1

\textbf{Detection Shadow Walker-like Rootkits} It is important to describe the Shadow Walker rootkit (SW), which was presented by S.~Sparks and J.~Butler at the Black Hat conference in 2006 [99]. Despite the time that has passed, this approach is still relevant. The rootkit hides memory areas by hooking the page fault (\#PF) interrupt handler: whenever the memory pages containing the rootkit are accessed, their contents are replaced with false values. Existing popular software [23, 30] does not detect rootkits of this type. Some authors propose detecting the rootkit either with program code that runs in a more privileged mode than the operating system (e.g. VMX root mode or SMM) or with hardware memory dump tools. According to [100], this rootkit can be detected by analysing the Interrupt Descriptor Table (IDT), because installing SW modifies the \#PF handler.

It is also possible to detect this type of rootkit with MASHKA. During the memory page walk we measure the duration of each memory page access, making two successive accesses to every page. The first access brings the page data into memory (from the page file, if the page was paged out) and initialises the system buffers such as the TLB; only the second access is timed. A memory region whose access duration is anomalously large is the stealth memory region. How the contents of this region can then be obtained depends on the rootkit implementation; for example, the detector can itself modify the \#PF handler, gaining control over memory accesses and the ability to read the hidden memory regions.
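The two-access timing check described above, written out as an added example in C; it is not MASHKA's code and not from the original text. Each page is touched once (page-in, TLB and cache fill) and the second read is timed with RDTSCP (CLOCK\_MONOTONIC on non-x86); pages whose cost exceeds a multiple of the median are reported. Run in user space on a clean machine it only demonstrates the measurement and should flag nothing; against a real SW the same loop would have to run inside the kernel page walk. The 4 KiB page size, the factor of 10 over the median and the demo buffer are assumptions, and the threshold needs calibrating on a noisy system.

```c
/* Added example: two-access page timing scan (not MASHKA's implementation). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

#define SCAN_PAGE_SIZE 4096u   /* assumed page size; query the OS in real code */

/* Cycle counter: RDTSCP on x86 (serialising), CLOCK_MONOTONIC ns elsewhere. */
static inline uint64_t ticks_now(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int aux;
    return __rdtscp(&aux);
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* First access: page-in, TLB and cache fill (not measured).
 * Second access: the one whose duration we record. */
static uint64_t second_access_cost(const uint8_t *page)
{
    volatile const uint8_t *vp = page;
    uint8_t sink = vp[0];
    uint64_t t0 = ticks_now();
    sink ^= vp[0];
    uint64_t t1 = ticks_now();
    (void)sink;
    return t1 - t0;
}

/* Walk [base, base+len) page by page; costs[i] gets the cost of page i.
 * Returns the number of pages measured (at most max_pages). */
static size_t scan_region(const uint8_t *base, size_t len,
                          uint64_t *costs, size_t max_pages)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max_pages; off += SCAN_PAGE_SIZE, n++)
        costs[n] = second_access_cost(base + off);
    return n;
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Upper median of the costs: a handful of slow pages cannot drag it up. */
static uint64_t median_cost(const uint64_t *costs, size_t n)
{
    if (n == 0) return 0;
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) return 0;
    memcpy(tmp, costs, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Flag every page whose cost exceeds factor * median. Page indices go to out[]
 * (up to max_out); the return value is the total number flagged. */
static size_t find_stealth_pages(const uint64_t *costs, size_t n, unsigned factor,
                                 size_t *out, size_t max_out)
{
    if (n == 0) return 0;
    uint64_t med = median_cost(costs, n);
    uint64_t threshold = (med ? med : 1) * factor;   /* guard a too-coarse clock */
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (costs[i] > threshold) {
            if (found < max_out) out[found] = i;
            found++;
        }
    }
    return found;
}

int main(void)
{
    enum { NPAGES = 64 };                          /* constructed demo region */
    uint8_t *buf = malloc(NPAGES * SCAN_PAGE_SIZE);
    uint64_t costs[NPAGES];
    size_t flagged[NPAGES];
    if (!buf) return 1;
    memset(buf, 0xAA, NPAGES * SCAN_PAGE_SIZE);    /* make every page resident */
    size_t n = scan_region(buf, NPAGES * SCAN_PAGE_SIZE, costs, NPAGES);
    size_t k = find_stealth_pages(costs, n, 10, flagged, NPAGES);
    printf("median %llu ticks, %zu of %zu pages above 10x median\n",
           (unsigned long long)median_cost(costs, n), k, n);
    for (size_t i = 0; i < k; i++)
        printf("  suspect page %zu: %llu ticks\n", flagged[i],
               (unsigned long long)costs[flagged[i]]);
    free(buf);
    return 0;
}
```

The median rather than the mean is used as the baseline so that a few hidden pages cannot raise the threshold and mask themselves; on a loaded machine, repeat the scan and keep the minimum cost per page before applying the threshold.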