http://dx.doi.org/10.13089/JKIISC.2021.31.4.661

A study on Memory Analysis Bypass Technique and Kernel Tampering Detection  

Lee, Haneol (Korea University)
Kim, Huy Kang (Korea University)
Abstract
Malware such as a rootkit that modifies the kernel can distort an analyst's judgment, and if a mechanism for evading memory analysis is added, the analysis becomes difficult or impossible. This study therefore aims to respond preemptively to malware, such as rootkits, that will bypass detection in the future through advanced kernel tampering. To this end, the main structures used by the Windows kernel were analyzed from the attacker's point of view, and a method capable of tampering with kernel objects was applied to tamper with a memory dump file. Experiments confirm that the resulting tampering cannot be detected by a memory analysis tool that is widely used worldwide. Then, from the analyst's point of view, software that can detect such tampering was implemented using the concept of tamper resistance, and it is shown that areas missed by existing memory analysis tools can be detected. The study is meaningful in that it preemptively attempted to tamper with the kernel area and derived insights that enable precise analysis. A limitation is that, in the software implementation, the detection rules needed for precise analysis must be created manually.
Keywords
Kernel Tampering; Bypass Technique; Detection Methodology; Memory Analysis; Malware;