The study of SSDT hook through comparative analysis between live response and memory image
Abstract
The purpose of a kernel rootkit is to keep a compromised operating system from being detected. System Service Dispatch Table (SSDT) hooking has been employed by most Windows kernel rootkits as a method of hiding files, processes and registry keys from system and investigative utilities: the rootkit overwrites selected entries of the table so that the system calls it chooses to target are dispatched to its own code rather than to the original kernel routine. This paper describes a comparative analysis of the detection capabilities of a particular live response utility, MANDIANT Redline, and a memory image analysis utility, Volatility, when the SSDT has been hooked by a rootkit. The comparison shows that Redline is significantly more limited than Volatility in its ability to detect SSDT hooks. We show that this limitation is due to the fact that Redline relies on system calls to detect SSDT hooks, the very mechanism a kernel rootkit controls. We further show that Redline fails to uncover other vital evidence that is available in the memory image and helpful to the investigation.
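The detection principle the abstract credits to memory-image analysis, as an added example that is not code from the paper, from Redline or from Volatility: walk KeServiceDescriptorTable in a 32-bit snapshot, resolve every service pointer to the loaded module whose image range contains it, and flag any entry owned by something other than ntoskrnl.exe or win32k.sys. The snapshot contents, module addresses, service numbers and the `hidedrv.sys` rootkit driver are all constructed for the example; only the x86 KSERVICE_TABLE_DESCRIPTOR layout (ServiceTableBase, ServiceCounterTableBase, NumberOfServices, ParamTableBase) is real.

```python
import struct
from typing import NamedTuple, Optional


class Module(NamedTuple):
    name: str
    base: int
    size: int


# Constructed 32-bit kernel layout for the example (assumed addresses, not taken
# from a real memory image). Only ntoskrnl and win32k legitimately own SSDT entries.
NTOSKRNL = Module("ntoskrnl.exe", 0x80400000, 0x00200000)
WIN32K = Module("win32k.sys", 0xBF800000, 0x00200000)
HIDEDRV = Module("hidedrv.sys", 0xF7A00000, 0x00010000)  # hypothetical rootkit driver
LOADED_MODULES = [NTOSKRNL, WIN32K, HIDEDRV]
LEGITIMATE_OWNERS = {NTOSKRNL.name, WIN32K.name}

# Assumed virtual addresses of KeServiceDescriptorTable and of its ServiceTableBase.
KSDT_VA = 0x80550000
SERVICE_TABLE_VA = 0x80504000

# Assumed service numbers for the handful of entries the sample table contains.
SERVICE_NAMES = {0: "NtQueryDirectoryFile", 1: "NtQuerySystemInformation",
                 2: "NtEnumerateKey", 3: "NtOpenProcess", 4: "NtCreateFile"}


def build_snapshot(hooks: dict) -> dict:
    """Construct a fake snapshot {virtual_address: bytes}.

    Every entry points into ntoskrnl unless `hooks` redirects that service
    number elsewhere, which is exactly what installing an SSDT hook does.
    """
    entries = [hooks.get(i, NTOSKRNL.base + 0x1000 * (i + 1))
               for i in range(len(SERVICE_NAMES))]
    service_table = b"".join(struct.pack("<I", e) for e in entries)
    # x86 KSERVICE_TABLE_DESCRIPTOR: ServiceTableBase, ServiceCounterTableBase,
    # NumberOfServices, ParamTableBase (four 32-bit fields).
    ksdt = struct.pack("<IIII", SERVICE_TABLE_VA, 0, len(entries), SERVICE_TABLE_VA + 0x1000)
    return {KSDT_VA: ksdt, SERVICE_TABLE_VA: service_table}


def read(mem: dict, va: int, size: int) -> bytes:
    """Read `size` bytes at virtual address `va` from the snapshot."""
    for base, data in mem.items():
        if base <= va and va + size <= base + len(data):
            return data[va - base: va - base + size]
    raise ValueError(f"unmapped address {va:#010x}")


def owner_of(addr: int) -> Optional[str]:
    """Attribute a code address to the loaded module whose image range contains it."""
    for m in LOADED_MODULES:
        if m.base <= addr < m.base + m.size:
            return m.name
    return None


def scan_ssdt(mem: dict, ksdt_va: int = KSDT_VA) -> list:
    """Walk the SSDT in the image; return (index, name, target, owner, hooked) per entry."""
    table_base, _counters, count, _params = struct.unpack("<IIII", read(mem, ksdt_va, 16))
    findings = []
    for i in range(count):
        (target,) = struct.unpack("<I", read(mem, table_base + 4 * i, 4))
        owner = owner_of(target)
        hooked = owner not in LEGITIMATE_OWNERS  # unknown or third-party owner => hook
        findings.append((i, SERVICE_NAMES.get(i, f"service_{i:#x}"),
                         target, owner or "UNKNOWN", hooked))
    return findings


if __name__ == "__main__":
    # Two hooks: one into the hypothetical rootkit driver, one into code that
    # belongs to no loaded module at all (e.g. a pool allocation).
    snapshot = build_snapshot({0: HIDEDRV.base + 0x2000, 1: 0xF8C00000})
    for idx, name, target, owner, hooked in scan_ssdt(snapshot):
        print(f"SSDT[{idx:#04x}] {name:<26} -> {target:#010x} {owner:<14} "
              f"{'HOOKED' if hooked else 'ok'}")
```

Because the table is read out of the image rather than requested from the running kernel, a rootkit that filters what system calls return has no say in what the analyst sees, which is the gap the abstract attributes to Redline's reliance on system calls. The layout is specific to x86: on 64-bit Windows the service table holds relative offsets rather than absolute pointers, and Kernel Patch Protection makes classic SSDT hooking impractical there.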
Item Type
http://purl.org/coar/resource_type/c_1843
Language
en
