
Techniques Based On Virtual Machine In Anti-Rootkit

Posted on: 2010-10-28
Degree: Master
Type: Thesis
Country: China
Candidate: J S Zhang
Full Text: PDF
GTID: 2178360302959625
Subject: Computer system architecture

Abstract/Summary:
Rootkits are tools used by attackers to maintain root access to a system and carry out malicious activities after the system has been compromised. Rootkits can be classified into application-level rootkits and kernel-level rootkits according to the level at which they run. Currently, the technology for detecting application-level rootkits is usable, but no tool can adequately defend against kernel-level rootkits. The main reason is that kernel-level rootkits run with the same privilege as the anti-rootkit tools themselves. In this paper, we first analyze the mechanisms used by kernel-level rootkits. We then design and implement an anti-rootkit module in lguest targeted at Linux kernel-level rootkits. The module's policy is:

1. Only code from the .text section of the kernel core may write to the memory regions protected by the module.
2. Only code from the .text section of the kernel core may write to the virtual privileged registers.

The protected memory regions consist of the kernel core's .text, .rodata, __ex_table and other important global data. The protected privileged registers consist of IDTR, GDTR, SYSENTER_EIP_MSR, etc. Our prototype achieves write protection of the protected memory by clearing the _PAGE_RW bit in the shadow page table entries that map it. It achieves write protection of the privileged registers by hooking the hypercall that performs the write to those registers. Experimental results show that our system achieves the goal of anti-rootkit protection at a small performance cost...
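As an added illustration of the two mechanisms the abstract describes, and not code from the thesis or from lguest itself, the following C model shows the shadow-PTE write-protection step (clearing _PAGE_RW for protected pages) and the origin check applied on a resulting write fault and on the privileged-register hypercall. The kernel .text and protected-region addresses are constructed for the example; only the x86 PTE flag values are real.

```c
#include <stdint.h>
#include <stdbool.h>

/* Real x86 PTE flag bits; everything below them is a constructed layout. */
#define _PAGE_PRESENT 0x001UL
#define _PAGE_RW      0x002UL

/* Hypothetical guest layout (not lguest's own addresses). */
#define KTEXT_START  0xc0100000UL   /* kernel core .text */
#define KTEXT_END    0xc0300000UL
#define PROT_START   0xc0300000UL   /* .rodata, __ex_table, key globals */
#define PROT_END     0xc0380000UL

static bool in_range(unsigned long a, unsigned long lo, unsigned long hi)
{
    return a >= lo && a < hi;
}

/* Policy shared by both hooks: only kernel core .text may perform the write. */
bool writer_is_kernel_core(unsigned long eip)
{
    return in_range(eip, KTEXT_START, KTEXT_END);
}

/* Build the shadow PTE for vaddr: copy the guest PTE, but drop _PAGE_RW when
 * the page lies in a protected region, so any write traps to the monitor. */
uint64_t make_shadow_pte(unsigned long vaddr, uint64_t guest_pte)
{
    if (in_range(vaddr, PROT_START, PROT_END) && (guest_pte & _PAGE_PRESENT))
        return guest_pte & ~(uint64_t)_PAGE_RW;
    return guest_pte;
}

/* Write fault handler: 1 = allow (emulate the write), 0 = deny and log.
 * Faults outside the protected region are not ours and follow the normal path. */
int handle_protected_write_fault(unsigned long eip, unsigned long target)
{
    if (!in_range(target, PROT_START, PROT_END))
        return 1;
    return writer_is_kernel_core(eip) ? 1 : 0;
}

/* Hook on the hypercall that loads IDTR/GDTR/SYSENTER_EIP_MSR: same origin test. */
int handle_priv_reg_hypercall(unsigned long eip)
{
    return writer_is_kernel_core(eip) ? 1 : 0;
}
```

A loaded module (a typical kernel rootkit) executes outside the kernel core .text range, so its writes to the protected region and its register loads are denied while the core kernel's own updates proceed.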
Keywords/Search Tags: Rootkit, virtual machine, virtual machine monitor, lguest, Linux kernel