
Research On Detecting Hooking Rootkit Based On Kernel Object Manager

Posted on: 2021-05-25
Degree: Master
Type: Thesis
Country: China
Candidate: F Sun
Full Text: PDF
GTID: 2428330611498518
Subject: Engineering
Abstract/Summary:
Windows runs on most personal computers and servers today, yet it has never escaped the harm done by malicious code, Rootkits included. A Rootkit hides itself so that it can persist in a system for a long time and evade scanning by security software, and its first goal is to hide processes, so detecting hidden processes is a way to detect Rootkits. Current hidden-process detection methods can be bypassed by Rootkits and are time-consuming. This thesis first analyzes several Rootkit samples and generalizes their hiding principle. It then proposes a multi-view process comparison model and defines two constraints that a trusted process view must satisfy. Under this model, the differences between the virtual process view, the physical process view and the user process view are used to detect hidden processes. The virtual process view is built from the dispatcher objects managed by the object manager. Each memory block allocated for a dispatcher object carries a pool tag, and that tag does not change for the whole lifetime of the object, so all dispatcher objects can be found by searching for their pool tags across every allocated page of the non-paged pool; the owning process is then recovered from each dispatcher object. Some Rootkits may subvert the virtual process view, so a trusted physical process view is built by searching physical memory for page directory pages. Windows allocates a page directory page when a process is created and releases it when the process exits, and any tampering with the page directory page crashes the system. Once the page directory page is found, the hyperspace page, the working set page and then the PEB page can be located in turn, and the process semantics are finally recovered from the PEB. Finally, the thesis demonstrates a Rootkit detection system. Anti-tampering experiments on the pool tag, the page directory page and the PEB show that the physical process view is tamper-resistant against Rootkits, and the experiments on building process views and detecting Rootkits show that the system detects well-known Rootkits with a very high success rate and efficiency.
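The two memory searches the abstract describes, the pool-tag search over the non-paged pool and the search for page directory pages, as an added C example that is not the thesis's code. It runs both over a constructed 8-page image built inline. The x64 _POOL_HEADER layout, the Proc/Thre/Even tag values, the rule that PoolType 0 marks a freed block and the PML4 self-reference heuristic are assumptions taken from publicly known x64 Windows layouts, not statements of the thesis, and the step from a found object to its owning process (or from a page directory to the PEB) is layout-specific and left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096
#define POOL_GRAIN  16                   /* x64 pool blocks are 16-byte granular (assumption) */
#define PTE_PRESENT 1ULL
#define PFN_MASK    0x000FFFFFFFFFF000ULL
#define TAG(a, b, c, d) ((uint32_t)(a) | ((uint32_t)(b) << 8) | ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))

/* x64 _POOL_HEADER per public symbol layouts (assumption): sizes in 16-byte
 * units, PoolType 0 marks a freed block, PoolTag is the ASCII tag in memory order. */
typedef struct {
    uint8_t  previous_size, pool_index, block_size, pool_type;
    uint32_t pool_tag;
    uint64_t process_billed;
} pool_header_t;
typedef struct { uint64_t offset; uint32_t tag; size_t size; } hit_t;

/* Pool-tag search: visit every 16-byte boundary, keep headers carrying a wanted tag,
 * drop freed blocks and blocks that would straddle a 4 KiB page (small-pool
 * allocations never do). Returns the total number of hits, even beyond max_out. */
size_t scan_pool_tags(const uint8_t *img, size_t len, const uint32_t *tags,
                      size_t ntags, hit_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t off = 0; off + sizeof(pool_header_t) <= len; off += POOL_GRAIN) {
        pool_header_t h;
        memcpy(&h, img + off, sizeof h);
        int wanted = 0;
        for (size_t i = 0; i < ntags; i++)
            if (h.pool_tag == tags[i]) { wanted = 1; break; }
        if (!wanted || h.pool_type == 0 || h.block_size == 0) continue;
        size_t bytes = (size_t)h.block_size * POOL_GRAIN;
        if ((off % PAGE_SIZE) + bytes > PAGE_SIZE) continue;
        if (n < max_out) { out[n].offset = off; out[n].tag = h.pool_tag; out[n].size = bytes; }
        n++;
    }
    return n;
}

/* A 4 KiB page is a plausible page directory (PML4) if a present entry maps the page
 * itself (self-reference) and the kernel half (entries 256..511) has present entries.
 * Accepting the self-map at any index is an assumption covering builds that randomize it. */
int looks_like_pml4(const uint8_t *page, uint64_t phys)
{
    uint64_t e[512];
    memcpy(e, page, PAGE_SIZE);
    int self = 0, kernel = 0;
    for (int i = 0; i < 512; i++) {
        if (!(e[i] & PTE_PRESENT)) continue;
        if ((e[i] & PFN_MASK) == phys) self = 1;
        if (i >= 256) kernel = 1;
    }
    return self && kernel;
}
/* Physical process view: one page directory per live process, one test per 4 KiB page. */
size_t find_page_directories(const uint8_t *img, size_t len, uint64_t *out, size_t max_out)
{
    size_t n = 0;
    for (uint64_t off = 0; off + PAGE_SIZE <= len; off += PAGE_SIZE)
        if (looks_like_pml4(img + off, off)) { if (n < max_out) out[n] = off; n++; }
    return n;
}

/* Constructed 8-page image (sample data, not a real dump). */
#define IMG_PAGES 8
static uint8_t g_img[IMG_PAGES * PAGE_SIZE];
static void put_pool(size_t off, uint32_t tag, uint8_t blocks, uint8_t type)
{
    pool_header_t h = { 0, 0, blocks, type, tag, 0 };
    memcpy(g_img + off, &h, sizeof h);
}
const uint8_t *build_image(void)
{
    memset(g_img, 0, sizeof g_img);
    put_pool(0x1000, TAG('P','r','o','c'), 0x50, 1); /* live process object, 0x500 bytes */
    put_pool(0x2200, TAG('T','h','r','e'), 0x40, 1); /* live thread object */
    put_pool(0x3000, TAG('P','r','o','c'), 0x50, 0); /* freed block: must be skipped */
    put_pool(0x4FF0, TAG('E','v','e','n'), 0x08, 1); /* would cross a page boundary: skipped */
    uint64_t pml4[512] = { 0 };
    pml4[0]     = 0x6000ULL | PTE_PRESENT;           /* a user-half entry */
    pml4[0x1ED] = 0x5000ULL | PTE_PRESENT;           /* self-reference: this page lives at 0x5000 */
    pml4[0x1FF] = 0x7000ULL | PTE_PRESENT;           /* a kernel-half entry */
    memcpy(g_img + 0x5000, pml4, PAGE_SIZE);
    return g_img;
}
int main(void)
{
    const uint32_t tags[] = { TAG('P','r','o','c'), TAG('T','h','r','e'), TAG('E','v','e','n') };
    hit_t hits[16]; uint64_t dirs[4];
    size_t n = scan_pool_tags(build_image(), sizeof g_img, tags, 3, hits, 16);
    size_t d = find_page_directories(g_img, sizeof g_img, dirs, 4);
    for (size_t i = 0; i < n; i++)
        printf("pool block @0x%llx tag %.4s size 0x%zx\n", (unsigned long long)hits[i].offset, (const char *)&hits[i].tag, hits[i].size);
    for (size_t i = 0; i < d; i++)
        printf("candidate page directory @0x%llx\n", (unsigned long long)dirs[i]);
    return 0;
}
```

Two sanity checks carry the weight in practice: a freed block keeps its tag, so PoolType has to be tested, and a header whose stated size runs past its page is noise rather than an object. Against a real dump, replace the constructed image with the file contents and extend the tag list to the dispatcher-object tags in use on the target build.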
Keywords/Search Tags: Rootkit, Object manager, Dispatcher object, PoolTag searching, Page directory