Abstract
Kernel rootkits, malicious software designed to compromise a running
operating system kernel, are difficult to profile due to the variety
and complexity of their attacks as well as the privilege level at
which they run. However, an accurate profile of a kernel rootkit can
be of great help in developing cost-effective rootkit defense solutions.
In this paper, we present PoKeR, a kernel rootkit profiler capable of
producing multi-aspect rootkit profiles which include the extraction
of kernel rootkit code, the revelation of rootkit hooking behavior,
the determination of targeted kernel objects (both static and dynamic),
as well as the assessment of user-level impacts. The evaluation results
with a number of real-world rootkits show that PoKeR is able to
accurately profile a variety of rootkits ranging from traditional
ones with system call hooking to more advanced ones with direct kernel
object manipulation. The obtained profiles lead to unique insights
into the rootkits' characteristics.