Authors: Xuxian Jiang, Dongyan Xu, Junghwan Rhee, Ryan Riley
DOI:
Keywords:
Abstract: Dynamic kernel memory has been a popular target of recent kernel malware due to the difficulty of determining the status of volatile dynamic kernel objects. Some existing approaches use kernel memory mapping to identify dynamic kernel objects and check kernel integrity. The snapshot-based memory maps generated by these approaches are built from kernel memory which may already have been manipulated by kernel malware. In addition, because a snapshot only reflects the memory status at a single time instance, its usage is limited in temporal kernel execution analysis. We introduce a new runtime kernel memory mapping scheme called allocation-driven mapping, which systematically identifies dynamic kernel objects, including their types and lifetimes. The scheme works by capturing kernel object allocation and deallocation events. Our system provides a number of unique benefits to kernel malware analysis: (1) an un-tampered view wherein the mapping of kernel data is unaffected by the manipulation of kernel memory, and (2) a temporal view of kernel objects that can be used for temporal analysis of kernel execution. We demonstrate the effectiveness of allocation-driven mapping in two usage scenarios. First, we build a hidden kernel object detector that uses the un-tampered view to detect the data hiding attacks of 10 kernel rootkits that directly manipulate kernel objects (DKOM). Second, we develop a temporal malware behavior monitor that tracks and visualizes malware behavior triggered by the manipulation of dynamic kernel objects. Allocation-driven mapping enables reliable analysis of such behavior by guiding the inspection only to the events relevant to the attack.
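The core idea of the abstract, shown as an added illustration that is not code from the paper or its authors: a map built by replaying allocation and deallocation events records each object's type and lifetime without consulting any pointer in kernel memory, so an object that a DKOM rootkit has unlinked from a list still appears in the map and shows up as hidden when compared with a pointer-walk snapshot. The event trace, the task-list snapshot and all names (`LiveObject`, `allocation_driven_map`, `find_hidden`) are constructed for this example and are not the paper's own interfaces.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed allocation/deallocation trace standing in for hooked allocator
# events; each tuple is (event, address, object type, logical time).
EVENTS = [
    ("alloc", 0x1000, "task_struct", 1),
    ("alloc", 0x2000, "task_struct", 2),
    ("alloc", 0x3000, "task_struct", 3),
    ("alloc", 0x4000, "sock", 4),
    ("free",  0x2000, "task_struct", 5),
    ("alloc", 0x5000, "task_struct", 6),
]

@dataclass
class LiveObject:
    addr: int
    type_: str
    allocated_at: int
    freed_at: Optional[int] = None  # None while the object is still live

def allocation_driven_map(events):
    """Replay the event trace into a map of objects with types and lifetimes.
    Nothing here reads kernel memory, so in-memory tampering cannot alter it."""
    objects = {}
    for kind, addr, type_, t in events:
        if kind == "alloc":
            objects[addr] = LiveObject(addr, type_, t)
        elif kind == "free" and addr in objects:
            objects[addr].freed_at = t
    return objects

def live_objects(objects, type_, at_time):
    """Temporal view: addresses of objects of one type live at a given time."""
    return {
        addr for addr, o in objects.items()
        if o.type_ == type_ and o.allocated_at <= at_time
        and (o.freed_at is None or o.freed_at > at_time)
    }

# Constructed snapshot of the task list as a pointer walk would see it: the
# entry at 0x3000 has been unlinked, so the traversal no longer reaches it.
TASK_LIST_SNAPSHOT = [0x1000, 0x5000]

def find_hidden(objects, type_, traversed, at_time):
    """Objects live in the un-tampered map but missing from the pointer
    traversal are reported as hidden (unlinked) kernel objects."""
    return sorted(live_objects(objects, type_, at_time) - set(traversed))
```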