livedm
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
livedm [2010/09/20 10:17] dxu |
livedm [2010/09/27 14:54] (current) dxu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== LiveDM: Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory ====== | + | ====== Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory ====== |
| Dynamic kernel memory has been a popular target of recent kernel | Dynamic kernel memory has been a popular target of recent kernel | ||
| malware due to the difficulty of determining the status of volatile dynamic kernel | malware due to the difficulty of determining the status of volatile dynamic kernel | ||
| Line 22: | Line 22: | ||
| a reliable analysis of such behavior by guiding the inspection only to the | a reliable analysis of such behavior by guiding the inspection only to the | ||
| events relevant to the attack. | events relevant to the attack. | ||
| + | |||
| ===== Publications ===== | ===== Publications ===== | ||
| - | * "Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory". Junghwan Rhee, Ryan Riley, Dongyan Xu, and Xuxian Jiang. To appear in the 13th International Symposium on Recent Advances in Intrusion Detection (RAID 2010), Ottawa, Canada, September 2010 | + | * "Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory". Junghwan Rhee, Ryan Riley, Dongyan Xu, and Xuxian Jiang. In proceedings of the 13th International Symposium on Recent Advances in Intrusion Detection (RAID 2010), Ottawa, Canada, September 2010 |
| - | * [[http://www.cs.purdue.edu/homes/rhee/pubs/raid2010_rhee.pdf|Paper]] | + | * [[http://www.springerlink.com/content/a3w252328185412h/fulltext.pdf|Paper]] |
| * [[http://www.cs.purdue.edu/homes/rhee/pubs/raid2010_slides.pdf|Slides]] | * [[http://www.cs.purdue.edu/homes/rhee/pubs/raid2010_slides.pdf|Slides]] | ||
| + | ===== Demo ===== | ||
| + | This video demonstrates dynamic changes of the kernel memory map and detection of kernel rootkits that hide dynamic kernel objects by manipulating pointers. | ||
| + | * Main technique: Live kernel object map | ||
| + | * Applications: Hidden PCB and kernel driver detector | ||
| + | * Note: some parts of a video clip are trimmed to reduce its play time. | ||
| + | * [[http://www.cs.purdue.edu/homes/rhee/pubs/raid2010_livedm.avi|Demo]] in AVI format | ||
| + | |||
| + | |||
| ===== People ===== | ===== People ===== | ||
livedm.1284992271.txt.gz · Last modified: 2010/09/20 10:17 (external edit)
Page Tools
