Introduction

As rootkits become increasingly popular and more sophisticated than ever before, detection methods must also evolve. While rootkit technologies have evolved beyond API hooking methods, detectors have also evolved beyond the hook detection ages. At first rootkits such as FU[5] were detected using various methods which exploited its weak and proof-of-concept design by applications such as Blacklight[2]. These specific weaknesses were addressed in FUTo[7]. However, some still remain excluding the topic of this paper.

RAIDE[1], a rootkit detection tool, uses a memory signature scanning method in order to find EPROCESS blocks hidden by FUTo. This specific implementation works, however, it too has its weaknesses. This paper attempts to outline the general concepts of implementing a successful rootkit detection method using memory signatures.

The following chapters will discuss how to safely enumerate system memory, what to look for when building a memory signature, what to do once a memory signature has been found, and potential methods of breaking memory signatures. Finally, an accompanying tool will be used to concretely illustrate the subject of this paper.

After reading the following paper, the reader should have an understanding of the concepts and issues related to kernel object detection using memory signatures. The author believes this to be an acceptable method of rootkit detection. However, as with most things in the security realm, no one technique is the ultimate solution and this technique should only be considered complimentary to other known detection methods.