 #5701  by Brookit
 Mon Mar 28, 2011 6:08 pm
We present a novel rootkit detection technique called "kernel code tunneling". The technique uses a custom-made dynamic instrumentation framework to analyze execution flow.

While similar dynamic instrumentation engines do exist (e.g. Intel PIN), our engine offers significant advantages:
- it was designed for kernel mode operation
- it was designed to correctly handle potentially offensive code

Current rootkit detection engines either use methods like "cross view", or analyze specific data areas (e.g. IDT, SSDT) or code areas (e.g. they search for inline patches). However, rootkits are getting more and more complex. No more are inline patches limited to the first bytes of a function: we can now find them anywhere in the execution flow. Instead of a simple JMP/CALL to the malicious code, complex control transfer trampolines are now commonplace.

Our presentation will cover the following topics:
- design of a kernel-based dynamic instrumentation engine
- overcoming kernel-specific issues (IRQ levels, async tasks, self modifying code)
- analysis of various tunneling sessions, with/without active rootkits
- specific cases when instrumentation has provided us with enough data to effectively *clean* the machine
https://www.blackhat.com/html/bh-eu-11/ ... ml#Chiriac

Unfortunately, the provided driver (KLUP.sys) is just a mix-up of the other files included. So there is no driver! :?
 #5741  by Alex
 Wed Mar 30, 2011 8:51 am
Mihai Chiriac's idea is correct, but this kind of detection can be bypassed by such rootkits as TDL. This detection is based on the fact that there is some suspicious code outside of non-suspicious kernel modules, but if the rootkit's code is nested inside the code section of these modules and a tool is not capable of comparing the mapped code section with the protected module stored on disk, this method will fail. Currently there is no problem detecting rootkits such as TDL; there are more problems with disarming rootkits.
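To make the comparison Alex refers to concrete, here is an added example (not from the thread, and not code from any tool discussed in it) that checks a module's mapped code section against its on-disk copy after undoing base relocations, so that only unexpected in-memory edits are reported; the section bytes, relocation offset and load delta are constructed sample values.

```python
# Added example: compare a driver's mapped code section against its on-disk image
# while discounting legitimate relocation fix-ups, so that only unexpected
# in-memory modifications (e.g. an injected JMP) remain. All data is constructed.
import struct

PTR_SIZE = 4  # x86 build, as discussed in the thread; use 8 for x64

def normalise_mapped(mapped: bytes, reloc_offsets, delta: int) -> bytes:
    """Undo the loader's base relocation fix-ups (delta = actual base - preferred base)."""
    buf = bytearray(mapped)
    fmt = "<I" if PTR_SIZE == 4 else "<Q"
    mask = (1 << (8 * PTR_SIZE)) - 1
    for off in reloc_offsets:
        (val,) = struct.unpack_from(fmt, buf, off)
        struct.pack_into(fmt, buf, off, (val - delta) & mask)
    return bytes(buf)

def find_unexpected_patches(disk: bytes, mapped: bytes, reloc_offsets, delta: int):
    """Return [(offset, disk_byte, mapped_byte)] for bytes still differing once relocations are undone."""
    if len(disk) != len(mapped):
        raise ValueError("section length mismatch")
    clean = normalise_mapped(mapped, reloc_offsets, delta)
    return [(i, disk[i], clean[i]) for i in range(len(disk)) if disk[i] != clean[i]]

def patch_ranges(diffs, max_gap=1):
    """Group adjacent differing offsets into (start, end) ranges for reporting."""
    ranges = []
    for off, _, _ in diffs:
        if ranges and off - ranges[-1][1] <= max_gap:
            ranges[-1] = (ranges[-1][0], off)
        else:
            ranges.append((off, off))
    return ranges

# Constructed .text image: a few instructions, then an absolute pointer the loader relocates.
DISK_TEXT = bytes.fromhex("8bff558bec") + struct.pack("<I", 0x00401000) + bytes.fromhex("5dc3909090")
RELOC_OFFSETS = [5]          # offset of the absolute pointer within the section
DELTA = 0x00100000           # module loaded 1 MiB above its preferred base

def build_sample_mapped(patch_at=None):
    """Simulate what the loader (and optionally an inline hook) did to the in-memory copy."""
    buf = bytearray(DISK_TEXT)
    struct.pack_into("<I", buf, RELOC_OFFSETS[0], 0x00401000 + DELTA)
    if patch_at is not None:
        buf[patch_at:patch_at + 5] = b"\xe9" + struct.pack("<i", 0x1000)  # rel32 jmp
    return bytes(buf)

if __name__ == "__main__":
    print(patch_ranges(find_unexpected_patches(DISK_TEXT, build_sample_mapped(0), RELOC_OFFSETS, DELTA)))
```

A real tool would take the section bytes and relocation list from the PE headers of the on-disk file and the mapped image; the clean case must report nothing, otherwise relocations alone would produce false positives.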
 #5767  by sysenter
 Thu Mar 31, 2011 9:23 am
Hi guys,

The archive was fixed - I assume there was some sort of a problem with the BlackHat servers.

Dear EP_XOFF, I am not aware of existing dynamic binary instrumentation engines that are capable of kernel mode operation, or being used in the context of compromise detection. I would really appreciate it if you could send me a link to existing research.

The whitepaper also presents an interesting disinfection technique 8-)
 #5770  by sysenter
 Thu Mar 31, 2011 4:00 pm
Hi Cr4sh,

Indeed, I first designed the engine for other purposes than rootkit detection. However, I saw great potential in this approach and decided to give it a whirl :)
I'm currently porting the engine to x64 and this will take a few months. Afterwards, I will probably release a binary blob + SDK, so stay tuned ;)