{"title":"Analyzing Detection Avoidance of Malware by Process Hiding","authors":"Mariya Shafat Kirmani, M. T. Banday","doi":"10.1109/IC3I44769.2018.9007293","DOIUrl":null,"url":null,"abstract":"The fact that any program to be executed must be loaded in random access memory makes it forensically critical and target-rich search location for evidence. Digital forensic investigation is incomplete without analyzing the physical memory. Random access memory holds the insights of a running system which constitutes the plethora of information some of which is unique to it. Among other information, random access memory holds running processes and process related information maintained in well-defined data structures. The threads spawned by specific processes also reside in this memory. With the advancement in cyber-attacks, malware tends to be memory resident that is hidden from the operating system to avoid detection via security or forensic tools. Both the user space and kernel space is exploited by hidden. This paper is focused towards analyzing the techniques used by rootkits to hide their processes in the memory achieved via hooking and Direct Kernel Object Manipulation (DKOM), the working of a rootkit and its detection. Having the active malicious processes hidden leads to incorrect results of the forensic investigation, rendering it unacceptable before court of law.","PeriodicalId":161694,"journal":{"name":"2018 3rd International Conference on Contemporary Computing and Informatics (IC3I)","volume":"37 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 3rd International Conference on Contemporary Computing and Informatics (IC3I)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IC3I44769.2018.9007293","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1
Abstract
The fact that any program to be executed must be loaded in random access memory makes it forensically critical and target-rich search location for evidence. Digital forensic investigation is incomplete without analyzing the physical memory. Random access memory holds the insights of a running system which constitutes the plethora of information some of which is unique to it. Among other information, random access memory holds running processes and process related information maintained in well-defined data structures. The threads spawned by specific processes also reside in this memory. With the advancement in cyber-attacks, malware tends to be memory resident that is hidden from the operating system to avoid detection via security or forensic tools. Both the user space and kernel space is exploited by hidden. This paper is focused towards analyzing the techniques used by rootkits to hide their processes in the memory achieved via hooking and Direct Kernel Object Manipulation (DKOM), the working of a rootkit and its detection. Having the active malicious processes hidden leads to incorrect results of the forensic investigation, rendering it unacceptable before court of law.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
