Detailed Information
Cited 1 time in 
Cited 2 time in 
Cited 2 time in
Metadata Downloads
Dual-Mode Kernel Rootkit Scan and Recovery with Process ID Brute-Force
- Issue Date
- Mar-2017
- Publisher
- AMER SCIENTIFIC PUBLISHERS
- Keywords
- Rootkit; PIDB; AL-DKOM; Dual-Mode
- Citation
- ADVANCED SCIENCE LETTERS, v.23, no.3, pp 1573 - 1577
- Pages
- 5
- Indexed
- SCOPUS
- Journal Title
- ADVANCED SCIENCE LETTERS
- Volume
- 23
- Number
- 3
- Start Page
- 1573
- End Page
- 1577
- ISSN
- 1936-6612
1936-7317
- Abstract
- Rootkit is a malware that attacks a system continuously by hiding files, processes, and registries in a system. DKOM (Direct Kernel Object Manipulation) is a process hiding technique that manipulates a kernel object. AL-DKOM (All Link-Direct Kernel Object Manipulation) is an extended version of DKOM that manipulates all the modifiable links in the kernel object. It is difficult to detect with existing tools. This paper designed and implemented a new AL-DKOM detection system using dual-mode operation and PIDB-based process scan that was not possible with existing List Walking method. In addition, we explain the recovery procedure of the infected system and flexible system management via process recovery that has not been tried before. We then show the performance of the new system by comparing and analyzing the effectiveness of the new system and existing rootkit scanning tools with real rootkit samples.
- Files in This Item
- There are no files associated with this item.
- Appears in
Collections - ETC > 1. Journal Articles
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.
Related Researcher
- Kim, Dong Ho
- Software Education Institute