Kernel integrity checking
Implementation and evaluation
Limitations and future work
KOP (Kernel Object Pinpointer)
SFPD (Subverted Function Pointer Detector)
GHOST (General Hidden Object Scanning Tool)
KOP has two main
A static analysis
Extended type graph
A memory analysis
Compute three set of 4 canonical forms of
information: pointer assignments:
Object type definitions x=y
Declared type and x = &y
relative addresses of *x = y
global variables x = *y
Candidate target type
for generic pointers
Based on the medium-
Modify the algorithm to For example:
create points-to graph _Entry = t286 due to the
an eage (src, dst) function call at line 25
=> (src, dst, n, ops) => (_Entry, t286, 0,
n is a pointer offset (for call@file : 25)
op that specifies the call
or return operation
involved in the
assignment (for context-
Type ambiguities com from two sources:
Consider two constraints when determining the
correct candidate type:
Based on the observation that the data stored by certain
data types must have specific properties
Recursively for their child object up to a certain depth
The key idea is to leverage the kernel memory pool
A dynamic array is usually allocated in to possible ways:
It may take up a whole pool block.
It may extend an object whose last field is defined as an
array of size 0 or 1.
Check each allocated pool block to recognize dynamic
arrays after the object traversal (without dynamic
arrays) is completed.
May incorrectly identify an object for three main
Choosing the wrong candidate when resolving type
Mistaking a dynamic array.
To reduce identification errors, we employ the
following two techniques:
Traverses the kernel memory in multiple rounds.
Use a safe-guard mechanism.
Function pointer checking (SFPD)
A white list of trusted modules
Check every function pointer in the kernel objects found
by KOP based on the following policy:
An explicit function pointer must point to trusted code; an
implicit function pointer must point to either trusted code or
a data object found by KOP; otherwise, the function pointer
is marked as malicious.
Hidden object discovery (GHOST)
Compare the list of all the objects of that type found b
KOP in a memory snapshot with the list of objects
returned by a program such as Task Manager.
KOP were implemented in C# with a total of 16000
lines of code.
Windows Vista SP1 with 63 kernel drivers.
Run in a Vmware virtual machine with 1GB RAM.
SFPD prototype has 1000 lines of C# code
GHOST prototype has 200 lines of C# code
Source code of the Vista SP1 kernel and the 63 drivers
with a total of 5 million lines of code.
Codebase contains 24423 data types and 9629 global
KOP needs less than 48 hours to complete its static
analysis on a 2.2 GHz QuadCore AMD Opteron machine
with 32 GB RAM.
VC (Verified Coverage) =
GC (Gross Coverage) =
Use a 4GHz Intel Xeon Duo Core machine with 3GB
Running time was 8 minutes, including the overhead of
reading the memory snapshot stored on the disk.
Test SFPD with eight real-world kernel malware
samples collected from a public database.
Running on a machine the same as previous page.
SFPD finishes a scan of a memory snapshot in less
than two minutes.
Identified all the malicious function pointers for all
eight malware samples with zero false alarms.
Test GHOST with two real-world kernel-mode
FURootkit (ported the XP-based to Vista SP1)
GHOST correctly identified all hidden objects in both
tests with zero false alarms.
Static analysis could be improved to automatically
handle the kernel implementation corner cases in a
more general way.
Increase the scope of our static analysis to determine
domain constraints for other basic types in addition to
It’s will have error if a very large number of pointers
inside an object is manipulated.
Dynamic kernel data have become a common target
for malware looking to evade traditional code and
static data-based integrity monitors
KOP, a system that can map dynamic kernel objects
with very high coverage and accuracy by leveraging a
set of novel techniques in static source code analysis
and memory analysis