Dynamic Detection of Process-Hiding Kernel Rootkits

Stealth rootkits that hide themselves on victim systems pose a major threat to computer systems. They are usually evasive as they use sophisticated stealth techniques to conceal files, processes, kernel modules, and other types of objects, making it extremely challenging to detect their presence in the victim system. However, current detection techniques are mostly system-specific and ineffective for unknown rootkits. In this paper, we present the design, implementation and evaluation of XView, a dynamic cross-view based approach to detect rootkits by identifying hidden processes. To this end, we continuously maintain a list of active processes outside the monitored system, and compare it with the list reported by the guest system. XView overcomes the semantic gap by intercepting and interpreting system call events of the guest operating system in a non-intrusive manner. It dynamically monitors the guest system and reconstructs semantic-level process information. Since it is not directed against any specific hiding techniques, it is able to detect unknown rootkits. We have developed an XView prototype and conducted experiments using eleven rootkit samples. Our evaluation results show that XView is able to identify processhiding behaviors of all samples with modest performance