POSTER: HookLocator: Function Pointer Integrity Check- ing in Kernel Pools via Virtual Machine Introspection

With the introduction of kernel integrity checking mechanisms in modern operating systems, such as PatchGuard on Windows OS, malware developers can no longer easily install stealthy hooks in kernel code and well-known data structures. Instead, they must target other areas of the kernel, such as the heap, which stores a large number of function pointers that are potentially prone to malicious exploits. These areas of kernel memory are currently not monitored by kernel integrity checkers. Our novel approach to monitoring the integrity of Windows kernel pools called HookLocator is based entirely on virtual machine introspection and is the only system of its kind to allow both 32 and 64-bit versions of the Windows kernel to be monitored for function pointer integrity. Our system also scales easily to protect multiple virtualized targets. Unlike other kernel integrity checking mechanisms, HookLocator does not require the source code of the operating system, complex reverse engineering efforts, or the debugging map files.