The study of SSDT hook through comparative analysis between live response and memory image

  • Author(s) / Creator(s)
  • The purpose of a kernel rootkit is to prevent detection of a compromised operating system. System Service Dispatch Table (SSDT) hooking has been employed by most Windows kernel rootkits as a method of hiding files, processes and registry keys from system and investigative utilities, by determining what functions become the targets within the operating system. This paper describes a comparative analysis between the detection capabilities of a particular live response utility, MANDIANT Redline, and a memory image analysis utility, Volatility, when the SSDT has been hooked by a rootkit. This comparative analysis shows that Redline, when compared with Volatility, is significantly limited in its ability to detect SSDT hooks. We show that the limitations of this live response utility are due to the fact that it relies on system calls for detection of SSDT hooks. We further show that Redline fails to uncover other vital evidence that is both available in the memory image, and helpful to the investigation.

  • Date created
    2012-01-01
  • Subjects / Keywords
  • Type of Item
    Research Material
  • DOI
    https://doi.org/10.7939/r3-ftm6-q433
  • License
    Attribution-NonCommercial 4.0 International