{"id":162937,"date":"2012-08-01T00:00:00","date_gmt":"2012-08-01T00:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/msr-research-item\/tracking-rootkit-footprints-with-a-practical-memory-analysis-system\/"},"modified":"2018-10-16T21:13:20","modified_gmt":"2018-10-17T04:13:20","slug":"tracking-rootkit-footprints-with-a-practical-memory-analysis-system","status":"publish","type":"msr-research-item","link":"https:\/\/www.microsoft.com\/en-us\/research\/publication\/tracking-rootkit-footprints-with-a-practical-memory-analysis-system\/","title":{"rendered":"Tracking Rootkit Footprints with a Practical Memory Analysis System"},"content":{"rendered":"<p>In this paper, we present MAS, a practical memory analysis<br \/>\nsystem for identifying a kernel rootkit\u2019s memory<br \/>\nfootprint in an infected system. We also present two<br \/>\nlarge-scale studies of applying MAS to 848 real-world<br \/>\nWindows kernel crash dumps and 154,768 potential malware<br \/>\nsamples.<br \/>\nError propagation and invalid pointers are two key<br \/>\nchallenges that stop previous pointer-based memory<br \/>\ntraversal solutions from effectively and efficiently analyzing<br \/>\nreal-world systems. MAS uses a new memory<br \/>\ntraversal algorithm to support error correction and stop<br \/>\nerror propagation. Our enhanced static analysis allows<br \/>\nthe MAS memory traversal to avoid error-prone operations<br \/>\nand provides it with a reliable partial type assignment.<br \/>\nOur experiments show that MAS was able to analyze<br \/>\nall memory snapshots quickly with typical running times<br \/>\nbetween 30 and 160 seconds per snapshot and with near<br \/>\nperfect accuracy. Our kernel malware study observes<br \/>\nthat the malware samples we tested hooked 191 different<br \/>\nfunction pointers in 31 different data structures. With<br \/>\nMAS, we were able to determine quickly that 95 out of<br \/>\nthe 848 crash dumps contained kernel rootkits.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this paper, we present MAS, a practical memory analysis system for identifying a kernel rootkit\u2019s memory footprint in an infected system. We also present two large-scale studies of applying MAS to 848 real-world Windows kernel crash dumps and 154,768 potential malware samples. Error propagation and invalid pointers are two key challenges that stop previous [&hellip;]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"msr-content-type":[3],"msr-research-highlight":[],"research-area":[13558],"msr-publication-type":[193716],"msr-product-type":[],"msr-focus-area":[],"msr-platform":[],"msr-download-source":[],"msr-locale":[268875],"msr-post-option":[],"msr-field-of-study":[],"msr-conference":[],"msr-journal":[],"msr-impact-theme":[],"msr-pillar":[],"class_list":["post-162937","msr-research-item","type-msr-research-item","status-publish","hentry","msr-research-area-security-privacy-cryptography","msr-locale-en_us"],"msr_publishername":"USENIX Association","msr_edition":"Proceedings of the 21st USENIX Security Symposium","msr_affiliation":"","msr_published_date":"2012-08-01","msr_host":"","msr_duration":"","msr_version":"","msr_speaker":"","msr_other_contributors":"","msr_booktitle":"","msr_pages_string":"","msr_chapter":"","msr_isbn":"","msr_journal":"","msr_volume":"","msr_number":"","msr_editors":"","msr_series":"","msr_issue":"","msr_organization":"","msr_how_published":"","msr_notes":"","msr_highlight_text":"","msr_release_tracker_id":"","msr_original_fields_of_study":"","msr_download_urls":"","msr_external_url":"","msr_secondary_video_url":"","msr_longbiography":"","msr_microsoftintellectualproperty":1,"msr_main_download":"205879","msr_publicationurl":"","msr_doi":"","msr_publication_uploader":[{"type":"file","title":"mas-sec12.pdf","viewUrl":"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/02\/mas-sec12.pdf","id":205879,"label_id":0}],"msr_related_uploader":"","msr_attachments":[{"id":205879,"url":"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/02\/mas-sec12.pdf"}],"msr-author-ordering":[{"type":"user_nicename","value":"wdcui","user_id":34789,"rest_url":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/microsoft-research\/v1\/researchers?person=wdcui"},{"type":"user_nicename","value":"marcuspe","user_id":32804,"rest_url":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/microsoft-research\/v1\/researchers?person=marcuspe"},{"type":"text","value":"Zhilei Xu","user_id":0,"rest_url":false},{"type":"text","value":"Ellick Chan","user_id":0,"rest_url":false}],"msr_impact_theme":[],"msr_research_lab":[],"msr_event":[],"msr_group":[144840],"msr_project":[],"publication":[],"video":[],"download":[],"msr_publication_type":"inproceedings","related_content":[],"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/162937"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/msr-research-item"}],"version-history":[{"count":2,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/162937\/revisions"}],"predecessor-version":[{"id":533949,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/162937\/revisions\/533949"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=162937"}],"wp:term":[{"taxonomy":"msr-content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-content-type?post=162937"},{"taxonomy":"msr-research-highlight","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-highlight?post=162937"},{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=162937"},{"taxonomy":"msr-publication-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-publication-type?post=162937"},{"taxonomy":"msr-product-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-product-type?post=162937"},{"taxonomy":"msr-focus-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-focus-area?post=162937"},{"taxonomy":"msr-platform","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-platform?post=162937"},{"taxonomy":"msr-download-source","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-download-source?post=162937"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=162937"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=162937"},{"taxonomy":"msr-field-of-study","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-field-of-study?post=162937"},{"taxonomy":"msr-conference","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-conference?post=162937"},{"taxonomy":"msr-journal","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-journal?post=162937"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=162937"},{"taxonomy":"msr-pillar","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-pillar?post=162937"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}