Proposal / Submission Type: Peer Reviewed Paper
Location: Richmond, Virginia
Start Date: 12-6-2013 9:25 AM
Abstract
On Microsoft Windows operating systems, both anti-virus products and kernel rootkits often hook the System Service Dispatch Table (SSDT). This research paper investigates the interaction between the two with respect to the SSDT. To do so, we extracted digital evidence from volatile memory and studied that evidence using the Volatility framework. Because the selected anti-virus products use diverse detection techniques, and the rootkit samples use diverse infection techniques, our investigation produced correspondingly diverse results; these results helped us to understand several SSDT hooking strategies and the interaction between the selected anti-virus products and the rootkit samples.
Keywords: System Service Dispatch Table (SSDT), Anti-virus, Rootkits, Memory Analysis, Volatility
Scholarly Commons Citation
Al-Shaheri, Sami; Lindskog, Dale; Zavarsky, Pavol; and Ruhl, Ron, "A Forensic Study of the Effectiveness of Selected Anti-Virus Products Against SSDT Hooking Rootkits" (2013). Annual ADFSL Conference on Digital Forensics, Security and Law. 4.
https://commons.erau.edu/adfsl/2013/wednesday/4
Included in
Computer Engineering Commons, Computer Law Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, Information Security Commons
A Forensic Study of the Effectiveness of Selected Anti-Virus Products Against SSDT Hooking Rootkits