nbulischeck / tyton

Kernel-Mode Rootkit Hunter
https://nbulischeck.github.io/tyton/
GNU General Public License v3.0

[Feature Request] Detect Syscall Hooking by KHOOK #15

Open nbulischeck opened 5 years ago

nbulischeck commented 5 years ago

Currently we can't detect if KHOOK has been used to hook kernel functions. This is because it doesn't mess with the pointer, but the function itself by inserting assembly to get it to jump into a custom hook in the LKM.

This should be detectable by (at least in a non-extensible way), comparing the assembly to see if any suspicious jumps are performed immediately in the function.

dvadell commented 5 years ago

What about making a shadow copy of the function and compare it? Of course tyton should be loaded in a clean state, but it could detect a modification made afterwards.

Or maybe checksum the whole function?

nbulischeck commented 5 years ago

@dvadell What do you mean by shadow copy? In my mind that's a full copy of the function put into memory and then to check do a byte by byte comparison. I like the checksum idea. The alternative is to do exactly what KHOOK does in the first place (insert instructions) and check to see if they're there. IIRC, KHOOK inserts a jump into the front of the function to get inside the rootkit.

dvadell commented 5 years ago

Yes, that's what I was referring to when I said shadow copy. I don't know what's easier to implement.

But the problem with inserting an instruction (as a canary, I imagine?) like KHOOK does is that you will be changing something. I think it's better to leave everything as it is, and detect any change.

nbulischeck commented 5 years ago

I didn't mean inserting an instruction, but rather using the instruction API to detect insertions. A shadow copy would, I'd imagine, be fairly easy to implement, but performance-wise I'm not keen on copying every syscall in the kernel.
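As an added example, not code from tyton or from anyone in this thread: the two checks discussed above, a checksum baseline over a function's bytes and a look for a jump patched over its first instruction, written as userspace C over constructed byte buffers (the real check would read kernel text from inside the LKM). The FNV-1a checksum, the x86-64 jump encodings it recognises and the sample prologue bytes are my assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* FNV-1a over a function's bytes: the "checksum" baseline taken when tyton loads in a clean state. */
uint64_t fn_checksum(const uint8_t *code, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Returns 1 if the first instruction is a jump of a kind an inline hook would plant (x86-64 encodings,
 * assumed): E9 rel32 (jmp), FF 25 disp32 (jmp [rip+disp]), or 48 B8 imm64 ; FF E0 (mov rax,imm ; jmp rax). */
int starts_with_jump(const uint8_t *code, size_t len) {
    if (len >= 5 && code[0] == 0xE9) return 1;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return 1;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 && code[10] == 0xFF && code[11] == 0xE0) return 1;
    return 0;
}

/* Verdict: 0 = unchanged since baseline, 1 = bytes changed somewhere, 2 = changed and the function now
 * begins with a jump (the KHOOK-style pattern described in the thread). */
int check_function(const uint8_t *code, size_t len, uint64_t baseline) {
    if (fn_checksum(code, len) == baseline) return 0;
    return starts_with_jump(code, len) ? 2 : 1;
}

/* Constructed samples (not real kernel code): a plain prologue, the same bytes with an E9 rel32
 * written over the first five, and the same bytes with one byte changed deeper in the body. */
static const uint8_t clean_fn[]   = { 0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10, 0x90, 0x90, 0x90, 0x90, 0x5D, 0xC3 };
static const uint8_t hooked_fn[]  = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x83, 0xEC, 0x10, 0x90, 0x90, 0x90, 0x90, 0x5D, 0xC3 };
static const uint8_t patched_fn[] = { 0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10, 0x90, 0xCC, 0x90, 0x90, 0x5D, 0xC3 };

int main(void) {
    uint64_t baseline = fn_checksum(clean_fn, sizeof clean_fn); /* recorded at load time */
    printf("clean:   %d\n", check_function(clean_fn, sizeof clean_fn, baseline));
    printf("hooked:  %d\n", check_function(hooked_fn, sizeof hooked_fn, baseline));
    printf("patched: %d\n", check_function(patched_fn, sizeof patched_fn, baseline));
    return 0;
}
```

The checksum alone catches both modified samples; the prologue check is what separates a leading jump from any other change, which is the distinction the thread draws between the two approaches.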