K-Tracer: A System for Extracting Kernel Malware Behavior

Kernel rootkits can provide user level-malware programs with the additional capabilities of hiding their malicious activities by altering the legitimate kernel behavior of an operating system. While existing research has studied rootkit hooking behavior in an effort to help develop defense and remediation mechanisms, automated analysis of the actual malicious goals and capabilities of rootkits has not been adequately investigated. In this paper, we present an approach based on a combination of backward slicing and chopping techniques that enables automatic discovery of the system data manipulation behaviors of rootkits. We have built a system called K-Tracer that can dynamically analyze Windows kernel-level code and extract malicious behaviors from rootkits, including sensitive data access, modification and triggers. Our system overcomes several challenges of analyzing the Windows Kernel. We have performed experiments on several kernel malware samples and shown that our system can successfully extract all malicious data manipulation behaviors from them. We also discuss the limitations of our current system on newer rootkit strategies, and provide insight into how it can be extended to handle these