{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:28:45Z","timestamp":1750307325317,"version":"3.41.0"},"reference-count":21,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2011,8,4]],"date-time":"2011-08-04T00:00:00Z","timestamp":1312416000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGSOFT Softw. Eng. Notes"],"published-print":{"date-parts":[[2011,8,4]]},"abstract":"<jats:p>Kernel level rootkits pose a serious threat today as they not only mask their own presence but also mask the malware that comes attached with them. Rootkits achieve such stealthy behavior by manipulating the control flow of system calls through hooks and by modifying kernel objects, viz., the driver and process lists, directly. Existing antiviruses that rely on signature based techniques for the detection of malware are effective only against known rootkits. However, as hackers change the coding style of rootkits, antiviruses fail to detect them, and rootkits and their malicious activities are hidden from the view of the administrator. Thus, all data on the compromised system becomes vulnerable to theft and all services running on it can be misused by the remote attacker without even the slightest chance of being discovered. Other rootkit detection techniques such as integrity checking, alternate trusted medium, and memory dumping require frequent offline analysis and fail to unload or block the rootkit.<\/jats:p>\n          <jats:p>This paper addresses these challenges and proposes an online cross view difference and behavior based kernel rootkit detector to overcome them. 
Our proposed solution, Kernel Rootkit Trojan Detector (KeRTD), is a host-based, cross view difference-based solution that enables online analysis and aids the immediate detection of rootkits. A simple view difference between a snapshot of the Task Manager in user mode and the KeRTD Process and Driver List helps detect hidden rootkits and other hidden malware. All rootkits follow a generic pattern of infection, such as installing kernel hooks and modifying kernel objects. This generic behavior of rootkits is exploited in KeRTD to detect and restore the kernel hooks, thus blocking them from further infection. Every file and memory access is verified against an Access Control List to avoid subversion of KeRTD and the operating system kernel. This proposal has been implemented on the Windows operating system and tested against various methods of attack by kernel rootkits. The results confirm the detection of the kernel rootkits.<\/jats:p>","DOI":"10.1145\/1988997.1989022","type":"journal-article","created":{"date-parts":[[2011,8,10]],"date-time":"2011-08-10T16:16:22Z","timestamp":1312992982000},"page":"1-9","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["An online cross view difference and behavior based kernel rootkit detector"],"prefix":"10.1145","volume":"36","author":[{"given":"Chandrabhanu","family":"Mahapatra","sequence":"first","affiliation":[{"name":"National Institute of Technology Tiruchirappalli, Tiruchirappalli, Tamil Nadu, India"}]},{"given":"S.","family":"Selvakumar","sequence":"additional","affiliation":[{"name":"National Institute of Technology Tiruchirappalli, Tiruchirappalli, Tamil Nadu, India"}]}],"member":"320","published-online":{"date-parts":[[2011,8,4]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2008.06.003"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2005.39"},{"volume-title":"Proceedings of the 4th ACM 
European conference on Computer systems, 369--384","author":"Grizzard J. B.","key":"e_1_2_1_3_1","unstructured":"Grizzard , J. B. , Levine , J. G. , and Owen , H. L . 2009. Reestablishing Trust in Compromised Systems: Recovering from Rootkits That Trojan the System Call Table . In Proceedings of the 4th ACM European conference on Computer systems, 369--384 . Grizzard, J. B., Levine, J. G., and Owen, H. L. 2009. Reestablishing Trust in Compromised Systems: Recovering from Rootkits That Trojan the System Call Table. In Proceedings of the 4th ACM European conference on Computer systems, 369--384."},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1519065.1519072"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1698750.1698752"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.csi.2009.04.004"},{"key":"e_1_2_1_7_1","volume-title":"Programming The Windows Driver Model","author":"Oney W.","unstructured":"Oney , W. 2003. Programming The Windows Driver Model , 2 nd Edition. Microsoft Press . Oney, W. 2003. Programming The Windows Driver Model, 2nd Edition. Microsoft Press.","edition":"2"},{"key":"e_1_2_1_8_1","unstructured":"RicVieler. 2007. Professional Rootkits WroxPress.   RicVieler. 2007. Professional Rootkits WroxPress."},{"key":"e_1_2_1_9_1","volume-title":"Microsoft Windows Internals","author":"Russinovich M. E.","year":"2003","unstructured":"Russinovich , M. E. , Solomon , D. A. Microsoft Windows Internals , Fourth Edition Microsoft Windows Server 2003 , Windows XP, and Windows 2000, Microsoft Press , December 08, 2004. Russinovich, M. E., Solomon, D. A. Microsoft Windows Internals, Fourth Edition Microsoft Windows Server 2003, Windows XP, and Windows 2000, Microsoft Press, December 08, 2004."},{"key":"e_1_2_1_10_1","volume-title":"Documentation, downloads and additional resources. 
Retrieved","author":"Windows Sysinternals","year":"2010","unstructured":"Windows Sysinternals : Documentation, downloads and additional resources. Retrieved August 3, 2010 , from Microsoft Corporation : http:\/\/technet.microsoft.com\/en-us\/sysinternals\/ Windows Sysinternals: Documentation, downloads and additional resources. Retrieved August 3, 2010, from Microsoft Corporation: http:\/\/technet.microsoft.com\/en-us\/sysinternals\/"},{"key":"e_1_2_1_11_1","volume-title":"Retrieved","author":"Rootkit","year":"2010","unstructured":"Rootkit -- Wikipedia , the free encyclopedia . Retrieved July 10, 2010 , from Wikimedia Foundation : http:\/\/en.wikipedia.org\/wiki\/Rootkit Rootkit -- Wikipedia, the free encyclopedia. Retrieved July 10, 2010, from Wikimedia Foundation: http:\/\/en.wikipedia.org\/wiki\/Rootkit"},{"key":"e_1_2_1_12_1","unstructured":"OSR Online -- The Home page for Windows Driver Developers. Retrieved August 1 2010: http:\/\/www.osronline.com\/  OSR Online -- The Home page for Windows Driver Developers. Retrieved August 1 2010: http:\/\/www.osronline.com\/"},{"key":"e_1_2_1_13_1","volume-title":"Rootkits: The Obscure Hacker Attack. Retrieved","author":"Danseglio M.","year":"2010","unstructured":"Danseglio , M. , and Bailey , T . Rootkits: The Obscure Hacker Attack. Retrieved August 5, 2010 , from Microsoft Corporation : http:\/\/technet.microsoft.com\/en-us\/library\/cc512642.aspx Danseglio, M., and Bailey, T. Rootkits: The Obscure Hacker Attack. Retrieved August 5, 2010, from Microsoft Corporation: http:\/\/technet.microsoft.com\/en-us\/library\/cc512642.aspx"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/191177.191183"},{"key":"e_1_2_1_15_1","volume-title":"Introducing Ring -3 Rootkits","author":"Tereshkin A.","year":"2009","unstructured":"Tereshkin , A. , and Wojtczuk , R . Introducing Ring -3 Rootkits , 2009 . 
Retrieved August 5, 2010, from Invisible Things Lab : http:\/\/invisiblethingslab.com\/resources\/bh09usa\/Ring%20-3%20Rootkits.pdf Tereshkin, A., and Wojtczuk, R. Introducing Ring -3 Rootkits, 2009. Retrieved August 5, 2010, from Invisible Things Lab: http:\/\/invisiblethingslab.com\/resources\/bh09usa\/Ring%20-3%20Rootkits.pdf"},{"key":"e_1_2_1_16_1","unstructured":"Ries C.Inside windows rootkits. Retrieved September 7 2010: http:\/\/www.madchat.fr\/vxdevl\/library\/Inside%20Windows%20Rootkits.pdf  Ries C.Inside windows rootkits. Retrieved September 7 2010: http:\/\/www.madchat.fr\/vxdevl\/library\/Inside%20Windows%20Rootkits.pdf"},{"key":"e_1_2_1_17_1","unstructured":"Windows Rootkit Overview. Retrieved September 7 2010 from Symantec Corporation: http:\/\/www.symantec.com\/avcenter\/reference\/windows.rootkit.overview.pdf  Windows Rootkit Overview. Retrieved September 7 2010 from Symantec Corporation: http:\/\/www.symantec.com\/avcenter\/reference\/windows.rootkit.overview.pdf"},{"key":"e_1_2_1_18_1","unstructured":"GMER -- Rootkit Detector and Remover. Retrieved November 11 2010: http:\/\/www.gmer.net\/  GMER -- Rootkit Detector and Remover. Retrieved November 11 2010: http:\/\/www.gmer.net\/"},{"key":"e_1_2_1_19_1","unstructured":"Rootkit.com. Retrieved August 2 2010: http:\/\/www.rootkit.com  Rootkit.com. Retrieved August 2 2010: http:\/\/www.rootkit.com"},{"key":"e_1_2_1_20_1","unstructured":"Hex-Rays Home Page. Retrieved March 9 2011 from Hex-Rays SA: http:\/\/www.hex-rays.com\/idapro\/idadownfreeware.htm\/  Hex-Rays Home Page. Retrieved March 9 2011 from Hex-Rays SA: http:\/\/www.hex-rays.com\/idapro\/idadownfreeware.htm\/"},{"key":"e_1_2_1_21_1","volume-title":"Phase I and Phase II","author":"Mahapatra C.","year":"2010","unstructured":"Mahapatra , C. Kernel Rootkit Trojan Detection. M. Tech. Project reports , Phase I and Phase II , December 2010 and May 2011, Dept. of CSE, National Institute of Technology , Tiruchirappalli, Tamil Nadu, India. 
Mahapatra, C. Kernel Rootkit Trojan Detection. M. Tech. Project reports, Phase I and Phase II, December 2010 and May 2011, Dept. of CSE, National Institute of Technology, Tiruchirappalli, Tamil Nadu, India."}],"container-title":["ACM SIGSOFT Software Engineering Notes"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1988997.1989022","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1988997.1989022","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T11:06:00Z","timestamp":1750244760000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1988997.1989022"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2011,8,4]]},"references-count":21,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2011,8,4]]}},"alternative-id":["10.1145\/1988997.1989022"],"URL":"https:\/\/doi.org\/10.1145\/1988997.1989022","relation":{},"ISSN":["0163-5948"],"issn-type":[{"type":"print","value":"0163-5948"}],"subject":[],"published":{"date-parts":[[2011,8,4]]},"assertion":[{"value":"2011-08-04","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}