{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T09:40:06Z","timestamp":1763458806031,"version":"3.45.0"},"publisher-location":"New York, NY, USA","reference-count":61,"publisher":"ACM","license":[{"start":{"date-parts":[[2017,12,5]],"date-time":"2017-12-05T00:00:00Z","timestamp":1512432000000},"content-version":"vor","delay-in-days":365,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1117369,1527398"],"award-info":[{"award-number":["1117369,1527398"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2016,12,5]]},"DOI":"10.1145\/3015135.3015138","type":"proceedings-article","created":{"date-parts":[[2016,12,7]],"date-time":"2016-12-07T15:36:32Z","timestamp":1481124992000},"page":"1-12","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Detecting rootkits with the RAI runtime application inventory"],"prefix":"10.1145","author":[{"given":"Shabnam","family":"Aboughadareh","sequence":"first","affiliation":[{"name":"The University of Texas at Arlington"}]},{"given":"Christoph","family":"Csallner","sequence":"additional","affiliation":[{"name":"The University of Texas at Arlington"}]}],"member":"320","published-online":{"date-parts":[[2016,12,5]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Trusted Platform Module. ISO\/IEC 11889 May 2009."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516650"},{"key":"e_1_3_2_1_3_1","unstructured":"N. Bareil. ld-linux.so ELF hooker. http:\/\/justanothergeek.chdir.org\/2011\/11\/ld-linuxso-elf-hooker\/. Accessed Sept. 
2016."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/11799313_17"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.5555\/1077084"},{"key":"e_1_3_2_1_6_1","volume-title":"linux-syscall-hooker. https:\/\/github.com\/ebradbury\/linux-syscall-hooker. Accessed","author":"Bradbury E.","year":"2016","unstructured":"E. Bradbury. linux-syscall-hooker. https:\/\/github.com\/ebradbury\/linux-syscall-hooker. Accessed Sept. 2016."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.5555\/1247415.1247417"},{"volume-title":"Aug.","year":"2012","key":"e_1_3_2_1_8_1","unstructured":"cert.pl. More human than human: Flame's code injection techniques. https:\/\/www.cert.pl\/en\/news\/single\/more-human-than-human-flames-code-injection-techniques\/, Aug. 2012. Accessed Sept. 2016."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.5555\/1855711.1855736"},{"key":"e_1_3_2_1_10_1","volume-title":"Black Hat Europe","author":"Clowes S.","year":"2001","unstructured":"S. Clowes. Injectso: Modifying and spying on running processes under linux and solaris. In Black Hat Europe, Nov. 2001."},{"key":"e_1_3_2_1_11_1","volume-title":"Black Hat USA","author":"Conover M.","year":"2009","unstructured":"M. Conover and T.-c. Chiueh. Code injection from the hypervisor: Removing the need for in-guest agents. Black Hat USA, July 2009."},{"key":"e_1_3_2_1_12_1","volume-title":"Suterusu rootkit: Inline kernel function hooking on x86 and ARM. https:\/\/poppopret.org\/2013\/01\/07\/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm\/. Accessed","author":"Coppola M.","year":"2016","unstructured":"M. Coppola. Suterusu rootkit: Inline kernel function hooking on x86 and ARM. https:\/\/poppopret.org\/2013\/01\/07\/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm\/. Accessed Sept. 2016."},{"key":"e_1_3_2_1_13_1","volume-title":"Powerful disassembler library for x86\/amd64. https:\/\/github.com\/gdabah\/distorm. 
Accessed","author":"Dabah G.","year":"2016","unstructured":"G. Dabah. Distorm: Powerful disassembler library for x86\/amd64. https:\/\/github.com\/gdabah\/distorm. Accessed Sept. 2016."},{"volume-title":"State of infections report: Q4","year":"2014","key":"e_1_3_2_1_14_1","unstructured":"Damballa. State of infections report: Q4 2014. http:\/\/landing.damballa.com\/state-infections-report-q4-2014.html. Accessed Sept. 2016."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966920"},{"key":"e_1_3_2_1_16_1","volume-title":"Using CPU system management mode to circumvent operating system security functions. CanSecWest\/core06","author":"Duflot L.","year":"2006","unstructured":"L. Duflot, D. Etiemble, and O. Grumelard. Using CPU system management mode to circumvent operating system security functions. CanSecWest\/core06, 2006."},{"key":"e_1_3_2_1_17_1","volume-title":"Kernel address space layout randomization","author":"Edge J.","year":"2013","unstructured":"J. Edge. Kernel address space layout randomization. Oct. 2013."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"crossref","unstructured":"W. Felter A. Ferreira R. Rajamony and J. Rubio. An updated performance comparison of virtual machines and Linux containers. 
Technical Report RC25482 IBM Research July 2014.","DOI":"10.1109\/ISPASS.2015.7095802"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2007.71"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/CLOUD.2014.27"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1950365.1950398"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.5555\/1076346"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.5555\/1855768.1855792"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1880043.1880045"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1133058.1133063"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420983"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/191177.191183"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.45"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2004.19"},{"key":"e_1_3_2_1_30_1","volume-title":"Duqu: A stuxnet-like malware found in the wild. Technical report","author":"Cryptography Laboratory","year":"2011","unstructured":"Laboratory of Cryptography and System Security (CrySyS). Duqu: A stuxnet-like malware found in the wild. Technical report, Budapest University of Technology and Economics, Oct. 2011."},{"key":"e_1_3_2_1_31_1","volume-title":"Black Hat Europe","author":"Lineberry A.","year":"2009","unstructured":"A. Lineberry. Malicious code injection via \/dev\/mem. Black Hat Europe, Mar. 2009."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1314354.1314362"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.5555\/1884848.1884851"},{"key":"e_1_3_2_1_34_1","first-page":"2010","author":"Matrosov A.","year":"2010","unstructured":"A. Matrosov, E. Rodionov, D. Harley, and J. Malcho. Stuxnet under the microscope. 
ESET LLC (September 2010), 2010.","journal-title":"Stuxnet under the microscope. ESET"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/1352592.1352625"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1002\/spe.2317"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1002\/spe.2197"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382202"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.5555\/559906"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.5555\/1496711.1496718"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/1622103.1629656"},{"key":"e_1_3_2_1_42_1","first-page":"221","volume-title":"Proc. USENIX Summer Technical Conference","author":"Olsson R. A.","year":"1990","unstructured":"R. A. Olsson, R. H. Crawford, and W. W. Ho. Dalek: A GNU, improved programmable debugger. In Proc. USENIX Summer Technical Conference, pages 221--232. USENIX, June 1990."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920269"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.32"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.5555\/1251375.1251388"},{"key":"e_1_3_2_1_46_1","volume-title":"May","author":"Ponemon Institute","year":"2014","unstructured":"Ponemon Institute. 2014 cost of data breach study: Global analysis, May 2014."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.5555\/1433006.1433008"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/1519065.1519072"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/2133375.2133377"},{"key":"e_1_3_2_1_50_1","first-page":"2","volume-title":"Hack in the Box security Conference","author":"Rutkowska J.","year":"2005","unstructured":"J. Rutkowska. System virginity verifier. 
In Hack in the Box security Conference, pages 2--25, 2005."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.5555\/1251375.1251391"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.scico.2008.09.005"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/1294261.1294294"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/1095810.1095812"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.5555\/2181153"},{"key":"e_1_3_2_1_56_1","volume-title":"sKyWIper (a.k.a. flame a.k.a. flamer): A complex malware for targeted attacks. Technical report","author":"Team Iper Analysis","year":"2012","unstructured":"sKyWIper Analysis Team. sKyWIper (a.k.a. flame a.k.a. flamer): A complex malware for targeted attacks. Technical report, Budapest University of Technology and Economics, May 2012."},{"key":"e_1_3_2_1_57_1","volume-title":"Lime: Linux memory extractor. https:\/\/github.com\/504ensicslabs\/lime","author":"Sylve J.","year":"2016","unstructured":"J. Sylve. Lime: Linux memory extractor. https:\/\/github.com\/504ensicslabs\/lime. September 2016."},{"key":"e_1_3_2_1_58_1","volume-title":"Black Hat USA Briefings. UBM Tech","author":"Torrey J.","year":"2014","unstructured":"J. Torrey. MoRE shadow walker: TLB-splitting on modern x86. In Black Hat USA Briefings. UBM Tech, Aug. 2014."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.5555\/2034161.2034196"},{"key":"e_1_3_2_1_60_1","volume-title":"Black Hat Europe","author":"Xue F.","year":"2008","unstructured":"F. Xue. Attacking antivirus. In Black Hat Europe, Mar. 
2008."},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2013.02.002"}],"event":{"name":"SSPREW '16: Software Security, Protection, and Reverse Engineering Workshop","acronym":"SSPREW '16","location":"Los Angeles California USA"},"container-title":["Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3015135.3015138","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3015135.3015138","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3015135.3015138","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T09:35:32Z","timestamp":1763458532000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3015135.3015138"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,12,5]]},"references-count":61,"alternative-id":["10.1145\/3015135.3015138","10.1145\/3015135"],"URL":"https:\/\/doi.org\/10.1145\/3015135.3015138","relation":{},"subject":[],"published":{"date-parts":[[2016,12,5]]},"assertion":[{"value":"2016-12-05","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}