Abstract: An approach for detecting a kernel-level rootkit is presented. A changed entry in a System Service Descriptor Table (SSDT) or an Interrupt Descriptor Table (IDT) is detected. The changed entry results from an installation of suspect software. The changed entry is determined to be not referenced by a white list. A black list is updated to reference the changed entry to indicate the changed entry results from an installation of the kernel-level rootkit. The suspect software is determined to be the kernel-level rootkit based on the changed entry not being referenced by the white list. The changed entry is restored to an entry included in a first state of an operating system kernel. The first state is based on the SSDT and IDT referencing hooks indicated in the white list, where the hooks are not the result of an installation of any kernel-level rootkit.

Abstract: An approach for detecting a kernel-level rootkit is presented. A changed entry in a System Service Descriptor Table (SSDT) or an Interrupt Descriptor Table (IDT) is detected. The changed entry results from an installation of suspect software. The changed entry is determined to be not referenced by a white list. A black list is updated to reference the changed entry to indicate the changed entry results from an installation of the kernel-level rootkit. The suspect software is determined to be the kernel-level rootkit based on the changed entry not being referenced by the white list. The changed entry is restored to an entry included in a first state of an operating system kernel. The first state is based on the SSDT and IDT referencing hooks indicated in the white list, where the hooks are not the result of an installation of any kernel-level rootkit.

Abstract: A rootkit monitoring agent (RMA) built into an operating system (OS) kernel for detecting a kernel-based rootkit and preventing subsequent effects of the rootkit. The RMA is activated as a kernel process subsequent to the OS initialization and stores a good state of OS kernel data structures including the System Service Descriptor Table (SSDT) and Interrupt Descriptor Table (IDT). The RMA monitors the SSDT and IDT and detects that a hook previously stored in the good state is changed by an installation of suspect software. The RMA determines the suspect software is a kernel-based rootkit by determining a whitelist does not indicate the changed hook. The RMA restores the changed hook to its good state. The RMA updates a blacklist to reference the changed hook.

Abstract: A rootkit monitoring agent (RMA) built into an operating system (OS) kernel for detecting a kernel-based rootkit and preventing subsequent effects of the rootkit. The RMA is activated as a kernel process subsequent to the OS initialization and stores a good state of OS kernel data structures including the System Service Descriptor Table (SSDT) and Interrupt Descriptor Table (IDT). The RMA monitors the SSDT and IDT and detects that a hook previously stored in the good state is changed by an installation of suspect software. The RMA determines the suspect software is a kernel-based rootkit by determining a whitelist does not indicate the changed hook. The RMA restores the changed hook to its good state. The RMA updates a blacklist to reference the changed hook.