Shue, Craig A.
Rootkits are dangerous and hard to detect. A rootkit is malware specifically designed to be stealthy and maintain control of a computer. Existing detection mechanisms are insufficient to reliably detect rootkits, due to fundamental problems with the way they operate. This MQP has two major contributions. The first is a Red Team analysis of WinKIM, a rootkit detection tool. The analysis shows my attempts to find flaws in WinKIM's ability to detect rootkits. WinKIM monitors a subset of Windows data structures; I show that this set is insufficient to detect all possible rootkits. The second is the enumeration of data structures in the Windows kernel which can be targeted by a rootkit. These structures are those which a detector would have to measure in order to detect any rootkit.
Worcester Polytechnic Institute
Major Qualifying Project
All authors have granted to WPI a nonexclusive royalty-free license to distribute copies of the work, subject to other agreements. Copyright is held by the author or authors, with all rights reserved, unless otherwise noted.
Your accessibility may vary due to other restrictions.