Rootkits are dangerous and hard to detect. A rootkit is malware specifically designed to be stealthy and maintain control of a computer. Existing detection mechanisms are insufficient to reliably detect rootkits, due to fundamental problems with the way they operate. This MQP has two major contributions. The first is a Red Team analysis of WinKIM, a rootkit detection tool. The analysis shows my attempts to find flaws in WinKIM's ability to detect rootkits. WinKIM monitors a subset of Windows data structures; I show that this set is insufficient to detect all possible rootkits. The second is the enumeration of data structures in the Windows kernel which can be targeted by a rootkit. These structures are those which a detector would have to measure in order to detect any rootkit.

• This report represents the work of one or more WPI undergraduate students submitted to the faculty as evidence of completion of a degree requirement. WPI routinely publishes these reports on its website without editorial or peer review.

Creator

• Stepanian, Caleb Martin

Publisher

• Worcester Polytechnic Institute

Identifier

• E-project-102715-205100

Advisor

• Shue, Craig A.

Year

• 2015

Center

• MITRE-Bedford, Massachusetts Project Center - MQP

Sponsor

• MITRE

Date created

• 2015-10-27

Resource type

• Major Qualifying Project

Major

• Computer Science

Rights statement

• In Copyright