Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Igor Korkin, Satoshi Tanda

TL;DR
This paper introduces MemoryMonRWX, a bare-metal hypervisor that uses Intel VT-x with EPT to log and control memory accesses in real time in order to detect kernel-mode rootkits. It traps read, write, and execute accesses to chosen kernel memory at page granularity, and it keeps protecting critical kernel structures even when PatchGuard has been disabled by malware, which is the gap rootkits exploit against traditional defenses.
Contribution
The paper presents MemoryMonRWX, a novel hypervisor that guarantees interception of all memory accesses, supporting multi-core CPUs and 64-bit Windows, enhancing kernel memory protection.
Findings
Successfully intercepts all memory access types
Protects kernel memory even when PatchGuard is disabled
Operates with low performance impact
Abstract
Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies developed by Intel and AMD for their CPUs may be applied. To deal with the new malware, we propose monitoring and controlling access to memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support for multi-core CPUs, and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance…
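The mechanism the abstract relies on is that an EPT leaf entry carries its own read/write/execute bits, so the hypervisor can strip a permission from a guest page and receive a VM exit, with an exit qualification describing the attempted access, whenever the guest touches it. The following is an added example of that trap-log-decide loop in simulated form; it is not MemoryMonRWX's code or any part of the paper. It assumes a simplified 16-page identity-mapped EPT (the real entry format has more fields), models the monitor-trap-flag re-arm as a single step after the trapped instruction, and uses constructed page addresses (page 3 standing in for a kernel code page, page 5 unmonitored). The exit-qualification bit positions are those documented in the Intel SDM for EPT violations.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified EPT 4K leaf entry: bit 0 = read, bit 1 = write, bit 2 = execute,
   bits 12..51 = host physical frame. Memory type etc. are omitted (a model,
   not a usable EPT). */
#define EPT_R 0x1ULL
#define EPT_W 0x2ULL
#define EPT_X 0x4ULL
#define EPT_PERMS (EPT_R | EPT_W | EPT_X)

/* Exit-qualification bits delivered with an EPT-violation VM exit (Intel SDM):
   bits 0-2 say what the guest attempted, bits 3-5 what the entry permitted. */
#define EPTV_DATA_READ  (1ULL << 0)
#define EPTV_DATA_WRITE (1ULL << 1)
#define EPTV_INSN_FETCH (1ULL << 2)
#define EPTV_WAS_R      (1ULL << 3)
#define EPTV_WAS_W      (1ULL << 4)
#define EPTV_WAS_X      (1ULL << 5)

#define NPAGES  16      /* toy guest: 16 pages, identity-mapped (assumption) */
#define MAX_LOG 64

typedef enum { ACC_READ, ACC_WRITE, ACC_EXEC } access_t;

struct log_entry { uint64_t gpa; uint64_t qual; };

struct monitor {
    uint64_t ept[NPAGES];    /* EPT leaf entries, indexed by gpa >> 12 */
    uint64_t armed[NPAGES];  /* permissions stripped for monitoring; re-applied after each trapped access */
    struct log_entry log[MAX_LOG];
    size_t nlog;
};

void monitor_init(struct monitor *m) {
    memset(m, 0, sizeof *m);
    for (uint64_t i = 0; i < NPAGES; i++)
        m->ept[i] = (i << 12) | EPT_PERMS;   /* identity map, full access */
}

/* Put a page under monitoring: every access of the stripped kinds now exits. */
void monitor_protect(struct monitor *m, uint64_t gpa, uint64_t strip) {
    uint64_t idx = gpa >> 12;
    if (idx >= NPAGES) return;
    m->armed[idx] |= strip & EPT_PERMS;
    m->ept[idx]   &= ~m->armed[idx];
}

/* What the CPU does on the access: true if an EPT violation would be raised;
   *qual is filled the way the hardware reports it. */
bool ept_check(const struct monitor *m, uint64_t gpa, access_t type, uint64_t *qual) {
    uint64_t pte = m->ept[gpa >> 12], q = 0, need;
    if (pte & EPT_R) q |= EPTV_WAS_R;
    if (pte & EPT_W) q |= EPTV_WAS_W;
    if (pte & EPT_X) q |= EPTV_WAS_X;
    switch (type) {
    case ACC_READ:  q |= EPTV_DATA_READ;  need = EPT_R; break;
    case ACC_WRITE: q |= EPTV_DATA_WRITE; need = EPT_W; break;
    default:        q |= EPTV_INSN_FETCH; need = EPT_X; break;
    }
    *qual = q;
    return (pte & need) == 0;
}

/* Hypervisor-side VM-exit handler: log every trapped access; refuse writes
   when deny_writes is set, otherwise restore the missing permission so the
   faulting instruction can be re-executed. */
bool handle_ept_violation(struct monitor *m, uint64_t gpa, uint64_t qual, bool deny_writes) {
    if (m->nlog < MAX_LOG)
        m->log[m->nlog++] = (struct log_entry){ gpa, qual };
    if ((qual & EPTV_DATA_WRITE) && deny_writes)
        return false;                 /* protected region: the write never lands */
    uint64_t *pte = &m->ept[gpa >> 12];
    if (qual & EPTV_DATA_READ)  *pte |= EPT_R;
    if (qual & EPTV_DATA_WRITE) *pte |= EPT_W;
    if (qual & EPTV_INSN_FETCH) *pte |= EPT_X;
    return true;
}

/* One guest memory access end to end. Returns true if it completed. */
bool guest_access(struct monitor *m, uint64_t gpa, access_t type, bool deny_writes) {
    uint64_t qual, idx = gpa >> 12;
    if (idx >= NPAGES) return false;
    if (!ept_check(m, gpa, type, &qual))
        return true;                  /* no exit: native speed, nothing logged */
    if (!handle_ept_violation(m, gpa, qual, deny_writes))
        return false;
    /* Instruction retires; the monitor-trap-flag exit a real hypervisor
       requests then re-strips the permissions (modelled here as one step). */
    m->ept[idx] &= ~m->armed[idx];
    return true;
}

static struct monitor g_mon;

/* Constructed scenario: page 3 stands in for a kernel code page (log fetches,
   refuse writes); page 5 is unmonitored. Returns a bitmask of which accesses completed. */
int demo_scenario(void) {
    monitor_init(&g_mon);
    monitor_protect(&g_mon, 0x3000, EPT_W | EPT_X);
    int r = 0;
    r |= guest_access(&g_mon, 0x3010, ACC_READ,  true) << 0;  /* read still allowed, no exit */
    r |= guest_access(&g_mon, 0x3010, ACC_WRITE, true) << 1;  /* patch attempt: logged and blocked */
    r |= guest_access(&g_mon, 0x3020, ACC_EXEC,  true) << 2;  /* logged, allowed, re-armed */
    r |= guest_access(&g_mon, 0x3020, ACC_EXEC,  true) << 3;  /* exits again: re-arm worked */
    r |= guest_access(&g_mon, 0x5000, ACC_WRITE, true) << 4;  /* unmonitored page: no exit */
    return r;
}

int main(void) {
    int r = demo_scenario();
    printf("completed mask: 0x%x\n", r);
    for (size_t i = 0; i < g_mon.nlog; i++)
        printf("exit %zu: gpa=0x%llx qual=0x%llx\n", i,
               (unsigned long long)g_mon.log[i].gpa, (unsigned long long)g_mon.log[i].qual);
    return 0;
}
```

The design point worth noticing is the re-arm step: granting the permission back so the instruction can complete is unavoidable, so the hypervisor must take a second exit (MTF or an equivalent single-step) to strip it again, otherwise only the first access to a page is ever seen. The per-page `armed` mask is what makes the "guaranteed interception of every memory access" claim hold in this model, and it is also where the cost on hot pages comes from.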
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Network Security and Intrusion Detection
