MemoryMonRWX: Detect Kernel-Mode Rootkits via Real-Time Logging & Controlling Memory Access

Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems new technologies developed by Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.

The details of MemoryMonRWX are here:

• paper: paper.pdf, paper.docx
• slides: slides.pdf, slides.pptx
• speech: speech.pdf, speech.docx
• PatchGuard Disabler: source code
• Two more demos from Satoshi: demo#1 and demo#2
• Satoshi Tanda's blog

Congratulations! Enjoyed to work with you

— Satoshi Tanda (@standa_t) May 16, 2017

Korkin, I., & Tanda, S. (2017, May 15-16). Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access. Paper presented at the Proceedings of the 12th annual Conference on Digital Forensics, Security and Law (CDFSL), Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from commons.erau.edu/adfsl/2017/papers/5/