Title: Analyzing Detection Avoidance of Malware by Process Hiding
Authors: Mariya Shafat Kirmani, M. T. Banday
DOI: 10.1109/IC3I44769.2018.9007293 (https://doi.org/10.1109/IC3I44769.2018.9007293)
Published in: 2018 3rd International Conference on Contemporary Computing and Informatics (IC3I), October 2018
Citation count: 1
Abstract
The fact that any program to be executed must be loaded into random access memory makes it a forensically critical and target-rich location to search for evidence. A digital forensic investigation is incomplete without analysis of physical memory. Random access memory holds the state of a running system, a wealth of information some of which exists nowhere else. Among other information, random access memory holds the running processes and process-related information maintained in well-defined data structures. The threads spawned by those processes also reside in this memory. With the advancement of cyber-attacks, malware tends to be memory resident and hidden from the operating system to avoid detection by security or forensic tools. Both user space and kernel space are exploited by hidden malware. This paper analyzes the techniques rootkits use to hide their processes in memory, achieved via hooking and Direct Kernel Object Manipulation (DKOM), the working of a rootkit, and its detection. Leaving active malicious processes hidden leads to incorrect results in the forensic investigation, rendering it unacceptable before a court of law.