Computer Science ›› 2009, Vol. 36 ›› Issue (8): 133-137.


Windows Rootkit Detection Method Based on Cross-view

BAI Guang-dong,GUO Yao, CHEN Xiang-qun   

  • Online:2018-11-16 Published:2018-11-16

Abstract: Rootkits are often used by attackers to hide their tracks on an infected system, so that they can lurk in a compromised system for a longer time. Rootkits have become a new threat to operating-system security. This paper first presents a summary of rootkits and rootkit detection technologies on Windows. Building on existing techniques, it proposes a new method for detecting rootkits that rely on hidden processes. The method is based on cross-view comparison: it detects hidden processes by comparing a process list obtained from a high level of the OS with one obtained from a low level. The low-level process list is obtained by scanning memory for process kernel objects in the Windows kernel, while the high-level list is obtained through the Windows APIs; a process that appears only in the low-level list has been concealed from the API layer. We implemented a Windows rootkit detection tool named VITAL that realizes the proposed method and ran experiments with several representative rootkits to verify its effectiveness.
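The comparison step of the cross-view method described above, as an added example that is not code from the paper or from the VITAL tool. Both views are constructed sample data: in a real detector the high-level list would come from a user-mode API such as the Toolhelp snapshot, and the low-level list from a kernel driver scanning memory for process objects. The example also handles the two false-positive sources a practitioner runs into: terminated process objects that still sit in kernel pool memory (modelled by a non-zero exit_time field, an assumption about what the scanner records), and processes that start or exit between the two snapshots, which are filtered out by intersecting the result of several rounds.

```python
"""Cross-view hidden-process detection on constructed sample views.

High-level view: PIDs reported by user-mode APIs (e.g. a process snapshot walk).
Low-level view: process objects recovered by scanning kernel memory. Getting that
list needs a driver; here both views are hard-coded samples (constructed data).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class LowLevelProc:
    """One process object found by the memory scan (constructed format)."""
    pid: int
    image: str
    exit_time: int  # 0 = still running; non-zero = terminated object not yet freed


def cross_view_diff(high_level: Iterable[int], low_level: Iterable[LowLevelProc]) -> Set[int]:
    """PIDs present in the kernel-object scan but absent from the API list.

    Terminated objects (exit_time != 0) are skipped: they are stale pool memory,
    not concealed processes, and would otherwise produce false positives.
    """
    visible = set(high_level)
    return {p.pid for p in low_level if p.exit_time == 0 and p.pid not in visible}


def detect_hidden(rounds: List[Tuple[Iterable[int], Iterable[LowLevelProc]]]) -> Set[int]:
    """Intersect the per-round differences.

    A process that starts or exits between the two snapshots of one round shows up
    in that round only; a rootkit-hidden process is missing from the API view in
    every round, so it survives the intersection.
    """
    result = None
    for high, low in rounds:
        diff = cross_view_diff(high, low)
        result = diff if result is None else result & diff
    return result or set()


def describe(hidden: Set[int], low_level: Iterable[LowLevelProc]) -> Dict[int, str]:
    """Map each hidden PID back to the image name seen in the low-level view."""
    return {p.pid: p.image for p in low_level if p.pid in hidden}


# Constructed sample rounds. PID 1337 is the concealed process; PID 2500 exited
# between the two snapshots of round 1; PID 3000 is a stale terminated object.
ROUND1_LOW = [
    LowLevelProc(4, "System", 0),
    LowLevelProc(372, "smss.exe", 0),
    LowLevelProc(1040, "explorer.exe", 0),
    LowLevelProc(2208, "notepad.exe", 0),
    LowLevelProc(1337, "svch0st.exe", 0),
    LowLevelProc(2500, "cmd.exe", 0),
    LowLevelProc(3000, "calc.exe", 132500000000000000),
]
ROUND1_HIGH = [4, 372, 1040, 2208]

ROUND2_LOW = [
    LowLevelProc(4, "System", 0),
    LowLevelProc(372, "smss.exe", 0),
    LowLevelProc(1040, "explorer.exe", 0),
    LowLevelProc(2208, "notepad.exe", 0),
    LowLevelProc(1337, "svch0st.exe", 0),
    LowLevelProc(2600, "cmd.exe", 0),
]
ROUND2_HIGH = [4, 372, 1040, 2208, 2600]

SAMPLE_ROUNDS = [(ROUND1_HIGH, ROUND1_LOW), (ROUND2_HIGH, ROUND2_LOW)]


if __name__ == "__main__":
    hidden = detect_hidden(SAMPLE_ROUNDS)
    for pid, image in sorted(describe(hidden, ROUND2_LOW).items()):
        print(f"hidden process: pid={pid} image={image}")
```

A single round already flags the concealed PID, but it also flags the transient cmd.exe; only the repeated comparison separates a genuine hiding rootkit from snapshot timing noise. The low-level view itself is only as good as the memory scanner: a rootkit that unlinks a process from the kernel's list but leaves the object in memory is caught, while one that also tampers with the object's signature fields the scanner keys on is not, so the scan heuristics are the part that needs the most care in a real tool.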

Key words: Rootkit, Rootkit detection, Hidden process
