As protection mechanisms become increasingly advanced, so too does the malware that seeks to circumvent them. Protection mechanisms such as secure boot, stack protection, heap protection, W⊕X, and address space layout randomization have raised the bar for system security. In turn, attack mechanisms have become increasingly sophisticated. Starting with simple instruction pointer manipulation aimed at executing shellcode on the stack, we are now seeing sophisticated attacks that combine complex heap exploitation with techniques such as return-oriented programming (ROP). ROP belongs to a family of exploitation techniques called data-only exploitation. This class of exploitation, and the malware that is built around it, makes use solely of data to manipulate the control flow of software without introducing any code. This advanced form of exploitation circumvents many of the modern protection mechanisms presented above; however, until now it has had one limitation. Because it introduces no code, persistence is very difficult to achieve. Placing a function hook is straightforward, but where should this hook point to if the malware introduces no code? Many challenges must first be overcome if one wishes to answer this question. In this paper, we present the first persistent data-only malware proof of concept in the form of a persistent rootkit. We also present several methods by which one can achieve persistence beyond our proof of concept.

Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.