The KOP Project

The KOP (Kernel Object Pinpointer) project comprises a series of efforts to develop technologies and tools for precisely identifying the types and relations of dynamic data in native programs, and for leveraging that rich type information for better memory analysis and debugging.  KOP currently serves as the backend kernel rootkit analysis tool for Microsoft Forefront.

KOP

KOP was the first system developed in the KOP project.  KOP addresses the key challenge in mapping kernel objects in a memory snapshot, namely traversing generic pointers (e.g., void *), by performing a precise pointer analysis to identify the candidate target types for such pointers.  KOP also resolves type ambiguities caused by unions or by generic pointers with multiple candidate types.  Given a kernel memory snapshot, KOP was able to accurately map 99% of kernel dynamic data.  You can find our ACM CCS'09 paper here.
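The following is an added, simplified illustration of the mapping problem described above; it is example code written for this page, not KOP's implementation and not code from the paper. It assumes hypothetical 32-bit type layouts (Process, Thread, Token), a constructed flat memory image in place of a real kernel snapshot, and that the candidate types for the generic `ctx` field have already been supplied by a prior pointer analysis. A candidate is accepted only if the object fits in the image, is word aligned, has sane typed pointer fields, and satisfies an assumed per-type invariant (a magic value for Token). Where more than one candidate survives, the example records the ambiguity rather than resolving it, which is the part KOP goes further on.

```python
import struct

BASE = 0x80000000          # assumed base address of the constructed snapshot
WORD = 4                   # 32-bit words, little-endian

# Hypothetical type layouts (not real Windows kernel types). Each field is
# (name, kind): "u32", ("ptr", T) for a typed pointer to T, or
# ("gptr", [T1, T2, ...]) for a generic pointer whose candidate target types
# are assumed to come from a prior pointer analysis.
TYPES = {
    "Process": [("pid", "u32"), ("next", ("ptr", "Process")),
                ("ctx", ("gptr", ["Thread", "Token"])), ("flags", "u32")],
    "Thread":  [("tid", "u32"), ("owner", ("ptr", "Process")),
                ("state", "u32"), ("pad", "u32")],
    "Token":   [("magic", "u32"), ("privs", "u32"), ("pad0", "u32"), ("pad1", "u32")],
}
TOKEN_MAGIC = 0x544F4B4E   # assumed invariant: every Token starts with "TOKN"


def sizeof(t):
    return WORD * len(TYPES[t])


class Snapshot:
    """A constructed flat memory image standing in for a kernel snapshot."""

    def __init__(self, image, base=BASE):
        self.image, self.base = image, base

    def contains(self, addr, size):
        return self.base <= addr and addr + size <= self.base + len(self.image)

    def read_obj(self, addr, t):
        words = struct.unpack_from("<%dI" % len(TYPES[t]), self.image, addr - self.base)
        return dict(zip((f for f, _ in TYPES[t]), words))


def plausible(snap, addr, t):
    """Candidate-type check: the object must fit in the image, be word aligned,
    have typed pointer fields that are NULL or point at an in-image aligned
    object, and satisfy the type's invariant (here only Token's magic)."""
    if addr % WORD or not snap.contains(addr, sizeof(t)):
        return False
    obj = snap.read_obj(addr, t)
    for name, kind in TYPES[t]:
        if isinstance(kind, tuple) and kind[0] == "ptr":
            p = obj[name]
            if p and (p % WORD or not snap.contains(p, sizeof(kind[1]))):
                return False
    if t == "Token" and obj["magic"] != TOKEN_MAGIC:
        return False
    return True


def map_objects(snap, root_addr, root_type):
    """Walk the object graph from a typed root. Returns {addr: type} for every
    object reached and a list of (addr, field, surviving_candidates) for generic
    pointers that could not be resolved to exactly one type."""
    typed, ambiguous = {}, []
    work = [(root_addr, root_type)]
    while work:
        addr, t = work.pop()
        if addr in typed or not plausible(snap, addr, t):
            continue
        typed[addr] = t
        obj = snap.read_obj(addr, t)
        for name, kind in TYPES[t]:
            if not isinstance(kind, tuple) or obj[name] == 0:
                continue                      # scalar field or NULL pointer
            target = obj[name]
            if kind[0] == "ptr":
                work.append((target, kind[1]))
            else:                             # generic pointer: test each candidate
                hits = [c for c in kind[1] if plausible(snap, target, c)]
                if len(hits) == 1:
                    work.append((target, hits[0]))
                else:
                    ambiguous.append((target, name, hits))
    return typed, ambiguous


def build_snapshot():
    """Constructed sample image: three Processes, one Thread, one Token, and one
    object that looks like both a Thread and a Token."""
    A, B, C, T, K, X = (BASE + o for o in (0x00, 0x10, 0x40, 0x20, 0x30, 0x50))
    img = bytearray(0x60)
    struct.pack_into("<4I", img, 0x00, 4, B, T, 0)              # Process A, ctx -> Thread
    struct.pack_into("<4I", img, 0x10, 8, C, K, 0)              # Process B, ctx -> Token
    struct.pack_into("<4I", img, 0x40, 12, 0, X, 0)             # Process C, ctx -> ambiguous
    struct.pack_into("<4I", img, 0x20, 0x1001, A, 1, 0)         # Thread owned by A
    struct.pack_into("<4I", img, 0x30, TOKEN_MAGIC, 0x20, 0, 0)  # Token
    struct.pack_into("<4I", img, 0x50, TOKEN_MAGIC, 0, 0, 0)    # magic ok and owner NULL
    return Snapshot(bytes(img))


if __name__ == "__main__":
    typed, ambiguous = map_objects(build_snapshot(), BASE, "Process")
    for addr, t in sorted(typed.items()):
        print("%#x %s" % (addr, t))
    for addr, field, hits in ambiguous:
        print("unresolved %#x via %s: candidates %s" % (addr, field, hits))
```

Running it maps the two well-formed `ctx` targets to Thread and Token respectively (the Token candidate fails at the Thread because its `owner` word is not a valid pointer, and the Thread candidate fails at the Token because its magic does not match) and reports the third target as ambiguous because both candidates survive every check the example has. That last case is exactly where a real tool needs stronger constraints than per-type magic values.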

Publications

Tech Transfers

KOP is deployed in Fesmon, the backend malware analysis platform for products such as Microsoft Security Essentials and Forefront.  KOP replaces the previous technology with a superset of features, monitoring and derived data points (Microsoft-internal wiki page).  KOP is the only kernel rootkit analysis tool used by Fesmon.  Fesmon is a Microsoft-internal product designed, developed and maintained by MMPC.  We are currently porting KOP to the core malware scanning engine in Forefront.