The KOP (Kernel Object Pinpointer) project includes a series of efforts for developing a set of technologies and tools for precisely identifying types and relations of dynamic data in native programs and leveraging the rich type information for better memory analysis and debugging. KOP is currently serving as the backend kernel rootkit analysis tool for Microsoft Forefront.
- Microsoft-Internal Project Page (more information for ongoing projects)
- KOP: Mapping Kernel Objects to Enable Systematic Integrity Checking
- Tech Transfers
KOP was the first system developed in the KOP project. KOP addressed the key challenge in mapping kernel objects in a memory snapshot, namely traversing generic pointers (e.g., void *), by performing a precise pointer analysis to identify candidate types for such pointers. KOP also resolves type ambiguities caused by unions or generic pointers with multiple candidate types. Given a kernel memory snapshot, KOP was able to accurately map 99% of kernel dynamic data. You can find our ACM CCS'09 paper here.
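To make the idea concrete, the following added Python example (written for this page, not KOP's own code) walks a constructed 48-byte "snapshot" from a root object, and when it meets a void * field it picks among the field's candidate types by a plausibility check on each candidate's layout (the object must fit in the snapshot and its pointer fields must be null or lead to plausible objects). The type layouts, object names, and memory contents are all invented for the illustration; KOP's real pointer analysis and constraints are more elaborate than this check.

```python
import struct

BASE, WORD = 0x1000, 4

# Constructed type layouts (not KOP's real ones): field -> (offset, type); a tuple
# of type names marks a generic (void *) field with its candidate types.
TYPES = {
    "PROCESS": {"pid": (0, "int"), "next": (4, "PROCESS"), "ctx": (8, ("FILE", "SOCKET"))},
    "FILE":    {"magic": (0, "int"), "owner": (4, "PROCESS")},
    "SOCKET":  {"port": (0, "int"), "buf": (4, "BUFFER"), "peer": (8, "SOCKET")},
    "BUFFER":  {"len": (0, "int")},
}
SIZES = {"PROCESS": 12, "FILE": 8, "SOCKET": 12, "BUFFER": 4}

# Constructed 48-byte snapshot: two PROCESS objects whose void * ctx fields lead to
# a FILE (0x1018) and a SOCKET (0x1020); the SOCKET's buf points at a BUFFER.
SNAPSHOT = struct.pack("<12I",
    1, 0x100C, 0x1018,   # PROCESS @0x1000
    2, 0, 0x1020,        # PROCESS @0x100C
    0x4C49, 0x1000,      # FILE    @0x1018
    80, 0x102C, 0,       # SOCKET  @0x1020
    512)                 # BUFFER  @0x102C

def read_word(addr):
    return struct.unpack_from("<I", SNAPSHOT, addr - BASE)[0]

def fits(addr, tname):  # aligned and entirely inside the snapshot
    return addr % WORD == 0 and BASE <= addr and addr + SIZES[tname] <= BASE + len(SNAPSHOT)

def pointer_fields(addr, tname):  # yields (value, candidate types) for non-null pointers
    for off, ftype in TYPES[tname].values():
        val = read_word(addr + off) if ftype != "int" else 0
        if val:
            yield val, (ftype if isinstance(ftype, tuple) else (ftype,))

def plausible(addr, tname, depth):
    """Candidate check: object fits, and its pointers are null or reach plausible objects."""
    if not fits(addr, tname):
        return False
    return depth == 0 or all(any(plausible(v, c, depth - 1) for c in cands)
                             for v, cands in pointer_fields(addr, tname))

def resolve(addr, cands, depth=3):
    """Unique candidate type passing the check, or None if ambiguous or none pass."""
    hits = [c for c in cands if plausible(addr, c, depth)]
    return hits[0] if len(hits) == 1 else None

def map_objects(root_addr, root_type):
    """Traverse from a root object, returning {addr: type} for every object reached."""
    mapped, work = {}, [(root_addr, root_type)]
    while work:
        addr, tname = work.pop()
        if addr in mapped:
            continue
        mapped[addr] = tname
        for val, cands in pointer_fields(addr, tname):
            target = cands[0] if len(cands) == 1 else resolve(val, cands)
            if target:
                work.append((val, target))
    return mapped
```

Here the FILE candidate at 0x1018 is rejected as a SOCKET because its would-be peer field holds a non-address, while the object at 0x1020 is rejected as a FILE because the resulting owner pointer would run past the end of the snapshot.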
- Weidong Cui, Marcus Peinado, Zhilei Xu, and Ellick Chan, Tracking Rootkit Footprints with a Practical Memory Analysis System, in Proceedings of the 21st USENIX Security Symposium, USENIX, August 2012
- Martim Carbone, Weidong Cui, Long Lu, Wenke Lee, Marcus Peinado, and Xuxian Jiang, Mapping Kernel Objects to Enable Systematic Integrity Checking, in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), Association for Computing Machinery, Inc., 9 November 2009
KOP is deployed to Fesmon, the backend malware analysis platform for products such as Microsoft Security Essentials and Forefront. KOP replaces the previous technology with a superset of features, monitoring and derived datapoints (Microsoft-internal wiki page). KOP is the only kernel rootkit analysis tool used by Fesmon. Fesmon is a Microsoft internal product developed, designed and maintained by MMPC. Currently we are in the middle of porting KOP to the core malware scanning engine in Forefront.