Proceedings Paper

Kernel Malware Core Implementation: A Survey

Publisher

IEEE
DOI: 10.1109/CyberC.2015.26

Keywords

kernel malware; working model; implementation technology; detection


Kernel malware resides in, and performs its malicious functions from, the operating system kernel space. Because it runs with the highest privilege, it is harder to detect and remove than malware implemented in user space, and it is more flexible than firmware-based malware. Kernel malware is therefore one of the most challenging threats in information security. This paper analyzes the general working model of kernel malware and its attack vectors, and investigates its core implementation technologies, focusing on hook-, patch- and debug-based control-flow hijacking and on Direct Kernel Object Manipulation (DKOM). The implementation details of these core technologies are then analyzed by studying several typical examples of Linux kernel malware. Finally, we summarize the detection methods for kernel malware, point out their main defects, and discuss new directions for malware detection.
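The abstract names DKOM and the weakness of the detectors it defeats without showing the mechanism. The following user-space model, added here as an illustration and not taken from the paper or from any real rootkit, simulates the classic DKOM process-hiding trick: a task is unlinked from the kernel's "all tasks" doubly linked list while a second kernel view (modelled here as a pid table, standing in for structures such as the pid hash or scheduler run queues) still references it. A tool that only walks the list no longer sees the task; a cross-view check, which compares two independent views of the same objects, exposes it. The list layout, the pid table and the sample tasks are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a kernel task list; not the Linux task_struct layout. */
#define MAX_TASKS 8

struct task {
    int pid;
    char comm[16];
    struct task *prev, *next;      /* doubly linked "all tasks" list */
};

static struct task pool[MAX_TASKS];
static struct task head;                     /* list sentinel, like init_task's list head */
static struct task *pid_table[MAX_TASKS];    /* second view; DKOM below never touches it */

static void reset_model(void) {
    memset(pool, 0, sizeof pool);
    memset(pid_table, 0, sizeof pid_table);
    head.pid = -1;
    head.prev = head.next = &head;
}

static struct task *add_task(int pid, const char *comm) {
    for (int i = 0; i < MAX_TASKS; i++) {
        if (pid_table[i] != NULL) continue;
        struct task *t = &pool[i];
        t->pid = pid;
        strncpy(t->comm, comm, sizeof t->comm - 1);
        t->comm[sizeof t->comm - 1] = '\0';
        t->prev = head.prev;                 /* link at the tail of the list */
        t->next = &head;
        head.prev->next = t;
        head.prev = t;
        pid_table[i] = t;                    /* register in the second view as well */
        return t;
    }
    return NULL;
}

/* The DKOM step: unlink the task from the list only. The task object itself
 * is untouched and stays reachable through pid_table. Returns 1 if hidden. */
static int dkom_hide(int pid) {
    for (struct task *t = head.next; t != &head; t = t->next) {
        if (t->pid != pid) continue;
        t->prev->next = t->next;
        t->next->prev = t->prev;
        t->next = t->prev = t;               /* self-link so a later unlink cannot corrupt the list */
        return 1;
    }
    return 0;
}

/* What a detector that only walks the task list reports. */
static int list_view_count(void) {
    int n = 0;
    for (struct task *t = head.next; t != &head; t = t->next) n++;
    return n;
}

/* Cross-view detection: every object reachable via pid_table must also be on the
 * list. Writes the pids that fail this check into hidden[]; returns how many. */
static int cross_view_hidden(int *hidden, int max) {
    int found = 0;
    for (int i = 0; i < MAX_TASKS && found < max; i++) {
        struct task *cand = pid_table[i];
        if (cand == NULL) continue;
        int on_list = 0;
        for (struct task *t = head.next; t != &head; t = t->next)
            if (t == cand) { on_list = 1; break; }
        if (!on_list) hidden[found++] = cand->pid;
    }
    return found;
}

/* Scenario: three constructed tasks, one hidden by DKOM. Returns the pid the
 * cross-view check recovers, or -1 if it finds nothing. */
static int demo_hidden_pid(void) {
    int hidden[MAX_TASKS];
    reset_model();
    add_task(1, "init");
    add_task(42, "sshd");
    add_task(1337, "hidden-svc");
    dkom_hide(1337);
    return cross_view_hidden(hidden, MAX_TASKS) == 1 ? hidden[0] : -1;
}

int main(void) {
    int pid = demo_hidden_pid();
    printf("list view sees %d task(s); cross-view check recovered pid %d\n",
           list_view_count(), pid);
    return 0;
}
```

The point the model makes is the one the abstract's last sentence alludes to: a detector that trusts a single kernel data structure inherits that structure's blind spot, so DKOM-aware detection needs either an independent view of the same objects or an out-of-kernel vantage point (for example memory introspection from a hypervisor).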

