
Paper Abstract

Title (Chinese): 一种采用硬件虚拟化的内核数据主动保护方法 (An Active Protection Method for Kernel Data Using Hardware Virtualization)

Title (English): An Active Protection of Kernel Data Using Hardware-assisted Virtualization

Authors: Fu Jianming (傅建明) (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University; School of Computer, Wuhan University; State Key Laboratory of Software Engineering, Wuhan University); Sha Letian (沙乐天) (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University; School of Computer, Wuhan University); Li Pengwei (李鹏伟) (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University; School of Computer, Wuhan University); Peng Guojun (彭国军) (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University; School of Computer, Wuhan University)

Received: 2013-06-19          Year, volume(issue): pages: 2014, 46(1): 8-13

Journal name: Advanced Engineering Sciences (工程科学与技术)

Key words: hardware virtualization; kernel data integrity; rootkit detection

Funding: National Natural Science Foundation of China (61202387; 90718005); Specialized Research Fund for the Doctoral Program of Higher Education (20120141110002)

Abstract (translated from the Chinese)

To protect the integrity of the operating system kernel, a protection scheme based on hardware virtualization is proposed. The method identifies the key points targeted by malicious code, such as critical registers, code pointer tables and function code, and places them in a protection region; the automatic trapping mechanism of hardware virtualization is then used to detect illegal tampering with that region. At the same time, single-step execution and event forwarding are used to keep the rest of the OS's operations compatible. In addition, protection pages are merged to shorten the protection region and improve the efficiency of exception handling. Finally, a prototype tool using this technique, HV_KDAP, was implemented; it detected 9 mainstream rootkit samples, and experiments showed an added overhead of 12.7%. The tool can also suppress kernel local privilege escalation attacks and be used for forensics of kernel attacks.

Abstract (English)

In order to protect the integrity of operating system kernel files, a method of active protection of kernel data was proposed based on hardware-assisted virtualization. The method recognizes the key points of some registers, code pointers, and function codes, which are often attacked by malicious codes, and maps these points into a protection table; it can then prevent kernel modification through the R/W bit of the PTE. At the same time, single-step execution is used to legally write data in protected points, and event injection keeps the compatibility of the operating system. In addition, contiguous pages in the protection table are merged to reduce the size of the protection table and improve efficiency. Finally, based on this method, a prototype system called HV_KDAP was designed and implemented. HV_KDAP can detect 9 kinds of rootkits, which cover popular rootkit techniques, and its overhead is about 12.7%. Moreover, HV_KDAP can also detect local privilege escalation exploitation and be applied to kernel forensics.
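The two abstracts above describe one mechanism: protected points are mapped into a protection table, the pages they occupy are made read-only by clearing the R/W bit of their PTE so that every write traps to the hypervisor, contiguous protected pages are merged into ranges, and writes that trap but do not touch a protected point are completed by single-stepping. The following Python model, added here as an illustration and not taken from HV_KDAP or the paper, simulates that decision logic on constructed addresses (the IDT, SSDT and function-code locations below are invented placeholders, not real kernel addresses):

```python
"""Toy model of page-granular kernel data protection (constructed example).

Assumptions (not from the paper): protected points are recorded as
(name, start, length); the hypervisor keeps a simulated PTE R/W bit per
page; a write to a page whose R/W bit is clear "traps" to the monitor.
"""
from dataclasses import dataclass

PAGE_SIZE = 0x1000
PAGE_MASK = ~(PAGE_SIZE - 1)


@dataclass(frozen=True)
class ProtectedPoint:
    name: str
    start: int
    length: int

    @property
    def end(self) -> int:
        return self.start + self.length


def pages_covering(start: int, length: int) -> list:
    """All page base addresses touched by the byte range [start, start+length)."""
    first = start & PAGE_MASK
    last = (start + length - 1) & PAGE_MASK
    return list(range(first, last + PAGE_SIZE, PAGE_SIZE))


def merge_pages(pages) -> list:
    """Collapse page bases into [start, end) ranges of contiguous pages.
    This is the 'merging of protection pages' that shortens the table."""
    ranges = []
    for p in sorted(set(pages)):
        if ranges and ranges[-1][1] == p:      # adjacent to previous range
            ranges[-1][1] = p + PAGE_SIZE
        else:
            ranges.append([p, p + PAGE_SIZE])
    return [tuple(r) for r in ranges]


class ProtectionTable:
    def __init__(self):
        self.points = []     # sub-page protected points
        self.ranges = []     # merged page ranges derived from the points

    def add(self, point: ProtectedPoint) -> None:
        self.points.append(point)
        pages = [p for s, e in self.ranges for p in range(s, e, PAGE_SIZE)]
        pages += pages_covering(point.start, point.length)
        self.ranges = merge_pages(pages)

    def page_protected(self, page: int) -> bool:
        return any(s <= page < e for s, e in self.ranges)

    def point_hit(self, addr: int, size: int):
        """Return the protected point overlapped by [addr, addr+size), if any."""
        for pt in self.points:
            if addr < pt.end and pt.start < addr + size:
                return pt
        return None


class Monitor:
    """Simulated hypervisor side: PTE R/W bits plus the write-trap handler."""

    def __init__(self, table: ProtectionTable):
        self.table = table
        self.rw_override = {}   # page -> R/W bit while single-stepping
        self.log = []

    def pte_rw(self, page: int) -> int:
        if page in self.rw_override:
            return self.rw_override[page]
        return 0 if self.table.page_protected(page) else 1

    def guest_write(self, addr: int, size: int, rip: int) -> str:
        page = addr & PAGE_MASK
        if self.pte_rw(page):
            return "written"                 # unprotected page: no trap at all
        pt = self.table.point_hit(addr, size)
        if pt is not None:                   # tampering with a protected point
            self.log.append(f"blocked write to {pt.name} at {addr:#x} from rip {rip:#x}")
            return "blocked"
        # Same page but outside every protected point: set R/W, let the one
        # instruction execute (single step), then clear R/W again.
        self.rw_override[page] = 1
        self.log.append(f"single-stepped benign write at {addr:#x} from rip {rip:#x}")
        self.rw_override[page] = 0
        return "single-stepped"


def build_demo():
    """Constructed table: two adjacent pages (merged) plus one distant page."""
    table = ProtectionTable()
    table.add(ProtectedPoint("IDT", 0x80400000, 0x800))          # page 0x80400000
    table.add(ProtectedPoint("SSDT", 0x80401000, 0x400))         # page 0x80401000
    table.add(ProtectedPoint("func_code", 0x80500100, 0x200))    # page 0x80500000
    return table, Monitor(table)
```

Running `build_demo()` yields a table with three protected pages but only two merged ranges; a write into the IDT slot is blocked and logged, a write elsewhere in the SSDT's page is single-stepped and the page returns to read-only, and a write to an unprotected page never traps.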


Copyright © 2020 Sichuan University Journal Press. All rights reserved.
