TY - JOUR
T1 - OPKH
T2 - A lightweight online approach to protecting kernel hooks in kernel modules
AU - Donghai, Tian
AU - Xuanya, Li
AU - Changzhen, Hu
AU - Huaizhi, Yan
PY - 2013
Y1 - 2013
N2 - Kernel hooks are very important control data in the OS kernel. Once these data are compromised by attackers, they can change the control flow of the OS kernel's execution. Previous solutions suffer from limitations in that: 1) some methods require modifying the source code of the OS kernel and kernel modules, which is less practical for wide deployment; 2) other methods cannot adequately protect the kernel hooks and function return addresses inside kernel modules whose memory locations cannot be predetermined. To address these problems, we propose OPKH, an on-the-fly hook protection system based on virtualization technology. Compared with previous solutions, OPKH offers the protected OS a fully transparent environment and easy deployment. In general, the working procedure of OPKH can be divided into two steps. First, we utilise memory virtualization for offline profiling so that the dynamic hooks can be identified. Second, we exploit the online patching technique to instrument the hooks for runtime protection. The experiments show that our system can protect the dynamic hooks effectively with minimal performance overhead.
AB - Kernel hooks are very important control data in the OS kernel. Once these data are compromised by attackers, they can change the control flow of the OS kernel's execution. Previous solutions suffer from limitations in that: 1) some methods require modifying the source code of the OS kernel and kernel modules, which is less practical for wide deployment; 2) other methods cannot adequately protect the kernel hooks and function return addresses inside kernel modules whose memory locations cannot be predetermined. To address these problems, we propose OPKH, an on-the-fly hook protection system based on virtualization technology. Compared with previous solutions, OPKH offers the protected OS a fully transparent environment and easy deployment. In general, the working procedure of OPKH can be divided into two steps. First, we utilise memory virtualization for offline profiling so that the dynamic hooks can be identified. Second, we exploit the online patching technique to instrument the hooks for runtime protection. The experiments show that our system can protect the dynamic hooks effectively with minimal performance overhead.
KW - kernel hook
KW - online patching
KW - virtualization technology
UR - http://www.scopus.com/inward/record.url?scp=84890079617&partnerID=8YFLogxK
U2 - 10.1109/CC.2013.6674206
DO - 10.1109/CC.2013.6674206
M3 - Article
AN - SCOPUS:84890079617
SN - 1673-5447
VL - 10
SP - 15
EP - 23
JO - China Communications
JF - China Communications
IS - 11
M1 - 6674206
ER -