Discovery of kernel rootkits with memory scan
3 Assignments
0 Petitions
Abstract
A system and method are provided for detecting kernel level rootkits including scanning a kernel memory using a kernel level detector. The kernel level detector includes kernel level code executing in kernel space. The kernel memory is compared to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.
42 Citations
30 Claims
1. A method of detecting kernel level rootkits, comprising:
   scanning a kernel memory using a kernel level detector, the kernel level detector including kernel level code executing in a kernel space; and
   comparing the kernel memory to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.
   (Dependent claims 2 to 10 are not shown on this page.)

11. A system for detecting kernel level rootkits, comprising:
   a rootkit signature file corresponding to a rootkit signature; and
   a kernel level detector operable to scan a kernel memory and compare the kernel memory to the rootkit signature file to determine if the rootkit signature is present in the kernel memory, the kernel level detector including kernel level code executing in a kernel space.
   (Dependent claims 12 to 20 are not shown on this page.)

21. A system for detecting kernel level rootkits, comprising:
   a processor operable to scan a kernel memory using a kernel level detector, the kernel level detector including kernel level code executing in a kernel space; and
   the processor further operable to compare the kernel memory to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.
   (Dependent claims 22 to 30 are not shown on this page.)
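As an added illustration (not code from the patent or its assignee), the following Python models the two claimed steps: read a rootkit signature file, then compare a kernel memory image against each signature and report where a signature is present. The signature-file format (one "name=hex pattern" line per signature, with "??" as a one-byte wildcard), the signature names and bytes, and the memory image are all constructed assumptions for this example; the claimed detector runs as kernel level code over live kernel memory, which this example replaces with a byte buffer so it can run anywhere.

```python
"""Signature-based scan of a memory image, modelled on the claims above.

Added example, not code from the patent. The signature-file format and
the memory image are constructed assumptions; a kernel level detector
would read live kernel memory from kernel space instead of a buffer.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed signature file: one "name=hex pattern" entry per line.
# '??' stands for a byte whose value is not part of the signature.
SIGNATURE_FILE = """
# name=pattern (hex bytes, ?? = any byte)
sys_call_hook=48 b8 ?? ?? ?? ?? ?? ?? ?? ?? ff e0
hidden_proc_marker=52 4b 49 54 00 ?? 01
"""


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern  # compiled byte regex built from the hex pattern


@dataclass(frozen=True)
class Match:
    name: str
    offset: int
    length: int


def parse_signature_file(text: str) -> List[Signature]:
    """Turn the text format above into compiled byte-regex signatures."""
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected name=pattern")
        name, hexpat = (s.strip() for s in line.split("=", 1))
        parts = []
        for tok in hexpat.split():
            if tok == "??":
                parts.append(b".")
            elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                parts.append(re.escape(bytes([int(tok, 16)])))
            else:
                raise ValueError(f"line {lineno}: bad byte token {tok!r}")
        if not parts:
            raise ValueError(f"line {lineno}: empty pattern for {name}")
        # DOTALL so '??' also matches 0x0a; no anchors, so a signature
        # may start at any offset, including the last one that fits.
        sigs.append(Signature(name, re.compile(b"".join(parts), re.DOTALL)))
    return sigs


def scan_memory(memory: bytes, sigs: List[Signature]) -> List[Match]:
    """Compare every signature against the whole image and report all
    hits, including overlapping ones, ordered by offset."""
    hits = []
    for sig in sigs:
        pos = 0
        while True:
            m = sig.pattern.search(memory, pos)
            if m is None:
                break
            hits.append(Match(sig.name, m.start(), m.end() - m.start()))
            pos = m.start() + 1   # step one byte so overlapping hits are found
    return sorted(hits, key=lambda h: (h.offset, h.name))


def build_sample_image() -> bytes:
    """Constructed stand-in for a kernel memory image: filler bytes with
    two planted patterns that the signatures above should find."""
    filler = bytes(range(256)) * 4                                  # 1024 bytes
    hook = bytes.fromhex("48b8") + b"\x00\x0a\x11\x22\x33\x44\x55\x66" + bytes.fromhex("ffe0")
    marker = b"RKIT\x00\x7f\x01"
    return filler[:300] + hook + filler[300:900] + marker + filler[900:]


def main() -> None:
    sigs = parse_signature_file(SIGNATURE_FILE)
    for hit in scan_memory(build_sample_image(), sigs):
        print(f"{hit.name} at offset 0x{hit.offset:x} ({hit.length} bytes)")


if __name__ == "__main__":
    main()
```

The scanner deliberately reports every occurrence rather than stopping at the first, and the wildcard bytes let one signature cover a code pattern whose embedded address differs from machine to machine; both choices are things a signature-based kernel scanner needs in practice, since a single hit only tells the analyst where to look next.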
Specification