Method and apparatus to detect kernel mode rootkit events through virtualization traps
Abstract
Detecting a rootkit in a computing system may be achieved by detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and analyzing the virtualization trap to detect the presence of the rootkit in the computing system. Action may then be taken to block the rootkit activity to safeguard the computing system.
113 Citations
30 Claims

1. A method comprising:
- detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and
- analyzing the virtualization trap to detect the presence of the rootkit in the computing system.
(Dependent claims 2-11)

12. An article comprising:
- a tangible machine accessible medium containing instructions, which when executed by a processor, result in detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and analyzing the virtualization trap to detect the presence of the rootkit in the computing system.
(Dependent claims 13-22)

23. A computing system comprising:
- a virtual machine monitor adapted to detect a virtualization trap occurring as a result of an action by a rootkit, to receive a registration for notification of occurrence of selected virtualization traps, and to send information relating to the virtualization trap when the virtualization trap matches the registration; and
- an anti-rootkit security monitor adapted to register to be notified of the occurrence of selected virtualization traps, to receive the trap information, and to analyze the trap information to detect the presence of the rootkit in the computing system.
(Dependent claims 24-30)
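The following is an added illustration of the architecture in claim 23, written for this page and not code from the patent: a virtual machine monitor accepts registrations for selected trap kinds, forwards matching trap information to an anti-rootkit monitor, and the monitor applies analysis rules to that information. The trap kinds ("cr_write", "msr_write", "idt_write"), the `TrapInfo` field names, the baseline syscall-entry value, and the two detection rules (CR0.WP being cleared; the IA32_LSTAR MSR moving away from its recorded baseline) are assumptions chosen for the example; the bit positions and MSR number themselves are the real x86 ones.

```python
"""Simulation of VMM trap registration, forwarding and analysis (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Iterable

CR0_WP_BIT = 1 << 16        # CR0.WP (bit 16): supervisor write-protect enforcement
CR0_PG_BIT = 1 << 31        # CR0.PG (bit 31): paging enabled
IA32_LSTAR = 0xC0000082     # MSR selecting the 64-bit SYSCALL entry point


@dataclass(frozen=True)
class TrapInfo:
    """Information the VMM sends about one virtualization trap (field names assumed)."""
    kind: str        # constructed trap classes: "cr_write", "msr_write", "idt_write"
    target: str      # register or MSR name, e.g. "CR0" or "IA32_LSTAR"
    old_value: int
    new_value: int
    guest_rip: int   # guest instruction pointer at the time of the trap


class VirtualMachineMonitor:
    """Receives registrations and forwards only the trap kinds each subscriber asked for."""

    def __init__(self) -> None:
        self._subscribers: list[tuple[frozenset[str], Callable[[TrapInfo], None]]] = []
        self.dropped = 0   # traps that no subscriber registered for

    def register(self, kinds: Iterable[str], handler: Callable[[TrapInfo], None]) -> None:
        self._subscribers.append((frozenset(kinds), handler))

    def on_trap(self, trap: TrapInfo) -> None:
        """Entry point the (simulated) hardware calls when the guest causes a VM exit."""
        delivered = False
        for kinds, handler in self._subscribers:
            if trap.kind in kinds:
                handler(trap)
                delivered = True
        if not delivered:
            self.dropped += 1


class AntiRootkitMonitor:
    """Registers for selected traps and applies detection rules to the trap information."""

    def __init__(self, vmm: VirtualMachineMonitor, expected_lstar: int) -> None:
        self.expected_lstar = expected_lstar   # baseline recorded at guest boot (constructed)
        self.alerts: list[str] = []
        vmm.register({"cr_write", "msr_write"}, self.analyze)

    def analyze(self, trap: TrapInfo) -> None:
        # Rule 1 (assumed): clearing CR0.WP lets supervisor code write to read-only pages.
        if trap.kind == "cr_write" and trap.target == "CR0":
            if (trap.old_value & CR0_WP_BIT) and not (trap.new_value & CR0_WP_BIT):
                self.alerts.append(f"CR0.WP cleared at rip={trap.guest_rip:#x}")
        # Rule 2 (assumed): the syscall entry point moved away from the recorded baseline.
        elif trap.kind == "msr_write" and trap.target == "IA32_LSTAR":
            if trap.new_value != self.expected_lstar:
                self.alerts.append(
                    f"IA32_LSTAR redirected {trap.old_value:#x} -> {trap.new_value:#x} "
                    f"at rip={trap.guest_rip:#x}")


def run_simulation() -> tuple[list[str], int]:
    """Feed a constructed trap sequence through the VMM; return (alerts, dropped count)."""
    baseline_lstar = 0xFFFFFFFF81000000   # constructed baseline value
    vmm = VirtualMachineMonitor()
    monitor = AntiRootkitMonitor(vmm, baseline_lstar)

    cr0_on = CR0_PG_BIT | CR0_WP_BIT | 0x1   # PG, WP and PE set
    traps = [
        # benign: sets CR0.NE, WP stays set
        TrapInfo("cr_write", "CR0", cr0_on, cr0_on | (1 << 5), 0xFFFFFFFF81001000),
        # benign: rewrites the same LSTAR value
        TrapInfo("msr_write", "IA32_LSTAR", baseline_lstar, baseline_lstar, 0xFFFFFFFF81002000),
        # not registered for by the monitor: the VMM drops it
        TrapInfo("idt_write", "IDTR", 0, 0, 0xFFFFFFFF81003000),
        # suspicious: WP cleared from code outside the kernel image range
        TrapInfo("cr_write", "CR0", cr0_on, cr0_on & ~CR0_WP_BIT, 0xFFFFFFFFC0001000),
        # suspicious: syscall entry redirected
        TrapInfo("msr_write", "IA32_LSTAR", baseline_lstar, 0xFFFFFFFFC0002000, 0xFFFFFFFFC0001020),
    ]
    for trap in traps:
        vmm.on_trap(trap)
    return monitor.alerts, vmm.dropped


if __name__ == "__main__":
    found, dropped = run_simulation()
    print(f"{len(found)} alert(s), {dropped} unregistered trap(s) dropped")
    for line in found:
        print(" -", line)
```

The registration step is what keeps the monitor selective: the VMM only sends trap information whose kind matches a registration, so traps nobody asked for (the `idt_write` here) cost nothing beyond the exit itself, and the analysis rules see only the events they were written for.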
Specification