DETECTING USER-MODE ROOTKITS

US 20110099632A1
Filed: 01/03/2011
Published: 04/28/2011
Est. Priority Date: 07/15/2005
Status: Active Grant

First Claim

Patent Images

1-20. -20. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.

44 Citations

View as Search Results

40 Claims

1-20. -20. (canceled)

21. A method in a computer system with a processor and a memory for determining whether a process being hidden is a root process of malware, a root process being a process of the malware whose access to system resources is not filtered by the malware, the method comprising:
- determining whether a process is hidden;
  
  injecting code into code of the hidden process, the injected code for determining whether a resource is hidden from the hidden process;
  
  after injecting the code,launching execution of the hidden process; and
  
  during execution of the injected code within the hidden process, determining whether a resource is hidden from the hidden process; and
  
  upon determining that no resource is hidden from the hidden process, indicating that the hidden process is a root process.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The method of claim 21 wherein the injected code generates a lie list and a truth list of resources and determines that no resource is hidden when the generated lie list and truth list are the same.
  - 23. The method of claim 22 wherein the resources are processes.
  - 24. The method of claim 22 wherein the resources are registry entries.
  - 25. The method of claim 22 wherein the lie list is generated by invoking a high-level function of an operating system and the truth list is generated by invoking a low-level function of the operating system.
  - 26. The method of claim 21 including upon determining that a resource is hidden from the hidden process, indicating that the hidden process is not a root process.
  - 27. The method of claim 21 wherein the determining of whether a process is hidden includes generating a lie list of processes by invoking a high-level operating system function, generating a truth list of processes by invoking a low-level operating system function, and identifying process as being hidden when the process is in the truth list but not in the lie list.
  - 28. The method of claim 21 wherein a hidden process has an associated executable file with a name and after indicating that the hidden process is a root process, renaming another executable file to have the same name as the executable file associated with the hidden process so that malware will not hide resources from a process associated with the renamed executable code.

29. A computer-readable storage device containing computer-executable instructions for controlling a computing device to identify a root process of malware by a method comprising:
- determining whether a process is hidden;
  
  after determining that a process is hidden,injecting code into code of the hidden process, the injected code for determining whether a resource is hidden from the hidden process;
  
  launching execution of the hidden process with the injected code; and
  
  during execution of the inject code of the hidden process, determining whether a resource is hidden from the hidden process; and
  
  after determining that no resource is hidden from the hidden process, indicating that the hidden process is a root process.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The computer-readable storage device of claim 29 wherein the injected code generates a lie list and a truth list of resources and determines that no resource is hidden when the generated lie list and truth list are the same.
  - 31. The computer-readable storage device of claim 30 wherein the lie list is generated by invoking a high-level function of an operating system and the truth list is generated by invoking a low-level function of the operating system.
  - 32. The computer-readable storage device of claim 29 including after determining that a resource is hidden from the hidden process, indicating that the hidden process is not a root process.
  - 33. The computer-readable storage device of claim 29 where the determining of whether a process is hidden includes generating a lie list of processes by invoking a high-level operating system function, generating a truth list of processes by invoking a low-level operating system function, and identifying process as being hidden when the process is in the truth list but not in the lie list.
  - 34. The computer-readable storage device of claim 29 wherein a hidden process has an associated executable file with a name and after indicating that the hidden process is a root process, renaming another executable file to have the same name as the executable file associated with the hidden process so that malware will not hide resources from a process associated with the renamed executable code.

35. A computing device for identifying a root process of malware comprising:
- a memory storing an identification of a hidden process and storing computer-executable instructions ofa component that injects code into code of the hidden process;
  
  a component that launches execution of the hidden process with the injected code; and
  
  a component that, during execution of the inject code of the hidden process, determining whether a resource is hidden from the hidden process; and
  
  a component that, after determining that no resource is hidden from the hidden process, indicating that the hidden process is a root process; and
  
  a processor for executing the computer-executable instructions stored in the memory.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The computing device of claim 35 wherein the injected code generates a lie list and a truth list of resources and determines that no resource is hidden when the generated lie list and truth list are the same.
  - 37. The computing device of claim 36 wherein the lie list is generated by invoking a high-level function of an operating system and the truth list is generated by invoking a low-level function of the operating system.
  - 38. The computing device of claim 35 including a component that, after determining that a resource is hidden from the hidden process, indicates that the hidden process is not a root process.
  - 39. The computing device of claim 35 wherein including a component that determines whether a process is hidden by generating a lie list of processes by invoking a high-level operating system function, generates a truth list of processes by invoking a low-level operating system function, and identifies a process as being hidden when the process is in the truth list but not in the lie list.
  - 40. The computing device of claim 35 wherein a hidden process has an associated executable file with a name and a component that, after indicating that the hidden process is a root process, renames another executable file to have the same name as the executable file associated with the hidden process so that malware will not hide resources from a process associated with the renamed executable code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Beck, Douglas Reed, Wang, Yi-Min

Granted Patent

US 8,661,541 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/145   the attack involving the pr...

DETECTING USER-MODE ROOTKITS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING USER-MODE ROOTKITS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links