DETECTING USER-MODE ROOTKITS
Abstract
A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.
Claims
1-20. (canceled)
21. A method in a computer system with a processor and a memory for determining whether a process being hidden is a root process of malware, a root process being a process of the malware whose access to system resources is not filtered by the malware, the method comprising:
determining whether a process is hidden;
injecting code into code of the hidden process, the injected code for determining whether a resource is hidden from the hidden process;
after injecting the code, launching execution of the hidden process;
during execution of the injected code within the hidden process, determining whether a resource is hidden from the hidden process; and
upon determining that no resource is hidden from the hidden process, indicating that the hidden process is a root process.
Dependent claims: 22, 23, 24, 25, 26, 27, 28.
29. A computer-readable storage device containing computer-executable instructions for controlling a computing device to identify a root process of malware by a method comprising:
determining whether a process is hidden;
after determining that a process is hidden, injecting code into code of the hidden process, the injected code for determining whether a resource is hidden from the hidden process;
launching execution of the hidden process with the injected code;
during execution of the injected code of the hidden process, determining whether a resource is hidden from the hidden process; and
after determining that no resource is hidden from the hidden process, indicating that the hidden process is a root process.
Dependent claims: 30, 31, 32, 33, 34.
35. A computing device for identifying a root process of malware comprising:
a memory storing an identification of a hidden process and storing computer-executable instructions of a component that injects code into code of the hidden process;
a component that launches execution of the hidden process with the injected code;
a component that, during execution of the injected code of the hidden process, determines whether a resource is hidden from the hidden process;
a component that, after determining that no resource is hidden from the hidden process, indicates that the hidden process is a root process; and
a processor for executing the computer-executable instructions stored in the memory.
Dependent claims: 36, 37, 38, 39, 40.
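The cross-view comparison of the abstract and the root-process test of claims 21, 29 and 35, as an added Python illustration that is not the patent's code: on Linux the high-level view is the /proc directory listing that ps relies on, the low-level view probes every PID individually with kill(2), and views_from_hidden (an assumed input) stands in for what injected code would enumerate from inside each hidden process. The Linux collectors are this example's own choice; the patent is not tied to them.

```python
import os

def hidden_resources(high_level, low_level):
    # Cross-view diff: anything the unfiltered low-level view reports that the
    # filtered high-level view omits is considered hidden.
    return set(low_level) - set(high_level)

def root_processes(views_from_hidden, low_level):
    # views_from_hidden maps each hidden PID to the PIDs that code running inside
    # that process can enumerate (the injected-code step of the claims). A hidden
    # process from which nothing is hidden is reported as a root process.
    truth = set(low_level)
    return {pid for pid, seen in views_from_hidden.items() if truth <= set(seen)}

def proc_readdir_view():
    # High-level view on Linux: the /proc directory listing that ps and top use.
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def _is_thread_group_leader(pid):
    # Threads answer kill(2) and have /proc/<tid> yet are absent from the listing,
    # so they would look hidden; keep only PIDs whose Tgid equals the PID itself.
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return True  # unreadable: cannot prove it is a thread, so do not discard it

def pid_probe_view():
    # Low-level view: query the kernel about every possible PID one by one,
    # bypassing the listing. Signal 0 delivers nothing; EPERM still proves existence.
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if _is_thread_group_leader(pid):
            found.add(pid)
    return found

if __name__ == "__main__":
    before, probed, after = proc_readdir_view(), pid_probe_view(), proc_readdir_view()
    print(sorted(hidden_resources(before | after, probed)))
```

Taking the listing both before and after the slow probe and uniting them keeps processes that started or exited between the two enumerations from being reported as hidden. The per-process view that injected code would produce is outside this example and is passed to root_processes as data.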
Specification