MALWARE AUTO-ANALYSIS SYSTEM AND METHOD USING KERNEL CALLBACK MECHANISM

US 20120079594A1
Filed: 11/09/2010
Published: 03/29/2012
Est. Priority Date: 09/27/2010
Status: Abandoned Application

First Claim

Patent Images

1. A malware auto-analysis system using a kernel callback mechanism, comprising:

a process monitor driver configured to register a first function present in a kernel driver as a first callback function by using a PsSetCreateProcessNotifyRoutine function to receive a process event attributable to creation and/or termination of a process;

a registry monitor driver configured to register a second function present therein as a second callback function by using a CmRegisterCallback function when the registry monitor driver is loaded to receive a registry event;

a file monitor driver configured to register the kernel driver as a minifilter driver in a Filter Manager present in a Windows system to receive a file-related Input/Output (I/O) event; and

a behavior event collector configured to select and store data corresponding to a preset monitoring target process in a preset shared memory region based on at least one of, the process event, the registry event or the I/O event received via a shared memory that can be simultaneously accessed by the kernel driver and an application program.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a malware auto-analysis method using a kernel callback mechanism, a function, present in a kernel driver within a PsSetCreateProcessNotifyRoutine function, is registered by a process monitor driver as a callback function when a computer boot. A function present in a registry monitor driver is registered by the registry monitor driver as a callback function in a CmRegisterCallback function when the driver is loaded. A kernel driver is registered by a file monitor driver as a mini-filter driver in a Filter Manager present in a Windows system. At least one of a process event, a registry event, or an Input/Output (I/O) event is received by a behavior event collector from the process monitor driver, the registry monitor driver, or the file monitor driver, respectively.

Citations

10 Claims

1. A malware auto-analysis system using a kernel callback mechanism, comprising:
- a process monitor driver configured to register a first function present in a kernel driver as a first callback function by using a PsSetCreateProcessNotifyRoutine function to receive a process event attributable to creation and/or termination of a process;
  
  a registry monitor driver configured to register a second function present therein as a second callback function by using a CmRegisterCallback function when the registry monitor driver is loaded to receive a registry event;
  
  a file monitor driver configured to register the kernel driver as a minifilter driver in a Filter Manager present in a Windows system to receive a file-related Input/Output (I/O) event; and
  
  a behavior event collector configured to select and store data corresponding to a preset monitoring target process in a preset shared memory region based on at least one of, the process event, the registry event or the I/O event received via a shared memory that can be simultaneously accessed by the kernel driver and an application program.
- View Dependent Claims (2)
- - 2. The malware auto-analysis system according to claim 1, whereinthe behavior event collector periodically accesses the shared memory region at preset periods and determines whether newly stored data is present in the shared memory region, andif it is determined that the newly stored data is present in the shared memory region, the behavior event collector reads monitoring data, which includes at least one of, the process event, the registry event, or the I/O event, from the process monitor driver, the registry monitor driver, or the file monitor driver, respectively.

3. A malware auto-analysis method using a kernel callback mechanism, comprising:
- registering, by a process monitor driver, a function, present in a kernel driver within a PsSetCreateProcessNotifyRoutine function, as a callback function when a computer boots;
  
  registering, by a registry monitor driver, a function present therein as a callback function in a CmRegisterCallback function when the driver is loaded;
  
  registering, by a file monitor driver, a kernel driver as a mini-filter driver in a Filter Manager present in a Windows system; and
  
  receiving, by a behavior event collector, at least one of, a process event, a registry event, or an Input/Output (I/O) event from the process monitor driver, the registry monitor driver, or the file monitor driver, respectively.
- View Dependent Claims (4, 5)
- - 4. The malware auto-analysis method according to claim 3, further comprising,selecting, by the behavior event collector, data corresponding to a preset monitoring target process from the at least one of, the process event, the registry event, or the I/O event which forms monitoring data, and storing the selected data in a preset shared memory region.
  - 5. The malware auto-analysis method according to claim 4, further comprising:
    - collector periodically accessing, by the behavior event collector, the shared memory region at preset periods to determine whether newly stored data is present in the shared memory region, and proceeding to the receiving step in which the monitoring data is read from each of the process monitor driver, the registry monitor driver, or the file monitor driver if the newly stored data is determined to be present in the shared memory region.

6. A computer-assisted method of automatically detecting malware, the method comprising:
- registering a first callback function in a process kernel manager to receive a process event attributable to creation and/or termination of a process;
  
  registering a second callback function in a registry kernel manager to receive a registry event;
  
  registering a third callback function in an Input/Output (I/O) kernel manger to receive a file read/write event; and
  
  analyzing a newly stored data in a shared memory between a kernel driver and an application program, wherein the newly stored data is collected based on monitoring data that includes at least one of, the process event, the registry event or the file read/write event.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method according to claim 6, wherein the newly stored data corresponds to a preset monitoring target process.
  - 8. The method according to claim 6, wherein the process kernel manager uses a PsSetCreateProcessNotifyRoutine function.
  - 9. The method according to claim 6, wherein the registry kernel manager uses a CmRegisterCallback function.
  - 10. The method according to claim 6, wherein the I/O kernel manager uses the kernel driver by registering the kernel driver as a mini-filter driver in a Filter Manager present in a Windows system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Korea Internet & Security Agency
Original Assignee
Korea Internet & Security Agency
Inventors
Im, Chae Tae, Oh, Joo Hyung, JEONG, HYUN CHEOL

Application Number

US12/942,700
Publication Number

US 20120079594A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

MALWARE AUTO-ANALYSIS SYSTEM AND METHOD USING KERNEL CALLBACK MECHANISM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

MALWARE AUTO-ANALYSIS SYSTEM AND METHOD USING KERNEL CALLBACK MECHANISM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links