MALWARE AUTO-ANALYSIS SYSTEM AND METHOD USING KERNEL CALLBACK MECHANISM
1 Assignment
0 Petitions
Abstract
In a malware auto-analysis method using a kernel callback mechanism, a function, present in a kernel driver within a PsSetCreateProcessNotifyRoutine function, is registered by a process monitor driver as a callback function when the computer boots. A function present in a registry monitor driver is registered by the registry monitor driver as a callback function in a CmRegisterCallback function when the driver is loaded. A kernel driver is registered by a file monitor driver as a mini-filter driver in a Filter Manager present in a Windows system. At least one of a process event, a registry event, or an Input/Output (I/O) event is received by a behavior event collector from the process monitor driver, the registry monitor driver, or the file monitor driver, respectively.
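The abstract describes three kernel-side producers (process, registry and file callbacks) feeding one behavior event collector that keeps only the events of a preset monitoring target and stores them in a region shared between the kernel driver and a user-mode program. The following user-mode C program is an added example, not code from the patent or its assignee: it models that collector and the shared region as a fixed-size single-producer ring buffer, feeds it a constructed event stream (the PIDs and paths are invented sample values), and, as an assumption that goes beyond the text, also follows child processes that the target creates, since a process-create callback is exactly where a sandbox learns about them.

```c
/* Added example (not the patent's code): a user-mode model of the
 * behavior event collector and the kernel/user shared memory region.
 * The real producers (PsSetCreateProcessNotifyRoutine, CmRegisterCallback,
 * minifilter pre/post-operation callbacks) are replaced by a constructed
 * event stream so the program runs without a driver. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { EV_PROCESS = 1, EV_REGISTRY = 2, EV_FILE = 3 } ev_type_t;

/* Raw event as a kernel callback would hand it over. For EV_PROCESS,
 * `arg` carries the new child PID on create and 0 on terminate. */
typedef struct {
    ev_type_t type;
    uint32_t  pid;        /* process that caused the event */
    uint32_t  arg;        /* child PID for process-create, else 0 */
    char      detail[64]; /* registry key / file path (constructed samples) */
} raw_event_t;

#define SHM_CAPACITY 16
#define MAX_TRACKED  32

/* Stand-in for the preset shared memory region: single-producer ring. */
typedef struct {
    raw_event_t slots[SHM_CAPACITY];
    size_t head;     /* next write index (kernel side) */
    size_t tail;     /* next read index (user side) */
    size_t dropped;  /* events lost because the region was full */
} shared_region_t;

typedef struct {
    shared_region_t shm;
    uint32_t tracked[MAX_TRACKED]; /* monitoring target plus its children */
    size_t   ntracked;
} collector_t;

void collector_init(collector_t *c, uint32_t target_pid) {
    memset(c, 0, sizeof *c);
    c->tracked[0] = target_pid;
    c->ntracked = 1;
}

static int is_tracked(const collector_t *c, uint32_t pid) {
    for (size_t i = 0; i < c->ntracked; i++)
        if (c->tracked[i] == pid) return 1;
    return 0;
}

/* Entry point for every event the three drivers report.
 * Returns 1 if the event was selected and stored, 0 otherwise. */
int collector_on_event(collector_t *c, const raw_event_t *ev) {
    if (!is_tracked(c, ev->pid)) return 0; /* not a monitoring target */

    /* Assumption beyond the text: a tracked process creating a child
     * extends the target set so the child's behavior is captured too. */
    if (ev->type == EV_PROCESS && ev->arg != 0 && c->ntracked < MAX_TRACKED)
        c->tracked[c->ntracked++] = ev->arg;

    shared_region_t *s = &c->shm;
    if (s->head - s->tail == SHM_CAPACITY) { s->dropped++; return 0; }
    s->slots[s->head % SHM_CAPACITY] = *ev;
    s->head++;
    return 1;
}

/* User-mode consumer: take one stored event, 0 when the region is empty. */
int collector_pop(collector_t *c, raw_event_t *out) {
    shared_region_t *s = &c->shm;
    if (s->head == s->tail) return 0;
    *out = s->slots[s->tail % SHM_CAPACITY];
    s->tail++;
    return 1;
}

typedef struct { size_t stored, tracked, drained, dropped; } demo_result_t;

/* Feeds a constructed stream (target PID 4242, unrelated PID 1000,
 * child PID 4300) through the collector and reports what happened. */
demo_result_t demo_run(void) {
    raw_event_t stream[] = {
        { EV_REGISTRY, 4242, 0,    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" },
        { EV_FILE,     1000, 0,    "C:\\Windows\\System32\\kernel32.dll" },
        { EV_PROCESS,  4242, 4300, "child.exe" },
        { EV_FILE,     4300, 0,    "C:\\Users\\sample\\payload.bin" },
        { EV_PROCESS,  4300, 0,    "" },
        { EV_REGISTRY, 1000, 0,    "HKLM\\System\\CurrentControlSet\\Services" },
    };
    collector_t c;
    raw_event_t ev;
    demo_result_t r = { 0, 0, 0, 0 };
    collector_init(&c, 4242);
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        r.stored += (size_t)collector_on_event(&c, &stream[i]);
    while (collector_pop(&c, &ev)) {
        printf("pid=%u type=%d %s\n", ev.pid, (int)ev.type, ev.detail);
        r.drained++;
    }
    r.tracked = c.ntracked;
    r.dropped = c.shm.dropped;
    return r;
}

int main(void) {
    demo_result_t r = demo_run();
    printf("stored=%zu tracked=%zu drained=%zu dropped=%zu\n",
           r.stored, r.tracked, r.drained, r.dropped);
    return 0;
}
```

In a real driver the three callbacks would write into this region from arbitrary kernel threads while the analysis program reads it, so the unsynchronized head/tail counters above must be replaced by a proper producer/consumer protocol (a kernel spin lock or interlocked indices plus an event object the user side waits on). The `dropped` counter is worth keeping in any case: a full region silently losing events is exactly the gap a sample that floods the filesystem or registry would exploit to hide later behavior.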
10 Claims
1. A malware auto-analysis system using a kernel callback mechanism, comprising:
a process monitor driver configured to register a first function present in a kernel driver as a first callback function by using a PsSetCreateProcessNotifyRoutine function to receive a process event attributable to creation and/or termination of a process;
a registry monitor driver configured to register a second function present therein as a second callback function by using a CmRegisterCallback function when the registry monitor driver is loaded to receive a registry event;
a file monitor driver configured to register the kernel driver as a minifilter driver in a Filter Manager present in a Windows system to receive a file-related Input/Output (I/O) event; and
a behavior event collector configured to select and store data corresponding to a preset monitoring target process in a preset shared memory region based on at least one of the process event, the registry event or the I/O event received via a shared memory that can be simultaneously accessed by the kernel driver and an application program.
[Dependent claims: 2]
3. A malware auto-analysis method using a kernel callback mechanism, comprising:
registering, by a process monitor driver, a function, present in a kernel driver within a PsSetCreateProcessNotifyRoutine function, as a callback function when a computer boots;
registering, by a registry monitor driver, a function present therein as a callback function in a CmRegisterCallback function when the driver is loaded;
registering, by a file monitor driver, a kernel driver as a mini-filter driver in a Filter Manager present in a Windows system; and
receiving, by a behavior event collector, at least one of a process event, a registry event, or an Input/Output (I/O) event from the process monitor driver, the registry monitor driver, or the file monitor driver, respectively.
[Dependent claims: 4, 5]
6. A computer-assisted method of automatically detecting malware, the method comprising:
registering a first callback function in a process kernel manager to receive a process event attributable to creation and/or termination of a process;
registering a second callback function in a registry kernel manager to receive a registry event;
registering a third callback function in an Input/Output (I/O) kernel manager to receive a file read/write event; and
analyzing newly stored data in a shared memory between a kernel driver and an application program, wherein the newly stored data is collected based on monitoring data that includes at least one of the process event, the registry event or the file read/write event.
[Dependent claims: 7, 8, 9, 10]