MALWARE AUTO-ANALYSIS SYSTEM AND METHOD USING KERNEL CALLBACK MECHANISM

  • US 20120079594A1
  • Filed: 11/09/2010
  • Published: 03/29/2012
  • Est. Priority Date: 09/27/2010
  • Status: Abandoned Application
First Claim
1. A malware auto-analysis system using a kernel callback mechanism, comprising:

  • a process monitor driver configured to register a first function present in a kernel driver as a first callback function by using the PsSetCreateProcessNotifyRoutine function, to receive a process event attributable to creation and/or termination of a process;

  • a registry monitor driver configured to register a second function present therein as a second callback function by using the CmRegisterCallback function when the registry monitor driver is loaded, to receive a registry event;

  • a file monitor driver configured to register the kernel driver as a minifilter driver with the Filter Manager present in a Windows system, to receive a file-related Input/Output (I/O) event; and

  • a behavior event collector configured to select and store data corresponding to a preset monitoring target process in a preset shared memory region, based on at least one of the process event, the registry event or the I/O event, received via a shared memory that can be simultaneously accessed by the kernel driver and an application program.
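The four claim elements describe one data path: three kernel-side callbacks (process, registry, file I/O) feed a behavior event collector that keeps only events for the monitored sample and writes them into memory shared with a user-mode analyser. The following is an added illustration of that path and is not code from the patent. The real registrations (PsSetCreateProcessNotifyRoutine, CmRegisterCallback, FltRegisterFilter) need a WDK build and run inside the kernel, so each callback is modelled here as a plain C function, the shared memory is an ordinary struct with a single-producer/single-consumer ring, and every PID, key and path is constructed sample data; the policy of adding children of a monitored process to the target set is an assumption, not something the claim states.

```c
/* Added illustration of the event path in claim 1, not the patent's code.
 * Kernel registrations are replaced by plain C functions; all PIDs, keys and
 * paths are constructed sample data. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ev_source { EV_PROCESS = 1, EV_REGISTRY = 2, EV_FILE = 3 };

struct event {
    uint32_t source;      /* enum ev_source */
    uint32_t pid;         /* process the behaviour is attributed to */
    uint32_t op;          /* create(1)/terminate(0), REG_NOTIFY_CLASS, or IRP major code */
    char     target[128]; /* image path, registry key or file name */
};

/* Region mapped into both the driver and the user-mode analyser.
 * Single producer (kernel callbacks), single consumer (analyser). */
#define RING_SLOTS  16          /* holds RING_SLOTS - 1 events; one slot is the full/empty sentinel */
#define MAX_TARGETS 8
struct shared_region {
    uint32_t head, tail;            /* producer write index, consumer read index */
    uint32_t dropped;               /* events lost while the ring was full */
    uint32_t n_targets;
    uint32_t targets[MAX_TARGETS];  /* preset monitoring-target PIDs */
    struct event ring[RING_SLOTS];
};

static void region_init(struct shared_region *r, uint32_t sample_pid) {
    memset(r, 0, sizeof *r);
    r->targets[r->n_targets++] = sample_pid;
}

static bool is_target(const struct shared_region *r, uint32_t pid) {
    for (uint32_t i = 0; i < r->n_targets; i++)
        if (r->targets[i] == pid) return true;
    return false;
}

/* Behaviour event collector: store the event only if it belongs to a
 * monitored process.  Never blocks: a kernel callback runs on the thread
 * that triggered it, so a full ring is counted and the event dropped. */
static bool collect(struct shared_region *r, const struct event *e) {
    if (!is_target(r, e->pid)) return false;
    uint32_t next = (r->head + 1) % RING_SLOTS;
    if (next == r->tail) { r->dropped++; return false; }
    r->ring[r->head] = *e;
    r->head = next;
    return true;
}

/* Consumer side (user-mode analyser): pop one event, false when empty. */
static bool drain(struct shared_region *r, struct event *out) {
    if (r->tail == r->head) return false;
    *out = r->ring[r->tail];
    r->tail = (r->tail + 1) % RING_SLOTS;
    return true;
}

/* Stand-in for the PsSetCreateProcessNotifyRoutine callback (ParentId,
 * ProcessId, Create).  A creation is attributed to the parent; a child of a
 * monitored process joins the target set (assumed policy, not from the claim). */
static void on_process_notify(struct shared_region *r, uint32_t parent,
                              uint32_t pid, bool create, const char *image) {
    if (create && is_target(r, parent) && !is_target(r, pid) && r->n_targets < MAX_TARGETS)
        r->targets[r->n_targets++] = pid;
    struct event e = { EV_PROCESS, create ? parent : pid, create ? 1u : 0u, "" };
    strncpy(e.target, image, sizeof e.target - 1);
    collect(r, &e);
}

/* Stand-in for the CmRegisterCallback RegistryCallback; in the kernel the
 * acting PID comes from PsGetCurrentProcessId(). */
static void on_registry_callback(struct shared_region *r, uint32_t pid,
                                 uint32_t notify_class, const char *key) {
    struct event e = { EV_REGISTRY, pid, notify_class, "" };
    strncpy(e.target, key, sizeof e.target - 1);
    collect(r, &e);
}

/* Stand-in for a minifilter pre-operation callback (IRP major function code). */
static void on_file_preop(struct shared_region *r, uint32_t pid,
                          uint32_t irp_major, const char *path) {
    struct event e = { EV_FILE, pid, irp_major, "" };
    strncpy(e.target, path, sizeof e.target - 1);
    collect(r, &e);
}

/* Constructed run: sample PID 1000 spawns 1001, which writes a Run key and a
 * file while unrelated processes (PID 4, 777) generate noise.  Returns the
 * number of events the collector kept. */
static uint32_t simulate(struct shared_region *r) {
    region_init(r, 1000);
    on_process_notify(r, 1000, 1001, true,  "C:\\Users\\lab\\dropper.exe");
    on_registry_callback(r, 1001, 1 /* RegNtPreSetValueKey */,
                         "\\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\Run");
    on_registry_callback(r, 4, 1, "\\Registry\\Machine\\System\\CurrentControlSet"); /* System: filtered out */
    on_file_preop(r, 1001, 0 /* IRP_MJ_CREATE */, "C:\\Windows\\Temp\\payload.dll");
    on_file_preop(r, 777,  0, "C:\\Users\\lab\\notes.txt");                  /* unrelated: filtered out */
    on_process_notify(r, 1000, 1001, false, "C:\\Users\\lab\\dropper.exe");  /* child exits */
    return r->head;  /* tail is 0 after init, so head is the kept count */
}

int main(void) {
    struct shared_region r;
    printf("kept %u events, dropped %u\n", simulate(&r), r.dropped);
    for (struct event e; drain(&r, &e); )
        printf("src=%u pid=%u op=%u %s\n", e.source, e.pid, e.op, e.target);
    return 0;
}
```

Two points worth keeping in mind when building the real thing: the callbacks fire synchronously in the context of the thread performing the operation, so the collector must filter and copy quickly and never wait on the analyser (hence the drop counter rather than blocking on a full ring); and on current Windows the registry hook should use CmRegisterCallbackEx and the process hook PsSetCreateProcessNotifyRoutineEx, which supplies the image name directly and lets the driver block the creation.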
