ATOMIC DETECTION AND REPAIR OF KERNEL MEMORY

US 20170091452A1
Filed: 12/13/2016
Published: 03/30/2017
Est. Priority Date: 09/02/2010
Status: Active Grant

First Claim

Patent Images

1. A method for detecting memory modifications, comprising:

allocating a contiguous block of a memory of an electronic device, the electronic device comprising a plurality of processing cores;

loading instructions for detecting memory modifications into the contiguous block of memory;

disabling the operation of an operating system of the electronic device by disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts;

disabling all but one of the plurality of processing cores of the electronic device, the remaining processing core executing the instructions for detecting memory modifications;

scanning the memory of the electronic device for modifications performed by malware, after disabling all but one of the plurality of processing cores and disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts;

enabling the one or more of the system interrupts, user interrupts, or scheduler timer interrupts that were disabled, after scanning the memory of the electronic device for modifications; and

enabling the processing cores that were disabled, after scanning the memory of the electronic device for modifications.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting memory modifications includes allocating a contiguous block of a memory of an electronic device, and loading instructions for detecting memory modifications into the contiguous block of memory. The electronic device includes a plurality of processing entities. The method also includes disabling all but one of a plurality of processing entities of the electronic device, scanning the memory of the electronic device for modifications performed by malware, and, if a memory modification is detected, repairing the memory modification. The method also includes enabling the processing entities that were disabled. The remaining processing entity executes the instructions for detecting memory modifications.

Citations

20 Claims

1. A method for detecting memory modifications, comprising:
- allocating a contiguous block of a memory of an electronic device, the electronic device comprising a plurality of processing cores;
  
  loading instructions for detecting memory modifications into the contiguous block of memory;
  
  disabling the operation of an operating system of the electronic device by disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts;
  
  disabling all but one of the plurality of processing cores of the electronic device, the remaining processing core executing the instructions for detecting memory modifications;
  
  scanning the memory of the electronic device for modifications performed by malware, after disabling all but one of the plurality of processing cores and disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts;
  
  enabling the one or more of the system interrupts, user interrupts, or scheduler timer interrupts that were disabled, after scanning the memory of the electronic device for modifications; and
  
  enabling the processing cores that were disabled, after scanning the memory of the electronic device for modifications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein:
    - loading instructions for detecting memory modifications into the contiguous block of memory comprises loading the entirety of the instructions within the contiguous block; and
      
      disabling all but one of the plurality of processing cores of the electronic device, the remaining processing core executing the instructions for detecting memory modifications comprises executing the instructions as resident within the contiguous block.
  - 3. The method of claim 1, further comprising repairing a memory modification detected during scanning the memory of the electronic device for modifications performed by malware, before enabling the one or more system interrupts, user interrupts, or scheduler timer interrupts that were disabled.
  - 4. The method of claim 1, wherein the memory modifications comprise modifications to kernel memory.
  - 5. The method of claim 1, wherein the memory modifications comprise modifications to application memory.
  - 6. The method of claim 1, wherein the contiguous block of memory is allocated in non-pageable memory.
  - 7. The method of claim 1, further comprising, before disabling all but one of the plurality of processing cores of the electronic device, modifying an affinity associated with the loaded instructions to one of the plurality of processing cores of the electronic device, wherein the processing core is the remaining processing core for executing the instructions for detecting memory modifications.
  - 8. The method of claim 1, further comprising:
    - subsequent to disabling the operating system, enabling the operating system to access a system function, the system function used for repair or diagnosis of memory; and
      
      subsequently disabling the operating system after utilizing the system function.
  - 9. The method of claim 1, wherein the processing cores of the electronic device are shut down using an operating system service.
  - 10. The method of claim 1, further comprising:
    - detecting a memory modification during scanning of the memory of the electronic device;
      
      enabling a system resource, wherein the system resource is the one or more disabled processing cores, or the one or more disabled system interrupts, user interrupts, or scheduler timer interrupts;
      
      in response to detecting a memory modification, repairing the memory modification; and
      
      disabling the system resource after repairing the memory modification.

11. An article of manufacture, comprising:
- a non-transitory computer readable medium; and
  
  computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  allocate a contiguous block of a memory of an electronic device, the electronic device comprising a plurality of processing cores;
  
  load instructions for detecting memory modifications into the contiguous block of memory;
  
  disable the operation of an operating system of the electronic device by disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts;
  
  disable all but one processing cores of the electronic device, the remaining processing core for executing the instructions for detecting memory modifications;
  
  scan the memory of an electronic device for modifications performed by malware, after all but one of the plurality of processing cores is disabled and one or more of system interrupts, user interrupts, or scheduler timer interrupts is disabled;
  
  enable the one or more of system interrupts, user interrupts, or scheduler timer interrupts that were disabled, after the scan of the memory of the electronic device for modifications; and
  
  enable the processing cores that were disabled, after the scan of the memory of the electronic device for modifications.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The article of claim 11, wherein:
    - the entirety of the instructions for detecting memory modifications are loaded within the contiguous block; and
      
      the instructions for detecting memory modifications that are executed by the remaining processing core are resident within the contiguous block.
  - 13. The article of claim 11, wherein the processing is further caused to repair a memory modification detected during the scan of the memory of the electronic device for modifications performed by malware, before the one or more disabled system interrupts, user interrupts, or scheduler timer interrupts is enabled.
  - 14. The article of claim 11, wherein the memory modifications comprise modifications to kernel memory.
  - 15. The article of claim 11, wherein the memory modifications comprise modifications to application memory.
  - 16. The article of claim 11, wherein the contiguous block of memory is allocated in non-pageable memory.
  - 17. The article of claim 11, wherein the processing is further caused to, before all but one of the plurality of processing cores of the electronic device are disabled, modify an affinity associated with the loaded instructions to one of the plurality of processing cores of the electronic device, wherein the processing core is the remaining processing core for executing the instructions for detecting memory modifications.
  - 18. The article of claim 11, wherein the processing is further caused to:
    - subsequent to disabling the operating system, enable the operating system to access a system function, the system function used for repair or diagnosis of memory; and
      
      subsequently disable the operating system after utilizing the system function.
  - 19. The article of claim 11, wherein the processing cores of the electronic device are caused to be shut down using an operating system service.
  - 20. The article of claim 11, wherein the processing is further caused to:
    - detect a memory modification during the scan of the memory of the electronic device;
      
      enable a system resource, wherein the system resource is the one or more disabled processing cores, or the one or more disabled system interrupts, user interrupts, or scheduler timer interrupts;
      
      in response to detection of a memory modification, repair the memory modification; and
      
      disable the system resource after the memory modification is repaired.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said

Granted Patent

US 9,703,957 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 9/442   Shutdown

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

ATOMIC DETECTION AND REPAIR OF KERNEL MEMORY

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ATOMIC DETECTION AND REPAIR OF KERNEL MEMORY

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links