ATOMIC DETECTION AND REPAIR OF KERNEL MEMORY
First Claim
1. A method for detecting memory modifications, comprising:
- allocating a contiguous block of a memory of an electronic device, the electronic device comprising a plurality of processing cores;
- loading instructions for detecting memory modifications into the contiguous block of memory;
- disabling the operation of an operating system of the electronic device by disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts;
- disabling all but one of the plurality of processing cores of the electronic device, the remaining processing core executing the instructions for detecting memory modifications;
- scanning the memory of the electronic device for modifications performed by malware, after disabling all but one of the plurality of processing cores and disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts;
- enabling the one or more of the system interrupts, user interrupts, or scheduler timer interrupts that were disabled, after scanning the memory of the electronic device for modifications; and
- enabling the processing cores that were disabled, after scanning the memory of the electronic device for modifications.
Abstract
A method for detecting memory modifications includes allocating a contiguous block of a memory of an electronic device, and loading instructions for detecting memory modifications into the contiguous block of memory. The electronic device includes a plurality of processing entities. The method also includes disabling all but one of a plurality of processing entities of the electronic device, scanning the memory of the electronic device for modifications performed by malware, and, if a memory modification is detected, repairing the memory modification. The method also includes enabling the processing entities that were disabled. The remaining processing entity executes the instructions for detecting memory modifications.
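The following user-space model is an added example, not code from the patent or its assignee. It shows why the method quiesces the machine before scanning: a concurrent writer can undo a repair mid-pass unless interrupts and the other cores are disabled. The `machine` struct, `rival_step`, `HOOK` and the table values are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#define NCORES 4
#define NENT   8
#define HOOK   0xBAD0u           /* constructed marker for a modified entry */

struct machine {                 /* constructed model, not real hardware */
    int irq_on;                  /* interrupts deliverable to the scanning core */
    int core_on[NCORES];         /* core 0 runs the scanner */
    unsigned region[NENT];       /* monitored memory, e.g. a dispatch table */
};

/* Concurrent writer: it runs only via an interrupt or another online core. */
static void rival_step(struct machine *m) {
    int can_run = m->irq_on;
    for (int c = 1; c < NCORES; c++) can_run |= m->core_on[c];
    if (can_run) m->region[2] = HOOK;
}

/* Compare each entry with the known-good copy, repair mismatches, count them. */
static int scan_and_repair(struct machine *m, const unsigned *good) {
    int fixed = 0;
    for (int i = 0; i < NENT; i++) {
        if (m->region[i] != good[i]) { m->region[i] = good[i]; fixed++; }
        rival_step(m);           /* the writer gets a chance between checks */
    }
    return fixed;
}

/* Ordering from the claim: quiesce, scan, re-enable interrupts, then cores. */
static int atomic_scan(struct machine *m, const unsigned *good) {
    struct machine saved = *m;
    m->irq_on = 0;
    for (int c = 1; c < NCORES; c++) m->core_on[c] = 0;
    int fixed = scan_and_repair(m, good);
    m->irq_on = saved.irq_on;
    memcpy(m->core_on, saved.core_on, sizeof m->core_on);
    return fixed;
}

/* Entries still modified after one pass; both passes report 1 repair. */
int demo(int atomic) {
    unsigned good[NENT] = {10, 11, 12, 13, 14, 15, 16, 17};
    struct machine m = { 1, {1, 1, 1, 1}, {10, 11, HOOK, 13, 14, 15, 16, 17} };
    int left = 0;
    if (atomic) atomic_scan(&m, good); else scan_and_repair(&m, good);
    for (int i = 0; i < NENT; i++) left += (m.region[i] != good[i]);
    return left;
}
int main(void) { printf("plain=%d atomic=%d\n", demo(0), demo(1)); return 0; }
```

In the plain pass the scanner reports one repair, yet the entry is modified again before the pass ends. With interrupts and the other cores disabled, the writer never runs during the pass and the region matches the known-good copy when the machine is re-enabled.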
20 Claims
1. A method for detecting memory modifications, comprising:
- allocating a contiguous block of a memory of an electronic device, the electronic device comprising a plurality of processing cores;
- loading instructions for detecting memory modifications into the contiguous block of memory;
- disabling the operation of an operating system of the electronic device by disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts;
- disabling all but one of the plurality of processing cores of the electronic device, the remaining processing core executing the instructions for detecting memory modifications;
- scanning the memory of the electronic device for modifications performed by malware, after disabling all but one of the plurality of processing cores and disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts;
- enabling the one or more of the system interrupts, user interrupts, or scheduler timer interrupts that were disabled, after scanning the memory of the electronic device for modifications; and
- enabling the processing cores that were disabled, after scanning the memory of the electronic device for modifications.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. An article of manufacture, comprising:
- a non-transitory computer readable medium; and
- computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to:
  - allocate a contiguous block of a memory of an electronic device, the electronic device comprising a plurality of processing cores;
  - load instructions for detecting memory modifications into the contiguous block of memory;
  - disable the operation of an operating system of the electronic device by disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts;
  - disable all but one processing cores of the electronic device, the remaining processing core for executing the instructions for detecting memory modifications;
  - scan the memory of an electronic device for modifications performed by malware, after all but one of the plurality of processing cores is disabled and one or more of system interrupts, user interrupts, or scheduler timer interrupts is disabled;
  - enable the one or more of system interrupts, user interrupts, or scheduler timer interrupts that were disabled, after the scan of the memory of the electronic device for modifications; and
  - enable the processing cores that were disabled, after the scan of the memory of the electronic device for modifications.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
Specification