Safe memory scanning

US 7,216,367 B2
Filed: 02/21/2003
Issued: 05/08/2007
Est. Priority Date: 02/21/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

preventing an unload of at least one loaded driver from a memory of a computer system;

scanning in kernel mode the at least one loaded driver for viruses; and

permitting the unload of the at least one loaded driver from the memory of the computer system after the scanning is complete.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A kernel mode memory scanning driver for use in safely scanning loaded drivers in the memory of computer systems utilizing Windows® NT based operating systems, such as Windows® 2000, Windows® XP, and other operating systems utilizing the Windows® NT kernel base, for viruses. Prior to scanning the loaded drivers for viruses, the kernel mode memory scanning driver hooks a driver unload function of the operating system, and stalls any calls to the driver unload function to prevent the loaded drivers from being unloaded during scanning. After scanning is complete, any stalled calls to the driver unload function are released. In one embodiment, the kernel mode memory scanning driver is implemented as a Windows® NT 4.0 kernel mode memory scanning driver, and thus can be used on computer systems utilizing Windows® 2000 or Windows® NT without platform specific code.

Citations

30 Claims

1. A method comprising:
- preventing an unload of at least one loaded driver from a memory of a computer system;
  
  scanning in kernel mode the at least one loaded driver for viruses; and
  
  permitting the unload of the at least one loaded driver from the memory of the computer system after the scanning is complete.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the preventing an unload of at least one loaded driver further comprises:
    - hooking a driver unload function of an operating system of the computer system; and
      
      stalling any calls to the driver unload function.
  - 3. The method of claim 2, further comprising:
    - unhooking the driver unload function of the operating system after the scanning is complete.
  - 4. The method of claim 2, wherein the operating system utilizes virtual memory management.
  - 5. The method of claim 2, wherein the operating system is a Windows®
    - NT-based operating system.
  - 6. The method of claim 2, wherein the operating system is a Windows®
    - NT kernel-based operating system.
  - 7. The method of claim 2, wherein the operating system is Windows®
    - NT.
  - 8. The method of claim 2, wherein the operating system is Windows®
    - 2000.
  - 9. The method of claim 2, wherein the operating system is Windows®
    - XP.

10. A method comprising:
- hooking a driver unload function of an operating system;
  
  stalling any calls to the driver unload function;
  
  querying a driver name list from the operating system;
  
  receiving the driver name list, the driver name list identifying one or more loaded drivers and corresponding load addresses;
  
  scanning the one or more loaded drivers for viruses; and
  
  allowing the any calls to proceed to the driver unload function after the scanning is complete.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein the hooking a driver unload function further comprises:
    - redirecting a call to the driver unload function in a hooked system service table utilized by the operating system with a pointer to a replacement function.
  - 12. The method of claim 10, wherein the hooking a driver unload function further comprises:
    - hooking a ZwUnloadDriver() function.
  - 13. The method of claim 10, further comprising:
    - unhooking the driver unload function of the operating system after the scanning is complete.
  - 14. The method of claim 10, wherein the querying a driver name list from the operating system is implemented utilizing a ZwQuerySystemlnformation() function.
  - 15. The method of claim 10, wherein the querying a driver name list from the operating system is implemented utilizing a ZwQueryDirectoryObject() function.
  - 16. The method of claim 10, wherein the scanning the one or more loaded drivers for viruses further comprises:
    - locating a first loaded driver;
      
      scanning the first loaded driver for the viruses;
      
      determining if the first loaded driver is a last loaded driver to be scanned;
      
      if the first loaded driver is not the last loaded driver to be scanned, incrementing to a next loaded driver; and
      
      if the first loaded driver is the last loaded driver to be scanned, returning to the allowing the any calls to proceed to the driver unload function.
  - 17. The method of claim 16, wherein the scanning the first loaded driver for the viruses further comprises:
    - scanning a first section of the first loaded driver for the viruses;
      
      determining if the first section is a last section to be scanned;
      
      if the first section is not the last section to be scanned, incrementing to a next section; and
      
      if the first section is the last section to be scanned, returning to the determining if the first loaded driver is a last loaded driver to be scanned.
  - 18. The method of claim 17, wherein the scanning a first section of the first loaded driver for the viruses further comprises:
    - determining if a first page of the first section is valid;
      
      if the first page is not valid, incrementing to a next page;
      
      if the first page is valid, scanning the first page for the viruses;
      
      determining if the first page is a lastpage to be scanned;
      
      if the first page is not the last page to be scanned, incrementing to the next page; and
      
      if the first page is the last page to be scanned, returning to the determining if the first section is a last section to be scanned.

19. A method comprising:
- hooking a driver unload function of an operating system, wherein the hooking a driver unload function further comprises;
  
  redirecting a call to the driver unload function in a hooked system service table utilized by the operating system with a pointer to a replacement function, wherein the redirecting a call to the driver unload function in a hooked system service table is implemented by modifying an address of a ZwUnloadDriver() function using a KeServiceDescriptorTable pointer;
  
  stalling any calls to the driver unload function;
  
  querying a driver name list from the operating system;
  
  receiving the driver name list, the driver name list identifying one or more loaded drivers and corresponding load addresses;
  
  scanning the one or more loaded drivers for viruses; and
  
  allowing the any calls to proceed to the driver unload function after the scanning is complete.
- View Dependent Claims (20)
- - 20. The method of claim 19, wherein the call to the driver unload function is a call to the ZwUnloadDriver() function, andfurther wherein the KeServiceDescriptorTable pointer redirects the call to the ZwUnloadDriver() function to a HookZwUnloadDriver() function.

21. A computer program product comprising a computerreadable medium containing a kernel mode memory scanning driver for scanning a memory of a computer system for viruses, utilizing an operating system implementing a virtual memory, the kernel mode memory scanning driver comprising:
- a scanning function; and
  
  a replacement function.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The computer program product of claim 21, wherein the kernel mode memory scanning driver is loaded into a kernel address space of the virtual memory.
  - 23. The computer program product of claim 21, wherein the scanning function scans drivers loaded in the memory of the computer system for the viruses.
  - 24. The computer program product of claim 23, wherein prior to scanning the drivers loaded in the memory for the viruses, a driver unload function of the operating system is hooked so that calls made to the driver unload function are routed to the replacement function and stalled until the scanning is complete.
  - 25. The computer program product of claim 23, wherein the kernel mode memory scanning driver implements a method comprising:
    - preventing an unload of at least one of the drivers loaded in the memory;
      
      scanning in a kernel mode the at least one of the drivers loaded in the memory for the viruses; and
      
      permitting the unload of the at least one of the drivers loaded in the memory after the scanning is complete.

26. A computer system comprising:
- a means for hooking a driver unload function of an operating system;
  
  a means for stalling any calls to the driver unload function;
  
  a means for querying a driver name list from the operating system;
  
  a means for receiving the driver name list, the driver name list identifying one or more loaded drivers and corresponding load addresses;
  
  a means for scanning the one or more loaded drivers for viruses; and
  
  a means for allowing the any calls to proceed to the driver unload function.
- View Dependent Claims (27)
- - 27. The computer system of claim 26, further comprising:
    - a means for unhooking the driver unload function of the operating system.

28. A computer program product comprising a computer-readable medium containing computer program code for a method comprising:
- preventing an unload of at least one loaded driver from a memory of a computer system;
  
  scanning in a kernel mode the at least one loaded driver for viruses; and
  
  permitting the unload of the at least one loaded driver from the memory of the computer system after the scanning is complete.

29. A computer program product comprising a computer-readable medium containing computer program code for a method comprising:
- hooking a driver unload function of an operating system;
  
  stalling any calls to the driver unload function;
  
  querying a driver name list from the operating system;
  
  receiving the driver name list, the driver name list identifying one or more loaded drivers and corresponding load addresses;
  
  scanning the one or more loaded drivers for viruses; and
  
  allowing the any calls to proceed to the driver unload function after the scanning is complete.
- View Dependent Claims (30)
- - 30. The computer program product of claim 29, the method further comprising:
    - unhooking the driver unload function of the operating system after the scanning is complete.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Baum; Ronald

Application Number

US10/371,945
Publication Number

US 20040168070A1
Time in Patent Office

1,537 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/564 by virus signature recognition

Safe memory scanning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Safe memory scanning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links