Safe memory scanning
First Claim
1. A method comprising:
- preventing an unload of at least one loaded driver from a memory of a computer system;
- scanning in kernel mode the at least one loaded driver for viruses; and
- permitting the unload of the at least one loaded driver from the memory of the computer system after the scanning is complete.
Abstract
A kernel mode memory scanning driver for safely scanning, for viruses, the drivers loaded in the memory of computer systems running Windows® NT based operating systems, such as Windows® 2000, Windows® XP, and other operating systems built on the Windows® NT kernel base. Before scanning the loaded drivers, the kernel mode memory scanning driver hooks the driver unload function of the operating system and stalls any calls to it, so that no loaded driver can be unloaded while the scan is in progress. After the scan is complete, any stalled calls to the driver unload function are released. In one embodiment, the kernel mode memory scanning driver is implemented as a Windows® NT 4.0 kernel mode memory scanning driver, and thus can be used on computer systems running Windows® 2000 or Windows® NT without platform specific code.
30 Claims
1. A method comprising:
- preventing an unload of at least one loaded driver from a memory of a computer system;
- scanning in kernel mode the at least one loaded driver for viruses; and
- permitting the unload of the at least one loaded driver from the memory of the computer system after the scanning is complete.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A method comprising:
- hooking a driver unload function of an operating system;
- stalling any calls to the driver unload function;
- querying a driver name list from the operating system;
- receiving the driver name list, the driver name list identifying one or more loaded drivers and corresponding load addresses;
- scanning the one or more loaded drivers for viruses; and
- allowing any such calls to proceed to the driver unload function after the scanning is complete.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.

19. A method comprising:
- hooking a driver unload function of an operating system, wherein the hooking a driver unload function further comprises: redirecting a call to the driver unload function in a hooked system service table utilized by the operating system with a pointer to a replacement function, wherein the redirecting a call to the driver unload function in a hooked system service table is implemented by modifying an address of a ZwUnloadDriver() function using a KeServiceDescriptorTable pointer;
- stalling any calls to the driver unload function;
- querying a driver name list from the operating system;
- receiving the driver name list, the driver name list identifying one or more loaded drivers and corresponding load addresses;
- scanning the one or more loaded drivers for viruses; and
- allowing any such calls to proceed to the driver unload function after the scanning is complete.
Dependent claims: 20.

21. A computer program product comprising a computer-readable medium containing a kernel mode memory scanning driver for scanning a memory of a computer system for viruses, utilizing an operating system implementing a virtual memory, the kernel mode memory scanning driver comprising:
- a scanning function; and
- a replacement function.
Dependent claims: 22, 23, 24, 25.

26. A computer system comprising:
- a means for hooking a driver unload function of an operating system;
- a means for stalling any calls to the driver unload function;
- a means for querying a driver name list from the operating system;
- a means for receiving the driver name list, the driver name list identifying one or more loaded drivers and corresponding load addresses;
- a means for scanning the one or more loaded drivers for viruses; and
- a means for allowing any such calls to proceed to the driver unload function.
Dependent claims: 27.

28. A computer program product comprising a computer-readable medium containing computer program code for a method comprising:
- preventing an unload of at least one loaded driver from a memory of a computer system;
- scanning in a kernel mode the at least one loaded driver for viruses; and
- permitting the unload of the at least one loaded driver from the memory of the computer system after the scanning is complete.

29. A computer program product comprising a computer-readable medium containing computer program code for a method comprising:
- hooking a driver unload function of an operating system;
- stalling any calls to the driver unload function;
- querying a driver name list from the operating system;
- receiving the driver name list, the driver name list identifying one or more loaded drivers and corresponding load addresses;
- scanning the one or more loaded drivers for viruses; and
- allowing any such calls to proceed to the driver unload function after the scanning is complete.
Dependent claims: 30.
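The hook-stall-scan-release sequence of claims 10 and 19, as an added user-mode Python model that is not the patent's code: the `Kernel`, `MemoryScanner`, `SIGNATURE` and the two driver images are constructed for illustration, the "service-table slot" stands in for the ZwUnloadDriver() entry, and `schedule()` models another thread's unload request arriving mid-scan. Running the scan with and without the hook shows the race the stall prevents: unhooked, the scanner reaches a driver whose image has already been unmapped.

```python
SIGNATURE = b"EVIL_PAYLOAD"  # constructed pattern standing in for a virus signature

class Kernel:
    # Stand-in OS: driver table (name -> (load address, image bytes)), a service-table
    # slot for the unload routine, and unload requests queued by other threads.
    def __init__(self, drivers):
        self.drivers, self.pending_unloads, self.unloaded = drivers, [], []
        self.unload_entry = self._real_unload       # unhooked slot (models ZwUnloadDriver)
    def _real_unload(self, name):
        self.unloaded.append(name)
        del self.drivers[name]                      # image is unmapped from here on
    def zw_unload_driver(self, name):
        self.unload_entry(name)                     # dispatch through the (maybe hooked) slot
    def query_driver_list(self):
        return [(n, addr) for n, (addr, _) in self.drivers.items()]
    def schedule(self):                             # context switch: queued unloads run now
        while self.pending_unloads:
            self.zw_unload_driver(self.pending_unloads.pop(0))

class MemoryScanner:
    def __init__(self, kernel):
        self.k, self.stalled = kernel, []
    def scan(self, hook=True):                      # -> {driver: infected|clean|unmapped}
        original = self.k.unload_entry
        if hook:
            self.k.unload_entry = self.stalled.append   # stall: record the call, do not unload
        result = {}
        try:
            for name, _addr in self.k.query_driver_list():
                self.k.schedule()                       # preemption before the image is read
                entry = self.k.drivers.get(name)
                if entry is None:                       # freed memory; a real driver would fault
                    result[name] = "unmapped"
                else:
                    result[name] = "infected" if SIGNATURE in entry[1] else "clean"
        finally:
            self.k.unload_entry = original              # unhook
            for name in self.stalled:                   # release the stalled calls
                if name in self.k.drivers:
                    self.k.zw_unload_driver(name)
            self.stalled.clear()
        return result

def demo(hook):
    # Two constructed drivers; an unload request for the infected one arrives mid-scan.
    k = Kernel({"disk.sys": (0x80010000, b"\x90" * 16),
                "netfilt.sys": (0x80020000, b"\x90" * 8 + SIGNATURE)})
    k.pending_unloads.append("netfilt.sys")
    return MemoryScanner(k).scan(hook=hook), k.unloaded
```

In both runs the stalled driver is eventually unloaded; only with the hook is it scanned while still mapped.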