Detecting user-mode rootkits
First Claim
1. A method in a computer system with a processor and a memory for determining whether a process being hidden is a root process of malware, a root process being a process of the malware whose access to system resources is not filtered by the malware, the method comprising:
- invoking by the computer system a high-level function of user mode to identify processes;
- invoking by the computer system a low-level function of kernel mode to identify processes;
- when a process is identified by the low-level function but not identified by the high-level function, indicating that the process is hidden;
- injecting code into code of the hidden process, the injected code for determining whether a resource is hidden from the hidden process;
- after injecting the code, launching execution of the hidden process;
- during execution of the injected code within the hidden process, determining whether a resource is hidden from the hidden process;
- upon determining that no resource is hidden from the hidden process, indicating that no resource is hidden; and
- when the injected code indicates that no resource is hidden, indicating that the hidden process is a root process.
Abstract
A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.
13 Claims
1. As set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computer-readable storage medium, where the medium is not a signal, containing instructions for controlling a computer system to perform a security function, by a method comprising:
- determining that an executable file executes as a root process of malware, a root process being a hidden process of the malware whose access to system resources is not filtered by the malware, by: injecting code into the hidden process, the injected code for determining whether a resource is hidden from the hidden process; launching the execution of the hidden process with the injected code; during execution of the injected code within the hidden process, determining whether a resource is hidden from the hidden process; and when it is determined that no resource is hidden from the hidden process, indicating that the hidden process is the root process;
- renaming a file based on a name of the executable file;
- launching the renamed file as a process so that the malware considers the renamed file to be a root process; and
- executing security code in a process related to the launched process.
Dependent claims: 10, 11, 12.
13. A computer-readable storage medium, where the medium is not a signal, containing instructions for controlling a computer system to determine whether a process is hidden, by a method comprising:
- invoking a high-level function of user mode to identify processes;
- invoking a low-level function of kernel mode to identify processes;
- comparing the processes identified by the high-level function and the low-level function;
- indicating that a process identified by the low-level function and not identified by the high-level function is hidden;
- re-invoking the high-level function and the low-level function to help confirm whether a process that was indicated as being hidden was not started after invoking the high-level function and before invoking the low-level function, and was not terminated after invoking the low-level function and before invoking the high-level function; and
- when the re-invoking indicates that a process is hidden, injecting code into the hidden process, the injected code for determining whether a resource is hidden from the hidden process; launching execution of the hidden process with the injected code; and when the injected code within the hidden process determines that no resource is hidden from the hidden process, indicating the hidden process is a root process.
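The detection logic of claims 1 and 13 reduces to a cross-view comparison: the kernel-level enumeration is the reference, anything it reports that the hooked user-mode enumeration omits is a hidden-process candidate, and a second round of enumeration removes candidates that were merely started or terminated between the two calls of the first round. The following is an added example, not code from the patent or its assignee; it works on constructed process-ID sets rather than calling any real enumeration API, and the "in-process view" dictionary is an assumed stand-in for what the injected code of claim 1 would observe from inside each hidden process.

```python
"""Cross-view hidden-process detection with re-enumeration confirmation
(claim 13) and the root-process test (claim 1), as an added example.
All process lists below are constructed sample data; nothing here
enumerates real processes or injects code."""

from typing import Dict, Iterable, List, Set, Tuple

# One enumeration round: (high-level user-mode view, low-level kernel view).
Snapshot = Tuple[Set[int], Set[int]]


def hidden_in_round(high_view: Iterable[int], low_view: Iterable[int]) -> Set[int]:
    """PIDs the low-level enumeration returns but the high-level one omits.
    On its own this is only a candidate list: a process that started between
    the two calls shows up here too."""
    return set(low_view) - set(high_view)


def confirm_hidden(rounds: List[Snapshot]) -> Set[int]:
    """Keep only PIDs that are missing from the high-level view in every
    round. A process started after the first high-level call appears in the
    next round's high-level view and drops out; a process that exited after
    the first low-level call appears in neither later view and drops out."""
    if not rounds:
        return set()
    confirmed = hidden_in_round(*rounds[0])
    for high_view, low_view in rounds[1:]:
        confirmed &= hidden_in_round(high_view, low_view)
    return confirmed


def root_processes(hidden: Set[int],
                   in_process_views: Dict[int, Set[int]],
                   low_view: Set[int]) -> Set[int]:
    """Model of the injected-code check: a hidden process whose own view of
    the process list equals the kernel view has nothing hidden from it, so it
    is the root process. A hidden process whose view is still filtered is a
    non-root member of the same malware."""
    return {pid for pid in hidden
            if pid in in_process_views and in_process_views[pid] == low_view}


# Constructed sample data. PID 777 is a legitimate process that started
# between the high-level and low-level calls of round 1; 666 and 667 are
# filtered out of the user-mode view in both rounds.
ROUND_1: Snapshot = ({4, 100, 200, 300}, {4, 100, 200, 300, 666, 667, 777})
ROUND_2: Snapshot = ({4, 100, 200, 300, 777}, {4, 100, 200, 300, 666, 667, 777})

# Constructed: what each hidden process sees when it enumerates processes.
IN_PROCESS_VIEWS: Dict[int, Set[int]] = {
    666: {4, 100, 200, 300, 666, 667, 777},  # unfiltered view: the root process
    667: {4, 100, 200, 300, 777},            # still filtered: a helper process
}


def demo() -> Tuple[Set[int], Set[int]]:
    """Run both stages on the sample rounds; returns (confirmed hidden, roots)."""
    hidden = confirm_hidden([ROUND_1, ROUND_2])
    roots = root_processes(hidden, IN_PROCESS_VIEWS, ROUND_2[1])
    return hidden, roots


if __name__ == "__main__":
    hidden, roots = demo()
    print("candidates after round 1:", sorted(hidden_in_round(*ROUND_1)))
    print("confirmed hidden:", sorted(hidden))
    print("root process(es):", sorted(roots))
```

The first round alone flags 777 as well as 666 and 667; the second round clears 777 because the user-mode enumeration now reports it, which is exactly the race the re-invocation step in claim 13 is meant to rule out. Of the two confirmed hidden processes, only 666 sees the full kernel view from the inside, so it is the one reported as the root process.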
Specification