Rootkit scanning system, method, and computer program product
Abstract
A rootkit scanning system, method, and computer program product are provided. In use, at least one hook is traversed. Further, code is identified based on the traversal of the at least one hook. In addition, the code is scanned for at least one rootkit.
13 Claims
1. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:
- traversing a chain of hooks, the chain of hooks including a plurality of hooks in which a succeeding hook is called by a previous hook in the chain, each hook having an associated calling address;
- identifying code, based on the traversal of the chain of hooks, by identifying that the calling address is associated with the code;
- determining that the chain of hooks is associated with at least one detour, which involves a redirection from an intended destination of a computer to a different location that points to the code;
- scanning the code identified by the traversing of the chain of hooks for at least one rootkit, which includes malicious code, wherein the scanning includes a comparison activity associated with a plurality of signatures associated with a plurality of rootkits;
- restoring the hook from pointing to the detour to pointing to the intended destination of the computer;
- determining whether the at least one detour is destined for at least one additional detour; and
- traversing the at least one additional detour, based on the determination.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A method, comprising:
- traversing a chain of hooks, the chain of hooks including a plurality of hooks in which a succeeding hook is called by a previous hook in the chain, each hook having an associated calling address;
- identifying code, based on the traversal of the chain of hooks, by identifying that the calling address is associated with the code;
- determining that the chain of hooks is associated with at least one detour, which involves a redirection from an intended destination of a computer to a different location that points to the code;
- scanning the code identified by the traversing of the chain of hooks for at least one rootkit, which includes malicious code, wherein the scanning includes a comparison activity associated with a plurality of signatures associated with a plurality of rootkits;
- restoring the hook from pointing to the detour to pointing to the intended destination of the computer;
- determining whether the at least one detour is destined for at least one additional detour; and
- traversing the at least one additional detour, based on the determination.
13. A system, comprising:
- a first module configured for:
  - traversing a chain of hooks, the chain of hooks including a plurality of hooks in which a succeeding hook is called by a previous hook in the chain, each hook having an associated calling address;
  - identifying code, based on the traversal of the chain of hooks, by identifying that the calling address is associated with the code; and
  - determining that the chain of hooks is associated with at least one detour, which involves a redirection from an intended destination of a computer to a different location that points to the code;
- a second module in communication with the first module, the second module configured for:
  - scanning the code identified by the traversing of the chain of hooks for at least one rootkit, which includes malicious code, wherein the scanning includes a comparison activity associated with a plurality of signatures associated with a plurality of rootkits;
  - restoring the hook from pointing to the detour to pointing to the intended destination of the computer;
  - determining whether the at least one detour is destined for at least one additional detour; and
  - traversing the at least one additional detour, based on the determination;
- wherein the first module and the second module are installed on a computer including a processor, and memory in communication via a bus.
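The traversal, scan and restore sequence that all three independent claims describe, as an added example that is not the patent's or any product's code: a constructed in-memory model (the `mem[]` image, the `HOOK_SLOT` and `INTENDED` addresses, the two signature patterns and the detour layout are all assumptions) in which the scanner follows a hook through chained detours, checks each detour body against a signature table, and finally restores the hook to its intended destination.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model, not the patent's code: mem[] is the image, a 4-byte slot is a hook
   holding a calling address, and a detour body is 0xE9 plus a 4-byte onward target. */
#define MEM_SIZE  256
#define HOOK_SLOT 0x00   /* address of the hook slot */
#define INTENDED  0x40   /* legitimate destination the hook should point to */
static uint8_t mem[MEM_SIZE];
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &mem[a], 4); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(&mem[a], &v, 4); }
/* Constructed signatures standing in for the claims' "plurality of signatures". */
typedef struct { const uint8_t *bytes; size_t len; } sig_t;
static const uint8_t SIG_A[] = { 0x60, 0x9C, 0xB8 }, SIG_B[] = { 0x0F, 0x01, 0xF8 };
static const sig_t SIGS[] = { { SIG_A, 3 }, { SIG_B, 3 } };
/* Index of the first signature found in mem[start, start+len), else -1. */
static int scan_region(uint32_t start, uint32_t len) {
    for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++)
        for (uint32_t i = start; i + SIGS[s].len <= start + len; i++)
            if (memcmp(&mem[i], SIGS[s].bytes, SIGS[s].len) == 0) return (int)s;
    return -1;
}

/* Walk the chain from the hook slot: every target that is not the intended destination is a
   detour whose code is scanned; a body starting with a jump leads to the next detour. The slot
   is then restored. Returns the number of signature hits; *detours_out gets detours traversed. */
static int scan_hook_chain(uint32_t slot, uint32_t intended, int *detours_out) {
    int hits = 0, detours = 0;
    uint32_t target = rd32(slot);
    for (int hop = 0; hop < 16 && target != intended; hop++) {   /* bounded: no cycle hang */
        if (target + 16 > MEM_SIZE) break;      /* points outside the modelled image */
        detours++; hits += scan_region(target, 16) >= 0;   /* signature match on this body */
        if (mem[target] != 0xE9) break;         /* this detour does not chain onward */
        target = rd32(target + 1);              /* follow to the next detour */
    }
    wr32(slot, intended);                       /* restore the hook to its destination */
    if (detours_out) *detours_out = detours;
    return hits;
}
/* Constructed image: hook -> detour 1 (0x80) -> detour 2 (0xC0) -> intended handler. */
static void build_constructed_image(void) {
    memset(mem, 0x90, sizeof mem);
    mem[0x80] = 0xE9; wr32(0x81, 0xC0);     memcpy(&mem[0x85], SIG_A, 3);
    mem[0xC0] = 0xE9; wr32(0xC1, INTENDED); memcpy(&mem[0xC5], SIG_B, 3);
    wr32(HOOK_SLOT, 0x80);
}
int main(void) {
    int d = 0, h;
    build_constructed_image(); h = scan_hook_chain(HOOK_SLOT, INTENDED, &d);
    printf("detours=%d hits=%d hook -> 0x%02X\n", d, h, (unsigned)rd32(HOOK_SLOT));
}
```

A second pass over the same slot after restoration traverses no detours, which is the check a scanner would use to confirm the restore took effect.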