Rootkit scanning system, method, and computer program product

US 8,370,941 B1
Filed: 05/06/2008
Issued: 02/05/2013
Est. Priority Date: 05/06/2008
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:

traversing a chain of hooks, the chain of hooks including a plurality of hooks in which a succeeding hook is called by a previous hook in the chain, each hook having an associated calling address;

identifying code, based on the traversal of the chain of hooks, by identifying that the calling address is associated with the code;

determining that the chain of hooks is associated with at least one detour, which involves a redirection from an intended destination of a computer to a different location that points to the code;

scanning the code identified by the traversing of the chain of hooks for at least one rootkit, which includes malicious code, wherein the scanning includes a comparison activity associated with a plurality of signatures associated with a plurality of rootkits;

restoring the hook from pointing to the detour to pointing to the intended destination of the computer;

determining whether the at least one detour is destined for at least one additional detour; and

traversing the at least one additional detour, based on the determination.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A rootkit scanning system, method, and computer program product are provided. In use, at least one hook is traversed. Further, code is identified based on the traversal of the at least one hook. In addition, the code is scanned for at least one rootkit.

Citations

13 Claims

1. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:
- traversing a chain of hooks, the chain of hooks including a plurality of hooks in which a succeeding hook is called by a previous hook in the chain, each hook having an associated calling address;
  
  identifying code, based on the traversal of the chain of hooks, by identifying that the calling address is associated with the code;
  
  determining that the chain of hooks is associated with at least one detour, which involves a redirection from an intended destination of a computer to a different location that points to the code;
  
  scanning the code identified by the traversing of the chain of hooks for at least one rootkit, which includes malicious code, wherein the scanning includes a comparison activity associated with a plurality of signatures associated with a plurality of rootkits;
  
  restoring the hook from pointing to the detour to pointing to the intended destination of the computer;
  
  determining whether the at least one detour is destined for at least one additional detour; and
  
  traversing the at least one additional detour, based on the determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer program product of claim 1, wherein the intended destination includes a kernel space or a user space.
  - 3. The computer program product of claim 1, wherein the identified code is identified by following code to which the at least one detour points.
  - 4. The computer program product of claim 1, wherein the traversing and the identifying occurs in kernel space or user space.
  - 5. The computer program product of claim 1, wherein the scanning occurs in kernel space or user space.
  - 6. The computer program product of claim 1, wherein the code includes one of driver code, dynamic link library code, a system service, a function, an application programming interface (API), a library, a process, a file on disk, and a registry.
  - 7. The computer program product of claim 1, wherein the code is in memory.
  - 8. The computer program product of claim 1, and further comprising computer code for reacting, based on the scanning.
  - 9. The computer program product of claim 8, wherein the reacting includes preventing the code from further executing.
  - 10. The computer program product of claim 8, wherein the reacting includes deleting the code.
  - 11. The computer program product of claim 10, wherein a file including the code is flagged for being deleted in response to a reboot event.

12. A method, comprising:
- traversing a chain of hooks, the chain of hooks including a plurality of hooks in which a succeeding hook is called by a previous hook in the chain, each hook having an associated calling address;
  
  identifying code, based on the traversal of the chain of hooks, by identifying that the calling address is associated with the code;
  
  determining that the chain of hooks is associated with at least one detour, which involves a redirection from an intended destination of a computer to a different location that points to the code;
  
  scanning the code identified by the traversing of the chain of hooks for at least one rootkit, which includes malicious code, wherein the scanning includes a comparison activity associated with a plurality of signatures associated with a plurality of rootkits;
  
  restoring the hook from pointing to the detour to pointing to the intended destination of the computer;
  
  determining whether the at least one detour is destined for at least one additional detour; and
  
  traversing the at least one additional detour, based on the determination.

13. A system, comprising:
- a first module configured for;
  
  traversing a chain of hooks, the chain of hooks including a plurality of hooks in which a succeeding hook is called by a previous hook in the chain, each hook having an associated calling address;
  
  identifying code, based on the traversal of the chain of hooks, by identifying that the calling address is associated with the code; and
  
  determining that the chain of hooks is associated with at least one detour, which involves a redirection from an intended destination of a computer to a different location that points to the code;
  
  a second module in communication with the first module, the second module configured for;
  
  scanning the code identified by the traversing of the chain of hooks for at least one rootkit, which includes malicious code, wherein the scanning includes a comparison activity associated with a plurality of signatures associated with a plurality of rootkits;
  
  restoring the hook from pointing to the detour to pointing to the intended destination of the computer;
  
  determining whether the at least one detour is destined for at least one additional detour; and
  
  traversing the at least one additional detour, based on the determination;
  
  wherein the first module and the second module are installed on a computer including a processor, and memory in communication via a bus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Kapoor, Aditya, Mathur, Rachit, Pham, Khai N., Ramachetty, Harinath V.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
HOLMES, ANGELA R

Application Number

US12/116,063
Time in Patent Office

1,736 Days
Field of Search

726 22- 26, 726/5, 714/38, 709/201, 709/224
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

Rootkit scanning system, method, and computer program product

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Rootkit scanning system, method, and computer program product

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links