System, method, and computer program product for determining whether a hook is associated with potentially unwanted activity

US 8,458,794 B1
Filed: 09/06/2007
Issued: 06/04/2013
Est. Priority Date: 09/06/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

identifying a hook in a data section or a code section of a computer, wherein identifying the hook further comprises comparing at least one of the data section to a previous version of the data section, and the code section to a previous version of the code section, and wherein when the hook is in the data section the previous version of the data section is identified by parsing sections in a binary file, and when the hook is in the code section the previous version of the code section is identified in a stored file image of the code section;

performing a first enumeration associated with the data section or the code section to identify an object associated the hook;

overwriting the object associated with the hook with an original version of the object from a clean source to produce a restored object;

performing a second enumeration of the restored object within the data section or the code section;

determining whether the hook is associated with a rootkit by comparing first resulting objects from the first enumeration to second resulting objects from the second enumeration and determining whether the hook functions to hide any of the first resulting objects or the second resulting objects based upon the comparison; and

reporting the hook as a rootkit if it is determined that the hook functions to hide any of the first resulting objects or the second resulting objects.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for determining whether a hook is associated with potentially unwanted activity. In use, a hook is identified in a data section or a code section. Additionally, a first enumeration of objects associated with the data section or the code section is performed, and a second enumeration of objects associated with the data section or the code section is performed. Further, results of the first enumeration and results of the second enumeration are compared for determining whether the hook is associated with potentially unwanted activity.

22 Citations

View as Search Results

16 Claims

1. A method, comprising:
- identifying a hook in a data section or a code section of a computer, wherein identifying the hook further comprises comparing at least one of the data section to a previous version of the data section, and the code section to a previous version of the code section, and wherein when the hook is in the data section the previous version of the data section is identified by parsing sections in a binary file, and when the hook is in the code section the previous version of the code section is identified in a stored file image of the code section;
  
  performing a first enumeration associated with the data section or the code section to identify an object associated the hook;
  
  overwriting the object associated with the hook with an original version of the object from a clean source to produce a restored object;
  
  performing a second enumeration of the restored object within the data section or the code section;
  
  determining whether the hook is associated with a rootkit by comparing first resulting objects from the first enumeration to second resulting objects from the second enumeration and determining whether the hook functions to hide any of the first resulting objects or the second resulting objects based upon the comparison; and
  
  reporting the hook as a rootkit if it is determined that the hook functions to hide any of the first resulting objects or the second resulting objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the hook includes a memory hook.
  - 3. The method of claim 1, wherein the hook is in the data section, and includes a modification to a function pointer in the data section.
  - 4. The method of claim 1, wherein the hook is in the code section, and includes a modification to a function in the code section.
  - 5. The method of claim 1, wherein the hook is in the data section, and the data section is included in application memory.
  - 6. The method of claim 1, wherein the hook is in the code section, and the code section is included in a kernel of an operating system.
  - 7. The method of claim 1, wherein the hook is identified by scanning at least one of the data section and the code section.
  - 8. The method of claim 1, wherein the hook is in the data section, and the previous version of the data section is identified by locating known function pointers located outside of a main module.
  - 9. The method of claim 1, wherein the first enumeration is affected by the hook.
  - 10. The method of claim 1, wherein the first enumeration is performed with the hook in the data section or the code section.
  - 11. The method of claim 1, wherein the second enumeration is performed with the hook removed from the data section or the code section.
  - 12. The method of claim 1, wherein the rootkit is identified if results of the first enumeration do not match results of the second enumeration.
  - 13. The method of claim 1, further comprising automatically repairing the data section or the code section.

14. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:
- identifying a hook in a data section or a code section of a computer, wherein identifying the hook further comprises comparing at least one of the data section to a previous version of the data section, and the code section to a previous version of the code section, and wherein when the hook is in the data section the previous version of the data section is identified by parsing sections in a binary file, and when the hook is in the code section the previous version of the code section is identified in a stored file image of the code section;
  
  performing a first enumeration associated with the data section or the code section to identify an object associated the hook;
  
  overwriting the object associated with the hook with an original version of the object from a clean source to produce a restored object;
  
  performing a second enumeration of the restored object within the data section or the code section;
  
  determining whether the hook is associated with a rootkit by comparing first resulting objects from the first enumeration to second resulting objects from the second enumeration and determining whether the hook functions to hide any of the first resulting objects or the second resulting objects based upon the comparison; and
  
  reporting the hook as a rootkit if it is determined that the hook functions to hide any of the first resulting objects or the second resulting objects.

15. A system, comprising:
- a processor, the system being configured for;
  
  identifying a hook in a data section or a code section of a computer, wherein identifying the hook further comprises comparing at least one of the data section to a previous version of the data section, and the code section to a previous version of the code section, and wherein when the hook is in the data section the previous version of the data section is identified by parsing sections in a binary file, and when the hook is in the code section the previous version of the code section is identified in a stored file image of the code section;
  
  performing a first enumeration associated with the data section or the code section to identify an object associated the hook;
  
  overwriting the object associated with the hook with an original version of the object from a clean source to produce a restored object;
  
  performing a second enumeration of the restored object within the data section or the code section;
  
  determining whether the hook is associated with a rootkit by comparing first resulting objects from the first enumeration to second resulting objects from the second enumeration and determining whether the hook functions to hide any of the first resulting objects or the second resulting objects based upon the comparison; and
  
  reporting the hook as a rootkit if it is determined that the hook functions to hide any of the first resulting objects or the second resulting objects.
- View Dependent Claims (16)
- - 16. The system of claim 15, wherein the processor is coupled to memory via a bus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said
Primary Examiner(s)
Hailu, Teshome

Application Number

US11/851,308
Time in Patent Office

2,098 Days
Field of Search

726/23, 726/24, 726/22, 726/25
US Class Current

726/23
CPC Class Codes

G06F 21/565 by checking file integrity

System, method, and computer program product for determining whether a hook is associated with potentially unwanted activity

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program product for determining whether a hook is associated with potentially unwanted activity

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links