System, method, and computer program product for determining whether a hook is associated with potentially unwanted activity
First Claim
1. A method, comprising:
- identifying a hook in a data section or a code section of a computer, wherein identifying the hook further comprises comparing at least one of the data section to a previous version of the data section, and the code section to a previous version of the code section, and wherein when the hook is in the data section the previous version of the data section is identified by parsing sections in a binary file, and when the hook is in the code section the previous version of the code section is identified in a stored file image of the code section;
- performing a first enumeration associated with the data section or the code section to identify an object associated with the hook;
- overwriting the object associated with the hook with an original version of the object from a clean source to produce a restored object;
- performing a second enumeration of the restored object within the data section or the code section;
- determining whether the hook is associated with a rootkit by comparing first resulting objects from the first enumeration to second resulting objects from the second enumeration and determining whether the hook functions to hide any of the first resulting objects or the second resulting objects based upon the comparison; and
- reporting the hook as a rootkit if it is determined that the hook functions to hide any of the first resulting objects or the second resulting objects.
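The claim describes a cross-view check: detect a hook by diffing a section against a known-good version, enumerate through the hooked path, restore the hooked object from a clean source, enumerate again, and treat any object that appears in one enumeration but not the other as evidence that the hook hides things. The following Python model is an added illustration of that procedure for the data-section case only; it is not code from the patent or its assignee. The dispatch table, the "clean source" copy, the process list and both hook variants are constructed stand-ins, and the names (`find_hooks`, `classify_hook`, `scan`) are this example's own.

```python
"""Cross-view hook classification modelled on the claimed method (added example).

Constructed model, not real kernel structures:
- a "data section" is a dispatch table: dict of service name -> handler function
- the "previous version" / "clean source" is a pristine copy of that table
- a hook is any table entry whose handler differs from the clean copy
- enumeration calls the table's "enumerate_processes" handler over an object store
"""
from typing import Callable, Dict, List, Set

# Constructed object store: the processes that actually exist on the sample host.
TRUE_PROCESSES: List[str] = ["init", "sshd", "bash", "hidden-agent"]

Table = Dict[str, Callable[[List[str]], List[str]]]


def clean_enumerate_processes(store: List[str]) -> List[str]:
    """Unhooked handler: reports every object in the store."""
    return list(store)


def build_clean_table() -> Table:
    """The clean source: a table as it would be read from the stored file image."""
    return {"enumerate_processes": clean_enumerate_processes}


def make_hiding_hook(original: Callable, hidden_name: str) -> Callable:
    """Constructed sample hook that filters one object out of the enumeration."""
    def hooked(store: List[str]) -> List[str]:
        return [p for p in original(store) if p != hidden_name]
    return hooked


def make_benign_hook(original: Callable) -> Callable:
    """Constructed sample hook that observes calls but hides nothing (e.g. a monitor)."""
    def hooked(store: List[str]) -> List[str]:
        return original(store)
    return hooked


def find_hooks(live_table: Table, clean_table: Table) -> List[str]:
    """Step 1: compare the live data section with its previous (clean) version."""
    return sorted(name for name, fn in live_table.items()
                  if fn is not clean_table.get(name))


def enumerate_objects(table: Table, store: List[str]) -> Set[str]:
    """Enumerate objects through whatever handler the table currently holds."""
    return set(table["enumerate_processes"](store))


def classify_hook(live_table: Table, clean_table: Table,
                  store: List[str], hooked_entry: str) -> dict:
    """Steps 2-6 for one hooked entry: enumerate, restore, enumerate, compare, report."""
    first = enumerate_objects(live_table, store)            # first enumeration (hooked)
    restored = dict(live_table)
    restored[hooked_entry] = clean_table[hooked_entry]      # overwrite from clean source
    second = enumerate_objects(restored, store)             # second enumeration (restored)
    # Objects present in one result set but not the other are the ones the hook hides.
    hidden = first ^ second
    return {"hook": hooked_entry, "hides": sorted(hidden), "rootkit": bool(hidden)}


def scan(live_table: Table, clean_table: Table, store: List[str]) -> List[dict]:
    """Run the full check over every hook found in the live table."""
    return [classify_hook(live_table, clean_table, store, h)
            for h in find_hooks(live_table, clean_table)]


def demo() -> dict:
    """Constructed scenarios: a hiding hook, a benign hook, and no hook at all."""
    clean = build_clean_table()

    hiding = dict(clean)
    hiding["enumerate_processes"] = make_hiding_hook(clean["enumerate_processes"], "hidden-agent")

    benign = dict(clean)
    benign["enumerate_processes"] = make_benign_hook(clean["enumerate_processes"])

    return {
        "hiding": scan(hiding, clean, TRUE_PROCESSES),
        "benign": scan(benign, clean, TRUE_PROCESSES),
        "unhooked": scan(dict(clean), clean, TRUE_PROCESSES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The benign case is why the second enumeration matters: a hook that merely differs from the clean copy is a finding, but only a difference between the two enumerations turns it into a rootkit report, which keeps legitimate monitoring shims from being flagged on the hook-present signal alone.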
10 Assignments
0 Petitions
Abstract
A system, method, and computer program product are provided for determining whether a hook is associated with potentially unwanted activity. In use, a hook is identified in a data section or a code section. Additionally, a first enumeration of objects associated with the data section or the code section is performed, and a second enumeration of objects associated with the data section or the code section is performed. Further, results of the first enumeration and results of the second enumeration are compared for determining whether the hook is associated with potentially unwanted activity.
22 Citations
16 Claims
1. A method, comprising: the steps set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
14. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:
- identifying a hook in a data section or a code section of a computer, wherein identifying the hook further comprises comparing at least one of the data section to a previous version of the data section, and the code section to a previous version of the code section, and wherein when the hook is in the data section the previous version of the data section is identified by parsing sections in a binary file, and when the hook is in the code section the previous version of the code section is identified in a stored file image of the code section;
- performing a first enumeration associated with the data section or the code section to identify an object associated with the hook;
- overwriting the object associated with the hook with an original version of the object from a clean source to produce a restored object;
- performing a second enumeration of the restored object within the data section or the code section;
- determining whether the hook is associated with a rootkit by comparing first resulting objects from the first enumeration to second resulting objects from the second enumeration and determining whether the hook functions to hide any of the first resulting objects or the second resulting objects based upon the comparison; and
- reporting the hook as a rootkit if it is determined that the hook functions to hide any of the first resulting objects or the second resulting objects.
15. A system, comprising:
- a processor, the system being configured for:
- identifying a hook in a data section or a code section of a computer, wherein identifying the hook further comprises comparing at least one of the data section to a previous version of the data section, and the code section to a previous version of the code section, and wherein when the hook is in the data section the previous version of the data section is identified by parsing sections in a binary file, and when the hook is in the code section the previous version of the code section is identified in a stored file image of the code section;
- performing a first enumeration associated with the data section or the code section to identify an object associated with the hook;
- overwriting the object associated with the hook with an original version of the object from a clean source to produce a restored object;
- performing a second enumeration of the restored object within the data section or the code section;
- determining whether the hook is associated with a rootkit by comparing first resulting objects from the first enumeration to second resulting objects from the second enumeration and determining whether the hook functions to hide any of the first resulting objects or the second resulting objects based upon the comparison; and
- reporting the hook as a rootkit if it is determined that the hook functions to hide any of the first resulting objects or the second resulting objects.
Dependent claims: 16.
Specification