Discovery of kernel rootkits with memory scan
Abstract
A system and method are provided for detecting kernel level rootkits including scanning a kernel memory using a kernel level detector. The kernel level detector includes kernel level code executing in kernel space. The kernel memory is compared to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.
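The abstract (and claims 1, 11 and 21 below) describe a detector that hooks the operating system's driver-loading path and, on each new driver install, scans kernel memory against a signature file. The following is an added example and not code from the patent: a plain user-space C simulation in which on_driver_load plays the hook, load_sigs/parse_sig read a small signature file, and scan_memory walks a memory image. The signature-file format (name=hex bytes, with ?? as a wildcard byte), the two signatures and the 64-byte "kernel" image are all constructed for this example and are assumptions, not material from the patent.

```c
/* Added example, not the patent's code: a driver-load hook that rescans a kernel-memory
 * image against a signature file, in plain user-space C. The file format ("name=hex
 * bytes", ?? = wildcard), both signatures and the 64-byte image are constructed here. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_SIGS 16
#define MAX_SIG_LEN 32
#define KMEM_LEN 64
struct sig {
    char name[32];
    uint8_t bytes[MAX_SIG_LEN], mask[MAX_SIG_LEN]; /* mask 0 = wildcard byte */
    size_t len;
};
static int hexval(int c) { return isxdigit(c) ? (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10) : -1; }

/* Parse one "name=48 b8 ?? ff e0" line of linelen bytes. Returns 0 on success. */
static int parse_sig(const char *line, size_t linelen, struct sig *s) {
    const char *eq = memchr(line, '=', linelen);
    if (!eq || (size_t)(eq - line) >= sizeof s->name) return -1;
    memcpy(s->name, line, (size_t)(eq - line));
    s->name[eq - line] = '\0';
    s->len = 0;
    for (size_t i = (size_t)(eq - line) + 1; i < linelen; ) {
        if (line[i] == ' ') { i++; continue; }
        if (i + 1 >= linelen || s->len >= MAX_SIG_LEN) return -1;
        int wild = line[i] == '?' && line[i + 1] == '?';
        int hi = hexval((unsigned char)line[i]), lo = hexval((unsigned char)line[i + 1]);
        if (!wild && (hi < 0 || lo < 0)) return -1;
        s->mask[s->len] = (uint8_t)!wild;
        s->bytes[s->len] = wild ? 0 : (uint8_t)((hi << 4) | lo);
        s->len++;
        i += 2;
    }
    return s->len ? 0 : -1;
}

/* Load a newline-separated signature file; '#' lines are comments. */
static size_t load_sigs(const char *text, struct sig *out, size_t max) {
    size_t n = 0;
    while (*text && n < max) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len > 0 && text[0] != '#' && parse_sig(text, len, &out[n]) == 0) n++;
        text += len + (nl ? 1 : 0);
    }
    return n;
}

/* Offset of the first match of s in mem, or -1 if the image is clean. */
static long scan_memory(const uint8_t *mem, size_t len, const struct sig *s) {
    for (size_t off = 0; s->len <= len && off + s->len <= len; off++) {
        size_t i = 0;
        while (i < s->len && (!s->mask[i] || mem[off + i] == s->bytes[i])) i++;
        if (i == s->len) return (long)off;
    }
    return -1;
}

/* Detector hook: the loader calls this on every new driver install; the whole
 * image is rescanned and hit[i] receives signature i's offset (or -1). */
static size_t on_driver_load(const char *driver, const uint8_t *kmem, size_t kmem_len,
                             const struct sig *sigs, size_t nsigs, long *hit) {
    size_t found = 0;
    for (size_t i = 0; i < nsigs; i++) {
        if ((hit[i] = scan_memory(kmem, kmem_len, &sigs[i])) < 0) continue;
        printf("driver %s: %s at kernel offset 0x%lx\n", driver, sigs[i].name, (unsigned long)hit[i]);
        found++;
    }
    return found;
}

/* Constructed signature file: an x86-64 "mov rax, imm64; jmp rax" inline-hook
 * stub with the immediate wildcarded, and the fixed marker string "ROOTKIT". */
static const char SIG_DB[] =
    "# name=hex bytes, ?? matches any byte\n"
    "demo_jmp_stub=48 b8 ?? ?? ?? ?? ?? ?? ?? ?? ff e0\n"
    "demo_marker=52 4f 4f 54 4b 49 54\n";

/* Constructed image: NOP sled, marker at offset 16, jmp stub at offset 40. */
static void build_kmem(uint8_t *m) {
    static const uint8_t stub[] = {0x48, 0xb8, 0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe, 0xff, 0xe0};
    memset(m, 0x90, KMEM_LEN);
    memcpy(m + 16, "ROOTKIT", 7);
    memcpy(m + 40, stub, sizeof stub);
}

/* One simulated install event; returns the named signature's offset, -1 if
 * clean, -2 if the name is not in the signature file. */
static long demo_hit_offset(const char *name) {
    struct sig sigs[MAX_SIGS]; long hit[MAX_SIGS]; uint8_t kmem[KMEM_LEN];
    size_t n = load_sigs(SIG_DB, sigs, MAX_SIGS);
    build_kmem(kmem);
    on_driver_load("evil.sys", kmem, KMEM_LEN, sigs, n, hit);
    for (size_t i = 0; i < n; i++) if (strcmp(sigs[i].name, name) == 0) return hit[i];
    return -2;
}

int main(void) {
    printf("stub at %ld, marker at %ld\n", demo_hit_offset("demo_jmp_stub"), demo_hit_offset("demo_marker"));
    return 0;
}
```

Two caveats a practitioner would attach to this design: the scan only fires on the events the detector is hooked into, so a rootkit that arrives by another route (a driver already present, a kernel exploit) is not seen until the next legitimate driver install; and a rootkit resident before the detector loads can interpose on the detector's own reads of kernel memory, which is why a signature scan is normally paired with an out-of-band check such as the cross-view comparison in claims 35 and 41 below.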
41 Claims

1. A method of detecting kernel level rootkits, comprising:
hooking a kernel level detector into loading procedures of an operating system of a processor;
in response to detecting a particular event comprising the installation of a new device driver by the operating system, using the kernel level detector to scan, with the processor, a kernel memory, the kernel level detector being located in a kernel space and including kernel level code that is stored and executed in the kernel space; and
comparing, with the processor, the kernel memory to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 31, 34

11. A system for detecting kernel level rootkits, comprising:
a non-transitory computer readable storage medium operable to store a rootkit signature file corresponding to a rootkit signature; and
a processor operable to hook a kernel level detector into loading procedures of an operating system of the processor and scan a kernel memory with the kernel level detector in response to detecting a particular event comprising installation of a new device driver by the operating system, the kernel level detector operable to compare the kernel memory to the rootkit signature file to determine if the rootkit signature is present in the kernel memory, the kernel level detector being located in a kernel space and including kernel level code that is stored and executed in the kernel space.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 32

21. A system for detecting kernel level rootkits, comprising:
a hardware microprocessor operable to hook a kernel level detector into loading procedures of an operating system of the hardware microprocessor and scan a kernel memory using the kernel level detector in response to detecting a particular event comprising an installation of a new device driver by the operating system, the kernel level detector being located in a kernel space and including kernel level code that is stored and executed in the kernel space; and
the hardware microprocessor further operable to compare the kernel memory to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30, 33

35. A method of detecting kernel level rootkits, comprising:
receiving a request from a user space process operating in a user space, the request requesting information from a kernel space process operating in a kernel space;
using a kernel level detector comprising a processor residing in the kernel space to independently compile a list of the information requested by the user space process;
comparing, by the kernel level detector comprising the processor, the independently compiled list with a list generated by a kernel level process; and
detecting one or more hidden processes on the independently compiled list that is not on the list generated by the kernel level process, the one or more hidden processes indicating a presence of a rootkit in the kernel level process.
Dependent claims: 36, 37, 38, 39, 40

41. A system for detecting kernel level rootkits, comprising:
a non-transitory computer readable storage medium operable to store executable code for detecting kernel level rootkits; and
a processor operable, when executing the executable code, to:
receive a request from a user space process operating in a user space, the request requesting information from a kernel space process operating in a kernel space;
use a kernel level detector comprising a processor residing in the kernel space to independently compile a list of the information requested by the user space process;
compare, by the kernel level detector comprising the processor, the independently compiled list with a list generated by a kernel level process; and
detect one or more hidden processes on the independently compiled list that is not on the list generated by the kernel level process, the one or more hidden processes indicating a presence of a rootkit in the kernel level process.
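Claims 35 and 41 describe cross-view detection: when user space asks for a process list, the detector compiles its own list independently and diffs it against the list the (possibly hooked) kernel path returns; any entry present only in the independent list is a hidden process. The following is an added example and not code from the patent: a plain user-space C simulation in which TASK_LIST stands in for the kernel's task list, hooked_list_processes plays the rootkit-patched handler that drops one PID from its answer, detector_list_processes is the detector's own walk, and find_hidden is the comparison. The task list, the hidden PID 1337 and the process names are constructed for this example.

```c
/* Added example, not the patent's code: cross-view detection of a hidden process,
 * in plain user-space C. The kernel task list, the hooked list handler and the
 * detector's independent walk are all simulated with constructed data. */
#include <stdio.h>
#include <stdlib.h>

struct task { int pid; const char *comm; };

/* Constructed stand-in for the kernel's task list. */
static const struct task TASK_LIST[] = {
    {1, "init"}, {412, "sshd"}, {977, "cron"}, {1337, "backdoor"}, {2048, "bash"},
};
#define NTASKS (sizeof TASK_LIST / sizeof TASK_LIST[0])
#define HIDDEN_PID 1337 /* the PID the simulated rootkit filters out */

/* The kernel process that answers a user-space "list processes" request, as
 * patched by a rootkit: every entry except HIDDEN_PID is reported. */
static size_t hooked_list_processes(int *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < NTASKS && n < max; i++)
        if (TASK_LIST[i].pid != HIDDEN_PID) out[n++] = TASK_LIST[i].pid;
    return n;
}

/* The detector's own walk of the task list, bypassing the hooked path. */
static size_t detector_list_processes(int *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < NTASKS && n < max; i++) out[n++] = TASK_LIST[i].pid;
    return n;
}

static int cmp_int(const void *a, const void *b) {
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* PIDs in the independent view that the reported view lacks. Both inputs are
 * sorted in place; returns the number of hidden PIDs written to hidden[]. */
static size_t find_hidden(int *indep, size_t ni, int *reported, size_t nr,
                          int *hidden, size_t max) {
    qsort(indep, ni, sizeof *indep, cmp_int);
    qsort(reported, nr, sizeof *reported, cmp_int);
    size_t i = 0, r = 0, h = 0;
    while (i < ni && h < max) {
        if (r < nr && reported[r] < indep[i]) r++;                /* reported-only entry: not a hidden process */
        else if (r < nr && reported[r] == indep[i]) { i++; r++; } /* present in both views */
        else hidden[h++] = indep[i++];                            /* missing from the reported answer */
    }
    return h;
}

/* Service one user-space request the way the detector would. */
static size_t demo_hidden(int *hidden, size_t max) {
    int indep[NTASKS], reported[NTASKS];
    size_t ni = detector_list_processes(indep, NTASKS);
    size_t nr = hooked_list_processes(reported, NTASKS);
    return find_hidden(indep, ni, reported, nr, hidden, max);
}

static size_t demo_hidden_count(void) { int h[NTASKS]; return demo_hidden(h, NTASKS); }
static int demo_hidden_pid(void) { int h[NTASKS]; return demo_hidden(h, NTASKS) ? h[0] : -1; }

/* Control: diffing the independent view against an unhooked answer finds nothing. */
static size_t demo_clean_count(void) {
    int a[NTASKS], b[NTASKS], h[NTASKS];
    size_t na = detector_list_processes(a, NTASKS), nb = detector_list_processes(b, NTASKS);
    return find_hidden(a, na, b, nb, h, NTASKS);
}

int main(void) {
    int hidden[NTASKS];
    size_t n = demo_hidden(hidden, NTASKS);
    for (size_t i = 0; i < n; i++) printf("hidden process: pid %d\n", hidden[i]);
    printf("%zu hidden process(es), %zu in the control run\n", n, demo_clean_count());
    return 0;
}
```

On a live system the two views are taken at slightly different moments, so a process that exits between them appears as a false positive; a detector should re-probe a suspect PID before reporting it. The independent list is also only as independent as its source: a rootkit that unlinks its own task from the kernel's list hides from any walk of that list, so the second view should be built from a different structure than the one the hooked handler reads.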