Detecting user-mode rootkits
1 Assignment
0 Petitions
Abstract
A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.
17 Claims
1. A method in a computer system with a processor and a memory for determining whether a process being hidden is a root process of malware, a root process being a process of the malware whose access to system resources is not filtered by the malware, the method comprising:
- determining whether a process that is executing code is hidden;
- after determining that the process is hidden, injecting code into malware code executed by the hidden process, the injected code for determining whether a resource is hidden from a process that is executing the malware code;
- after injecting the code, launching execution of the malware code as a process; and
- during execution of the injected code within the launched process, determining whether a resource is hidden from the launched process by generating a lie list and a truth list of resources and determining that no resource is hidden when the generated lie list and truth list are the same; and
- upon determining that no resource is hidden from the launched process, marking the hidden process as a root process.

Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-readable storage device containing computer-executable instructions for controlling a computing device to identify a root process of malware without rebooting the computing device by a method comprising:
- determining whether a process is hidden;
- after determining that a process is hidden, injecting code into code of the hidden process, the injected code for collecting information to determine whether a resource is hidden when the code executes as a process;
- launching execution of the code of the hidden process with the injected code; and
- during execution of the injected code, collecting information to determine whether a resource is hidden from the injected code by generating a lie list and a truth list of resources and determining that no resource is hidden when the generated lie list and truth list are the same; and
- after determining based on the collected information that no resource is hidden from the injected code, indicating that the hidden process is a root process so that a root process can be identified without having to reboot the computing device.

Dependent claims: 9, 10, 11, 12.
13. A computing device for identifying a root process of malware comprising:
- a memory storing an identification of a process that is hidden and storing computer-executable instructions of a component that, after the process is identified as a hidden process, injects code into code of the process;
- a component that launches a hidden process to execute the code along with the injected code; and
- a component that, during execution of the injected code of the hidden process, collects information to determine whether a resource is hidden from the hidden process, the collected information including a lie list and a truth list of resources wherein no resource is hidden when the lie list and truth list are the same; and
- a component that, after determining based on the collected information that no resource is hidden from the hidden process, marks that the hidden process is a root process; and
- a processor for executing the computer-executable instructions stored in the memory.

Dependent claims: 14, 15, 16, 17.
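The cross-view check from the abstract (truth list from an unfiltered low-level enumeration, lie list from the filtered high-level one) and the root-process test from the independent claims, modelled as an added example that is not the patent's own code. The process table, the rootkit's hook behaviour and the PIDs are all constructed; "injecting and launching" is simulated by running the comparison under the hidden process's identity.

```python
# Added example (not the patent's code): pure-Python model of the
# cross-view hidden-resource check and the root-process classification.
# Process table, rootkit behaviour and all PIDs below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    name: str


# Constructed process table: the kernel's unfiltered view ("truth").
PROCESS_TABLE = (
    Process(4, "System"),
    Process(612, "services.exe"),
    Process(1337, "scanner.exe"),   # the security system itself
    Process(4242, "ctl.exe"),       # rootkit root process (hides itself)
    Process(4243, "payload.exe"),   # second hidden component
)

# Constructed rootkit model: a user-mode hook that drops these PIDs from
# every enumeration except calls made by its own root process, whose
# access the malware does not filter (claim 1's definition of "root").
ROOTKIT = {"root_pid": 4242, "hidden_pids": frozenset({4242, 4243})}


def truth_list():
    """Low-level (kernel-mode) enumeration: not intercepted, so unfiltered."""
    return {p.pid for p in PROCESS_TABLE}


def lie_list(caller_pid):
    """High-level (user-mode) enumeration as filtered by the rootkit's hook."""
    if caller_pid == ROOTKIT["root_pid"]:
        return truth_list()                      # root process is never lied to
    return truth_list() - ROOTKIT["hidden_pids"]


def hidden_resources(caller_pid):
    """Abstract's test: in the truth list but not in the lie list => hidden."""
    return truth_list() - lie_list(caller_pid)


def is_root_process(hidden_pid):
    """Claim 1's test, simulated: run the injected comparison with the hidden
    process's identity; equal lists mean nothing is hidden from it => root."""
    return lie_list(hidden_pid) == truth_list()


def classify(scanner_pid=1337):
    """Full procedure: find hidden processes, then test each one for root."""
    return {pid: is_root_process(pid) for pid in sorted(hidden_resources(scanner_pid))}
```

Running `classify()` from the scanner's PID flags 4242 and 4243 as hidden, and only 4242 as the root process, since 4243 is still lied to by the hook.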
Specification