Detecting user-mode rootkits

US 8,661,541 B2
Filed: 01/03/2011
Issued: 02/25/2014
Est. Priority Date: 07/15/2005
Status: Active Grant

First Claim

Patent Images

1. A method in a computer system with a processor and a memory for determining whether a process being hidden is a root process of malware, a root process being a process of the malware whose access to system resources is not filtered by the malware, the method comprising:

determining whether a process that is executing code is hidden;

after determining that the process is hidden, injecting code into malware code executed by the hidden process, the injected code for determining whether a resource is hidden from a process that is executing the malware code;

after injecting the code,launching execution of the malware code as a process; and

during execution of the injected code within the launched process, determining whether a resource is hidden from the launched process by generating a lie list and a truth list of resources and determining that no resource is hidden when the generated lie list and truth list are the same; and

upon determining that no resource is hidden from the launched process, marking the hidden process as a root process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.

26 Citations

View as Search Results

17 Claims

1. A method in a computer system with a processor and a memory for determining whether a process being hidden is a root process of malware, a root process being a process of the malware whose access to system resources is not filtered by the malware, the method comprising:
- determining whether a process that is executing code is hidden;
  
  after determining that the process is hidden, injecting code into malware code executed by the hidden process, the injected code for determining whether a resource is hidden from a process that is executing the malware code;
  
  after injecting the code,launching execution of the malware code as a process; and
  
  during execution of the injected code within the launched process, determining whether a resource is hidden from the launched process by generating a lie list and a truth list of resources and determining that no resource is hidden when the generated lie list and truth list are the same; and
  
  upon determining that no resource is hidden from the launched process, marking the hidden process as a root process.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the resources are processes.
  - 3. The method of claim 1 wherein the resources are registry entries.
  - 4. The method of claim 1 wherein the lie list is generated by invoking a high-level function of an operating system and the truth list is generated by invoking a low-level function of the operating system.
  - 5. The method of claim 1 including upon determining that a resource is hidden from the launched process, indicating that the hidden process is not a root process.
  - 6. The method of claim 1 wherein the determining of whether a process is hidden includes generating a lie list of processes by invoking a high-level operating system function, generating a truth list of processes by invoking a low-level operating system function, and identifying process as being hidden when the process is in the truth list but not in the lie list.
  - 7. The method of claim 1 wherein a hidden process has an associated executable file with a name and after indicating that the hidden process is a root process, renaming another executable file to have the same name as the executable file associated with the hidden process so that malware will not hide resources from a process associated with the renamed executable code.

8. A computer-readable storage device containing computer-executable instructions for controlling a computing device to identify a root process of malware without rebooting the computing device by a method comprising:
- determining whether a process is hidden;
  
  after determining that a process is hidden,injecting code into code of the hidden process, the injected code for collecting information to determine whether a resource is hidden when the code executes as a process;
  
  launching execution of the code of the hidden process with the injected code; and
  
  during execution of the injected code, collecting information to determine whether a resource is hidden from the injected code by generating a lie list and a truth list of resources and determining that no resource is hidden when the generated lie list and truth list are the same; and
  
  after determining based on the collected information that no resource is hidden from the injected code, indicating that the hidden process is a root process so that a root process can be identified without having to reboot the computing device.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer-readable storage device of claim 8 wherein the lie list is generated by invoking a high-level function of an operating system and the truth list is generated by invoking a low-level function of the operating system.
  - 10. The computer-readable storage device of claim 8 including after determining that a resource is hidden from the injected code, indicating that the hidden process is not a root process.
  - 11. The computer-readable storage device of claim 8 where the determining of whether a process is hidden includes generating a lie list of processes by invoking a high-level operating system function, generating a truth list of processes by invoking a low-level operating system function, and identifying process as being hidden when the process is in the truth list but not in the lie list.
  - 12. The computer-readable storage device of claim 8 wherein a hidden process has an associated executable file with a name and after indicating that the hidden process is a root process, renaming another executable file to have the same name as the executable file associated with the hidden process so that malware will not hide resources from a process associated with the renamed executable code.

13. A computing device for identifying a root process of malware comprising:
- a memory storing an identification of a process that is hidden and storing computer-executable instructions ofa component that after the process is identified as a hidden process, injects code into code of the process;
  
  a component that launches a hidden process to execute the code along with the injected code; and
  
  a component that, during execution of the injected code of the hidden process, collects information to determine whether a resource is hidden from the hidden process, the collected information including a lie list and a truth list of resources wherein no resource is hidden when the lie list and truth list are the same; and
  
  a component that, after determining based on the collected information that no resource is hidden from the hidden process, marks that the hidden process is a root process; and
  
  a processor for executing the computer-executable instructions stored in the memory.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computing device of claim 13 wherein the lie list is generated by invoking a high-level function of an operating system and the truth list is generated by invoking a low-level function of the operating system.
  - 15. The computing device of claim 13 including a component that, after determining that a resource is hidden from the hidden process, indicates that the hidden process is not a root process.
  - 16. The computing device of claim 13 wherein including a component that determines whether a process is hidden by generating a lie list of processes by invoking a high-level operating system function, generates a truth list of processes by invoking a low-level operating system function, and identifies a process as being hidden when the process is in the truth list but not in the lie list.
  - 17. The computing device of claim 13 wherein a hidden process has an associated executable file with a name and a component that, after indicating that the hidden process is a root process, renames another executable file to have the same name as the executable file associated with the hidden process so that malware will not hide resources from a process associated with the renamed executable code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Beck, Douglas Reed, Wang, Yi-Min
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
Johnson, Carlton

Application Number

US12/983,849
Publication Number

US 20110099632A1
Time in Patent Office

1,149 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/145   the attack involving the pr...

Detecting user-mode rootkits

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting user-mode rootkits

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links