Detecting user-mode rootkits
Abstract
A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.
Claims (20)
1. A method in a computer system for determining whether resources are being hidden, the method comprising:
- invoking a high-level function of user mode to identify resources;
- invoking a low-level function of kernel mode to identify resources; and
- when a resource is identified by the low-level function but not identified by the high-level function, indicating that the resource is hidden.
(Dependent claims 2 through 12.)

13. A computer-readable medium containing instructions for controlling a computer system to perform a security function, by a method comprising:
- determining that an executable file executes as a root process;
- renaming a file based on a name of the executable file;
- launching the renamed file as a process; and
- executing security code in a process related to the launched process.
(Dependent claims 14 through 17.)

18. A computer-readable medium containing instructions for controlling a computer system to determine whether a process is hidden, by a method comprising:
- invoking a high-level function of user mode to identify processes;
- invoking a low-level function of kernel mode to identify processes;
- comparing the processes identified by the high-level function and the low-level function; and
- indicating that a process identified by the low-level function and not identified by the high-level function is hidden.
(Dependent claims 19 and 20.)
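The cross-view comparison described in the abstract and in claims 1 and 18, as an added Python example that is not part of the patent: both process listings are constructed sample snapshots (PIDs and image names are made up), and the repeated-sampling step is an assumption the patent does not describe, added because a single comparison also flags processes that simply exited between the two enumerations.

```python
# Added example (not from the patent): compare a user-mode process listing
# (the "high-level function") against a kernel-mode listing (the "low-level
# function") and report processes only the kernel view knows about.
# The snapshots below are constructed sample data; a real detector would
# fill them from a user-mode API and a kernel-mode enumeration respectively.
from collections import Counter

# Constructed snapshots, one per sampling round: {pid: image name}
HIGH_LEVEL_ROUNDS = [
    {4: "System", 612: "svchost.exe", 1440: "explorer.exe", 2100: "cmd.exe"},
    {4: "System", 612: "svchost.exe", 1440: "explorer.exe"},
    {4: "System", 612: "svchost.exe", 1440: "explorer.exe", 2311: "notepad.exe"},
]
LOW_LEVEL_ROUNDS = [
    {4: "System", 612: "svchost.exe", 1440: "explorer.exe", 2100: "cmd.exe",
     1337: "hidden.exe", 2105: "conhost.exe"},  # 2105 exited before the user-mode call
    {4: "System", 612: "svchost.exe", 1440: "explorer.exe", 1337: "hidden.exe"},
    {4: "System", 612: "svchost.exe", 1440: "explorer.exe", 2311: "notepad.exe",
     1337: "hidden.exe"},
]


def hidden_in_round(high, low):
    """Claim 1 taken literally: resources reported by the kernel-mode view
    that the user-mode view does not report."""
    return {pid: name for pid, name in low.items() if pid not in high}


def confirm_hidden(high_rounds, low_rounds, min_hits=2):
    """Assumed refinement: repeat the comparison over several rounds and flag
    only PIDs missing from the user-mode view in at least min_hits rounds.
    A process that exits between the two enumerations (conhost.exe above)
    differs in one round only and is dropped, so ordinary process churn does
    not raise an alert while a persistently filtered PID still does."""
    hits = Counter()
    names = {}
    for high, low in zip(high_rounds, low_rounds):
        for pid, name in hidden_in_round(high, low).items():
            hits[pid] += 1
            names[pid] = name
    return {pid: names[pid] for pid, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for pid, name in sorted(confirm_hidden(HIGH_LEVEL_ROUNDS, LOW_LEVEL_ROUNDS).items()):
        print(f"hidden process: pid={pid} image={name}")
```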