Detecting user-mode rootkits

US 20070022287A1
Filed: 07/15/2005
Published: 01/25/2007
Est. Priority Date: 07/15/2005
Status: Active Grant

First Claim

Patent Images

1. A method in a computer system for determining whether resources are being hidden, the method comprising:

invoking a high-level function of user mode to identify resources;

invoking a low-level function of kernel mode to identify resources; and

when a resource is identified by the low-level function but not identified by the high-level function, indicating that the resource is hidden.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.

95 Citations

View as Search Results

20 Claims

1. A method in a computer system for determining whether resources are being hidden, the method comprising:
- invoking a high-level function of user mode to identify resources;
  
  invoking a low-level function of kernel mode to identify resources; and
  
  when a resource is identified by the low-level function but not identified by the high-level function, indicating that the resource is hidden.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the resources are registry entries.
  - 3. The method of claim 2 including indicating that an executable file identified by a hidden registry entry is malware.
  - 4. The method of claim 1 wherein the resources are processes.
  - 5. The method of claim 4 including injecting code into a hidden process, the injected code for determining whether a resource is hidden, and when the injected code indicates that no resource is hidden, indicating that the process is a root process.
  - 6. The method of claim 4 including renaming a shell file to a name of an executable file of a root process and launching the renamed shell file as a process so that malware does not infect the process launched from the renamed shell file.
  - 7. The method of claim 6 including executing security code in a process related to the process launched from the renamed shell file.
  - 8. The method of claim 1 including updating a list of directories that may contain malware based on the hidden resources.
  - 9. The method of claim 8 wherein a hidden directory is added to the list.
  - 10. The method of claim 8 wherein a directory containing an executable file of a hidden process is added to the list.
  - 11. The method of claim 1 including when it is to be determined whether resources are hidden, downloading from a server code for invoking the high-level function and the low-level function.
  - 12. The method of claim 11 wherein the downloaded code is obfuscated to prevent its detection as performing a security function.

13. A computer-readable medium containing instructions for controlling a computer system to perform a security function, by a method comprising:
- determining that an executable file executes as a root process;
  
  renaming a file based on a name of the executable file;
  
  launching the renamed file as a process; and
  
  executing security code in a process related to the launched process.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer-readable medium of claim 13 wherein the determining includes identifying a hidden process by invoking a high-level function of user mode and a low-level function of kernel mode to identify processes wherein a hidden process is identified by the low-level function and is not identified by the high-level function.
  - 15. The computer-readable medium of claim 14 including injecting code into the hidden process, the injected code for determining whether a resource is hidden, and when the injected code indicates that no resource is hidden, indicating that the hidden process is a root process.
  - 16. The computer-readable medium of claim 13 wherein when it is to be determined whether a process is a root process, downloading from a server code for invoking the high-level function and the low-level function.
  - 17. The computer-readable medium of claim 16 wherein the downloaded code is obfuscated to prevent its detection as security code.

18. A computer-readable medium containing instructions for controlling a computer system to determine whether a process is hidden, by a method comprising:
- invoking a high-level function of user mode to identify processes;
  
  invoking a low-level function of kernel mode to identify processes;
  
  comparing the processes identified by the high-level function and the low-level function; and
  
  indicating that a process identified by the low-level function and not identified by the high-level function is hidden.
- View Dependent Claims (19, 20)
- - 19. The computer-readable medium of claim 18 including re-invoking the high-level function and the low-level function to help confirm whether a process that was indicated as being hidden was not started after invoking the high-level function and before invoking the low-level function and was not terminated after invoking the low-level function and before invoking the high-level function.
  - 20. The computer-readable medium of claim 18 including injecting code into a hidden process, the injected code for determining whether a resource is hidden, and when the injected code indicates that no resource is hidden, indicating that the hidden process is a root process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wang, Yi-Min, Beck, Douglas

Granted Patent

US 7,874,001 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/145   the attack involving the pr...

Detecting user-mode rootkits

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting user-mode rootkits

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links