Generic RootKit detector
First Claim
1. In a computer that includes a memory, a single operating system that loads a first version of a library into the memory to provide services to an application program, and a storage device that stores a second version of the library in a protected state, a method of determining whether malware is infecting the first version of the library, the method, which is implemented by the computer, comprising:
obtaining properties of the first version of the library that was loaded into memory to provide services to the application program;
obtaining properties of the second version of the library that is stored in a protected state on the storage device;
comparing the properties of the first version of the library with the properties of the second version of the library, wherein the properties of the first and the second versions of the library identify particular address locations in memory that are pointed to by the first and the second versions of the library, respectively, wherein comparing the properties of the first version of the library with the properties of the second version of the library includes comparing the value of a call address obtained from a component of the single operating system using data from the first version of a library with a value of the call address calculated from an offset value obtained from the second version of the library;
determining that the library is infected with malware when the properties of the first and second versions of the library point to different address locations in memory, or determining that the library is not infected with malware when the particular address locations pointed to by the properties of the first and second versions of the library are the same; and
wherein the library comprises executable code describing a set of routines accessible by an application program interface to be loaded into the memory to provide services to the application program upon an application program interface call;
wherein the method further includes using a virtual export table to associate routines in the library with call addresses that identify the respective memory locations of the routines and using an integrity module to calculate a call address of a routine from data in the second version of the library and to store a value of the call address in the virtual export table.
2 Assignments
0 Petitions
Abstract
A generic RootKit detector is disclosed that identifies when malware commonly known as a RootKit is resident on a computer. In one embodiment, the generic RootKit detector performs a method that compares the properties of different versions of a library used by the operating system to provide services to an application program. In this regard, when a library is loaded into memory, an aspect of the generic RootKit detector compares two versions of the library: a potentially infected version in memory and a second version stored in a protected state on a storage device. If certain properties of the first version of the library differ from those of the second version, a determination is made that a RootKit is infecting the computer.
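The comparison that claim 1 and the abstract describe, as an added worked example in Python (this is not code from the patent or its assignee): the protected on-disk copy of the library supplies only offsets (in a PE file, the export directory's RVAs), the integrity module adds the load base to obtain the expected call address of each routine and records it in a virtual export table, and the loaded copy's addresses are whatever the operating system reports for the same routines. On Windows the live addresses would come from GetModuleHandle/GetProcAddress and the offsets from a PE parser over the file on disk; both sides are modelled here with constructed data. The simplified export-directory layout, the routine names, the offsets, the image base and the rootkit stub address are all assumptions for the example, not real ntdll values.

```python
"""Address-comparison rootkit check modelled on the claimed method.

Added example, not the patent's code. Two versions of one library are compared:
  * the protected on-disk copy, modelled by a constructed PE-style export
    directory that stores only RVA offsets (not absolute addresses);
  * the loaded copy, modelled by the call addresses the OS loader reports
    (what GetProcAddress would return on Windows).
The integrity module turns offsets into expected call addresses (offset plus
load base), stores them in a virtual export table, and flags every routine
whose live address differs.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Assumed load base of the library in the inspected process (constructed value).
IMAGE_BASE = 0x7FF8_1234_0000

# Constructed export list: routine name and RVA offset in the on-disk copy.
# Names are illustrative; the offsets are not real ntdll values.
SAMPLE_EXPORTS: List[Tuple[str, int]] = [
    ("NtCreateFile", 0x9BD30),
    ("NtQueryDirectoryFile", 0x9C200),
    ("NtQuerySystemInformation", 0x9C5A0),
]

# Constructed address of a hook stub inside a rootkit module, outside the image.
ROOTKIT_STUB = 0x7FF8_0042_1000


def build_export_directory(exports: List[Tuple[str, int]]) -> bytes:
    """Build a simplified export directory standing in for the protected on-disk copy.

    Layout (little-endian 32-bit fields, constructed for this example, not the
    real PE IMAGE_EXPORT_DIRECTORY):
        count | rva[count] | name_offset[count] | NUL-terminated names
    """
    count = len(exports)
    header_size = 4 + 8 * count
    names_blob = b""
    name_offsets = []
    for name, _rva in exports:
        name_offsets.append(header_size + len(names_blob))
        names_blob += name.encode("ascii") + b"\0"
    out = struct.pack("<I", count)
    out += b"".join(struct.pack("<I", rva) for _name, rva in exports)
    out += b"".join(struct.pack("<I", off) for off in name_offsets)
    return out + names_blob


def parse_export_directory(blob: bytes) -> Dict[str, int]:
    """Integrity-module step 1: read routine names and RVA offsets from the
    protected copy, trusting nothing that lives in the running process."""
    (count,) = struct.unpack_from("<I", blob, 0)
    rvas = struct.unpack_from(f"<{count}I", blob, 4)
    name_offsets = struct.unpack_from(f"<{count}I", blob, 4 + 4 * count)
    table: Dict[str, int] = {}
    for rva, off in zip(rvas, name_offsets):
        end = blob.index(b"\0", off)
        table[blob[off:end].decode("ascii")] = rva
    return table


def build_virtual_export_table(disk_blob: bytes, image_base: int) -> Dict[str, int]:
    """Integrity-module step 2: calculate the expected call address of each
    routine (offset from the on-disk copy plus load base) and store it in the
    virtual export table."""
    return {name: image_base + rva
            for name, rva in parse_export_directory(disk_blob).items()}


def detect_hooked_routines(
    virtual_table: Dict[str, int],
    live_addresses: Dict[str, Optional[int]],
) -> List[Tuple[str, int, Optional[int]]]:
    """Compare expected addresses with those the OS reports for the loaded copy.

    Returns (routine, expected, actual) for every mismatch; an empty list means
    all call addresses agree and the library is judged not infected.
    """
    hooked = []
    for name, expected in virtual_table.items():
        actual = live_addresses.get(name)
        if actual != expected:  # a missing export (None) also counts as a mismatch
            hooked.append((name, expected, actual))
    return hooked


# Constructed view of the loaded copy: what the loader reports for each routine.
# One entry has been redirected to the rootkit stub, as an export-table hook does.
LIVE_ADDRESSES: Dict[str, Optional[int]] = {
    "NtCreateFile": IMAGE_BASE + 0x9BD30,
    "NtQueryDirectoryFile": ROOTKIT_STUB,
    "NtQuerySystemInformation": IMAGE_BASE + 0x9C5A0,
}
DISK_IMAGE = build_export_directory(SAMPLE_EXPORTS)


def run_check() -> List[Tuple[str, int, Optional[int]]]:
    """Run the whole method over the constructed data."""
    virtual_table = build_virtual_export_table(DISK_IMAGE, IMAGE_BASE)
    return detect_hooked_routines(virtual_table, LIVE_ADDRESSES)


if __name__ == "__main__":
    for name, expected, actual in run_check():
        shown = "missing" if actual is None else f"{actual:#x}"
        print(f"hooked: {name} expected {expected:#x} got {shown}")
```

A mismatch means the address the loader hands out no longer points where the protected image says the routine lives, which is what an export-table hook or a redirected entry looks like. The comparison is by address only: a rootkit that patches instructions inside the routine body (an inline hook) leaves the call address intact and is not caught by this check, so a practitioner would pair it with a byte-level comparison of the routine's first instructions against the on-disk copy.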
41 Citations
21 Claims
1. (Independent claim 1 is reproduced in full above under First Claim.)
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A computer-readable storage medium storing computer-executable instructions which, when executed in a computer that includes a single operating system configured to copy a library into a memory address space available to an application program, carries out a method for determining whether a routine in the library that satisfies an Application Program Interface call is infected with malware, the method comprising:
obtaining properties of the first version of the library that was loaded into memory to provide services to the application program;
obtaining properties of the second version of the library that is stored in a protected state on the storage device;
comparing the properties of the first version of the library with the properties of the second version of the library, wherein the properties of the first and the second versions of the library identify particular address locations in memory that are pointed to by the first and the second versions of the library, respectively, wherein comparing the properties of the first version of the library with the properties of the second version of the library includes comparing the value of a call address obtained from a component of the single operating system using data from the first version of a library with a value of the call address calculated from an offset value obtained from the second version of the library;
determining that the library is infected with malware when the properties of the first and second versions of the library point to different address locations in memory, or determining that the library is not infected with malware when the particular address locations pointed to by the properties of the first and second versions of the library are the same; and
wherein the library comprises executable code describing a set of routines accessible by an application program interface to be loaded into the memory to provide services to the application program upon an application program interface call;
wherein the method further includes using a virtual export table to associate routines in the library with call addresses that identify the respective memory locations of the routines and using an integrity module to calculate a call address of a routine from data in the second version of the library and to store a value of the call address in the virtual export table.
View Dependent Claims (12, 13, 14, 15)
16. A software system, the software system being performed in a computing environment comprising a processor, a memory, and a storage device, for determining whether a computer is infected with a RootKit, the software system comprising:
a processor; and
memory storing computer-executable instructions which, when executed by the processor, implement a method comprising:
obtaining properties of the first version of the library that was loaded into memory to provide services to the application program;
obtaining properties of the second version of the library that is stored in a protected state on the storage device;
comparing the properties of the first version of the library with the properties of the second version of the library, wherein the properties of the first and the second versions of the library identify particular address locations in memory that are pointed to by the first and the second versions of the library, respectively;
determining that the library is infected with malware when the properties of the first and second versions of the library point to different address locations in memory, or determining that the library is not infected with malware when the particular address locations pointed to by the properties of the first and second versions of the library are the same; and
wherein the library comprises executable code describing a set of routines accessible by an application program interface to be loaded into the memory to provide services to the application program upon an application program interface call, wherein the system further comprises:
a virtual export table operative to associate a routine in the library with a call address that identifies the memory location of the routine; and
an integrity module that is configured to calculate a call address of a routine from data in the second version of the library and to store a value of the call address in the virtual export table.
View Dependent Claims (17, 18, 19, 20, 21)