Method and apparatus to detect kernel mode rootkit events through virtualization traps
Abstract
Detecting a rootkit in a computing system may be achieved by detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and analyzing the virtualization trap to detect the presence of the rootkit in the computing system. Action may then be taken to block the rootkit activity to safeguard the computing system.
Claims (27)

1. A method comprising:
- detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and
- analyzing the virtualization trap to detect the presence of the rootkit in the computing system, wherein the virtual machine monitor is to execute at a higher privilege level, in cooperation with a separate partition, than the rootkit to prevent the rootkit from hiding by executing at a same privilege level as the virtual machine monitor.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. An article comprising:
- a storage device to store instructions, which when executed by a processor, result in detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and analyzing the virtualization trap to detect the presence of the rootkit in the computing system, wherein the virtual machine monitor is to execute at a higher privilege level, in cooperation with a separate partition, than the rootkit to prevent the rootkit from hiding by executing at a same privilege level as the virtual machine monitor.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.

21. A computing system comprising:
- a virtual machine monitor adapted to detect a virtualization trap occurring as a result of an action by a rootkit, to receive a registration for notification of occurrence of selected virtualization traps, and to send information relating to the virtualization trap when the virtualization trap matches the registration; and
- an anti-rootkit security monitor adapted to register to be notified of the occurrence of selected virtualization traps, to receive the trap information, and to analyze the trap information to detect the presence of the rootkit in the computing system, wherein the virtual machine monitor is to execute at a higher privilege level, in cooperation with a separate partition, than the rootkit to prevent the rootkit from hiding by executing at a same privilege level as the anti-rootkit security monitor.

Dependent claims: 22, 23, 24, 25, 26, 27.
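The registration, notification and analysis flow of claim 21 can be modelled in a few dozen lines. The following is an added illustration, not code from the patent or from any assignee's product: a toy virtual machine monitor receives every trap, forwards only the kinds an anti-rootkit monitor (standing in for the "separate partition") has registered for, and the monitor returns a verdict that the VMM uses to allow or block the guest's action. The trap kinds, the register identifiers (LSTAR MSR number, CR0.WP bit), the baseline value and the three sample traps are constructed for this example; a real VMM would derive trap kinds from hardware exit reasons and take the baseline from a measured boot image.

```python
"""Toy model of the VMM / anti-rootkit monitor registration flow (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Trap kinds are constructed names for this example; a real VMM would map
# them from hardware exit reasons such as MSR writes or control-register writes.
MSR_WRITE = "msr_write"
CR_WRITE = "cr_write"

# Register identifiers and a constructed "known-good" baseline for the sample guest.
MSR_LSTAR = 0xC0000082               # x86-64 syscall entry point MSR
CR0_WP = 1 << 16                     # write-protect bit in CR0
BASELINE_LSTAR = 0xFFFFFFFF81000000  # constructed known-good syscall entry address


@dataclass(frozen=True)
class Trap:
    kind: str
    target: int      # MSR number or control-register index
    old_value: int
    new_value: int
    guest_rip: int   # guest instruction pointer at the time of the exit


@dataclass
class Verdict:
    suspicious: bool
    reason: str = ""
    block: bool = False


class VirtualMachineMonitor:
    """Runs below the guest: sees every trap, forwards only registered kinds."""

    def __init__(self) -> None:
        self._registrations: Dict[str, List[Callable[[Trap], Verdict]]] = {}
        self.log: List[str] = []

    def register(self, kind: str, handler: Callable[[Trap], Verdict]) -> None:
        """Record that 'handler' wants notification of traps of this kind."""
        self._registrations.setdefault(kind, []).append(handler)

    def on_trap(self, trap: Trap) -> bool:
        """Dispatch a trap to matching registrations; True means allow the action."""
        allow = True
        for handler in self._registrations.get(trap.kind, []):
            verdict = handler(trap)
            if verdict.suspicious:
                self.log.append(f"{trap.kind}: {verdict.reason} (rip={trap.guest_rip:#x})")
            if verdict.block:
                allow = False
        return allow


class AntiRootkitMonitor:
    """Stand-in for the separate partition: registers for selected traps only."""

    def __init__(self, vmm: VirtualMachineMonitor) -> None:
        self.baseline_lstar = BASELINE_LSTAR
        vmm.register(MSR_WRITE, self.analyze_msr_write)
        vmm.register(CR_WRITE, self.analyze_cr_write)

    def analyze_msr_write(self, trap: Trap) -> Verdict:
        # A syscall entry point that moves away from the measured baseline is
        # the classic symptom of a kernel-mode hook.
        if trap.target == MSR_LSTAR and trap.new_value != self.baseline_lstar:
            return Verdict(True, "syscall entry point (LSTAR) redirected", block=True)
        return Verdict(False)

    def analyze_cr_write(self, trap: Trap) -> Verdict:
        # Clearing CR0.WP lets ring-0 code overwrite read-only kernel pages.
        if trap.target == 0 and (trap.old_value & CR0_WP) and not (trap.new_value & CR0_WP):
            return Verdict(True, "CR0.WP cleared: kernel write protection disabled", block=True)
        return Verdict(False)


def run_sample() -> Tuple[List[bool], List[str]]:
    """Feed three constructed traps through the VMM; return decisions and log."""
    vmm = VirtualMachineMonitor()
    AntiRootkitMonitor(vmm)
    traps = [
        # benign: LSTAR rewritten with the same baseline value
        Trap(MSR_WRITE, MSR_LSTAR, BASELINE_LSTAR, BASELINE_LSTAR, 0xFFFFFFFF81001000),
        # suspicious: CR0 write that clears bit 16 (WP)
        Trap(CR_WRITE, 0, 0x80050033, 0x80040033, 0xFFFFFFFFC0000100),
        # suspicious: LSTAR redirected to a constructed module address
        Trap(MSR_WRITE, MSR_LSTAR, BASELINE_LSTAR, 0xFFFFFFFFC0000200, 0xFFFFFFFFC0000180),
    ]
    decisions = [vmm.on_trap(t) for t in traps]
    return decisions, vmm.log


if __name__ == "__main__":
    allowed, log = run_sample()
    print("allowed:", allowed)
    print("\n".join(log))
```

The split between `VirtualMachineMonitor` and `AntiRootkitMonitor` mirrors the claim's privilege argument: only the VMM sees raw traps, the analyzer cannot be reached from the guest, and the guest's write completes only when every registered handler returns a non-blocking verdict.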
Specification