Title of invention: Detecting Rootkits using a malware scanner
Abstract: A method of detecting malware such as Rootkits within program code using a malware scanner comprises providing a first version of information relating to the program code to the scanner, causing a second version of the same information to be provided to the malware scanner by injecting code into a third party process, the third party process not being directly identifiable to malware as being associated with a malware scanner, and at the malware scanner, comparing the first and second versions of the information and identifying any differences that are indicative of the presence of malware. The injected code may be executable to collect the required information (fig. 1) or may be a launcher for a process that is executable to collect the required information (fig. 2). The third party process may be Windows (RTM) Explorer, Registry Editor, Task Manager or Command Prompt. The invention is able to detect Rootkits that have been developed to avoid detection by the "cross-view-diff" mechanism.
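Publication number: GB2427716(A)  Publication date: 2007.01.03
Application number: GB20050013254  Application date: 2005.06.30
Applicant: F-SECURE OYJ  Inventors: MIKA STAHLBERG; KIMMO KASSLIN; SAMULI LARVALA; ANTTI TIKKANEN
Classification: G06F1/00; G06F21/56  Main classification: G06F1/00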
Agency:  Agent:
Main claim:
Address: