Title of invention: Atomic detection and repair of kernel memory
Abstract: A method for detecting memory modifications includes allocating a contiguous block of a memory of an electronic device, and loading instructions for detecting memory modifications into the contiguous block of memory. The electronic device includes a plurality of processing entities. The method also includes disabling all but one of a plurality of processing entities of the electronic device, scanning the memory of the electronic device for modifications performed by malware, and, if a memory modification is detected, repairing the memory modification. The method also includes enabling the processing entities that were disabled. The remaining processing entity executes the instructions for detecting memory modifications.
Publication number: US9536089(B2) Publication date: 2017.01.03
Application number: US201012874700 Application date: 2010.09.02
Applicant: McAfee, Inc. Inventor: Sallam Ahmed Said
Classification: G06F21/56;H04L29/06 Main classification: G06F21/56
Agency: Baker Botts L.L.P. Agent: Baker Botts L.L.P.
Principal claim: 1. A method for detecting memory modifications, comprising: allocating a contiguous block of a memory of an electronic device, the electronic device comprising a plurality of processing cores; loading instructions for detecting memory modifications into the contiguous block of memory, the entirety of the instructions loaded within the contiguous block; disabling the operation of an operating system of the electronic device by disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts; disabling all but one of the plurality of processing cores of the electronic device, the remaining processing core executing the instructions, as resident within the contiguous block, for detecting memory modifications; scanning the memory of the electronic device for modifications performed by malware, after disabling all but one of the plurality of processing cores and disabling one or more of system interrupts, user interrupts, or scheduler timer interrupts; repairing a memory modification detected during scanning the memory of the electronic device for modifications performed by malware; enabling the one or more of system interrupts, user interrupts, or scheduler timer interrupts that were disabled, after repairing the memory modification; and enabling the processing cores that were disabled, after repairing the memory modification.
Address: Santa Clara CA US