| 发明名称 | Method of detecting malware in an operating system kernel | ||
| 摘要 | The present invention relates to means for detecting malware. The method is realized on a computer with an operating system (OS) installed thereon, and comprises a step in which a point of interrupt is established when a system call is made by a user application requesting the transfer of control via an address in the kernel of the loaded OS. Next, the data structure of the loaded OS is checked. As this check is carried out, the address of the command in the random-access memory of the computer, by means of which command control will be transferred during the system call, is determined and the addresses of the commands to be executed during the system call are checked to see if they belong to the normal range of addresses of the OS kernel and OS kernel modules in the random-access memory. The presence of malware is then detected in the event that a command address does not belong to the normal range of addresses. The proposed method includes a dynamic check of the execution of the OS kernel code in order to detect the illegal interception and alteration of the code in the kernel and in the kernel modules (drivers) that are to be loaded. The proposed method enables the detection of both known and previously unregistered malware in an OS kernel and in OS kernel modules that are to be loaded. | ||
| 申请公布号 | US9177149(B2) | 申请公布日期 | 2015.11.03 |
| 申请号 | US201314391763 | 申请日期 | 2013.03.27 |
| 申请人 | Joint Stock Company “InfoTeCS” | 发明人 | Olshanov Konstantin Dmitrievich;Tumoyan Evgeny Petrovich;Cherementsev Sergei Nikolaevich |
| 分类号 | G06F11/00;G06F21/56;G06F21/55 | 主分类号 | G06F11/00 |
| 代理机构 | Honigman Miller Schwartz and Cohn LLP | 代理人 | Honigman Miller Schwartz and Cohn LLP |
| 主权项 | 1. A method of detecting malware in a kernel of an operating system installed on a computer, the method comprising the steps of: setting a break point when a user application makes a system call requesting to transfer control to an address in the kernel of the loaded operating system; checking a data structure of the loaded operating system by performing the following steps: determining an address of a command, to which the control will be transferred during the system call, in a random-access memory of the computer, andchecking whether addresses of commands to be executed during the system call belong to a normal range of addresses of the operating system kernel and kernel modules in the random-access memory; and identifying presence of malware if a command address does not belong to the normal range of addresses. | ||
| 地址 | Moscow RU | ||