Title System and method for below-operating system trapping of driver loading and unloading
Abstract A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of one or more resources of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the one or more resources. The attempted access includes an attempted loading or unloading of a driver in the operating system.
Publication number US8966629(B2) Publication date 2015.02.24
Application number US201113076512 Filing date 2011.03.31
Applicant McAfee, Inc. Inventor Sallam Ahmed Said
Classification G06F21/00;G06F21/56 Main classification G06F21/00
Agency Baker Botts L.L.P. Agent Baker Botts L.L.P.
Main claim 1. A system for protecting an electronic device against malware, comprising:
a hardware processor;
a memory communicatively coupled to the processor;
an operating system to load and unload a driver in the operating system;
a trapping agent comprising instructions in the memory for execution by the processor and configured to trap an attempted access of one or more resources of the operating system, the attempted access comprising an attempted loading or unloading of the driver in the operating system, wherein the attempted access is trapped by trapping the execution of a memory page containing code for a system function for loading or unloading the driver; and
a triggered-event handler comprising instructions in the memory for execution by the processor;
wherein:
the trapping agent is further to send information about the trapped attempt, including the loading or unloading of the driver, to the triggered-event handler;
the triggered-event handler is to: access one or more security rules based on the information; evaluate the attempted loading or unloading of the driver in view of the security rules; and send an evaluation to the trapping agent; and
the trapping agent is further configured to: take corrective action when the evaluation includes that the attempted loading or unloading of the driver is indicative of malware; and allow the attempted loading or unloading of the driver when the evaluation includes that the attempted loading or unloading of the driver is safe; and
the trapping agent and the triggered-event handler are further to operate at a level below all operating systems of the electronic device accessing the one or more resources, including running on a processor of the system without use of an operating system.
Address Santa Clara CA US