Abstract
PURPOSE: A device and method for preventing malware hooking are provided to prevent hooking caused by malware and to recover a hooked function of an OS (Operating System) based on an extracted original execution command.

CONSTITUTION: A branch confirming unit (211) activates the branch tracing function of a CPU to confirm the address of a branch execution command in functions of an OS, and to confirm the address of a return execution command, located in the hooking function reached through the branch execution command, that returns to the functions of the OS. A determining unit (212) compares the factor value last stored in the stack related to the hooking function with the factor value designated when the functions of the OS are called. If the factor values are the same, an extracting unit (213) extracts the original execution command for the functions of the OS from the hooking function, based on the addresses of the branch and return execution commands.

[Reference numerals] (211) Branch confirming unit; (212) Determining unit; (213) Extracting unit; (214) Restoring unit; (215) Execution command confirming unit; (216) Address calling unit; (217) First calculation unit; (218) Second calculation unit; (219) Execution command extracting unit