Abstract

A system and method for detecting malicious kernel-mode behavior are provided, which change the address of a dispatcher function corresponding to the actual operation of a kernel mode driver into an address value corresponding to virtual execution. A kernel mode object control module (200) determines the in-memory address of a dispatcher function, which is calculated when an arbitrary kernel mode driver is actually run, based on object information about that kernel mode driver. If the determined actual address of the dispatcher function differs from the address returned by a kernel mode virtual execution module (100), the kernel mode object control module changes the address of the dispatcher function to the returned address.