Invention Grant
US08281393B2 Method and system for detecting windows rootkit that modifies the kernel mode system service dispatch table
In force
- Patent Title: Method and system for detecting windows rootkit that modifies the kernel mode system service dispatch table
- Application No.: US11594095
- Application Date: 2006-11-08
- Publication No.: US08281393B2
- Publication Date: 2012-10-02
- Inventor: Ahmed Sallam
- Applicant: Ahmed Sallam
- Applicant Address: US CA Santa Clara
- Assignee: McAfee, Inc.
- Current Assignee: McAfee, Inc.
- Current Assignee Address: US CA Santa Clara
- Agency: Patent Capital Group
- Main IPC: G06F21/00
- IPC: G06F21/00

Abstract:
A method, system, and computer program product for detecting a kernel-mode rootkit that hooks the System Service Dispatch Table (SSDT) is secure, avoids false positives, and does not disable security applications. A method for detecting a rootkit comprises the steps of calling a function that accesses a system service directly, receiving results from calling the function that accesses the system service directly, calling a function that accesses the system service indirectly, receiving results from calling the function that accesses the system service indirectly, and comparing the received results from calling the function that accesses the system service directly and the received results from calling the function that accesses the system service indirectly to determine presence of a rootkit.
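The detection the abstract describes is a cross-view comparison: the same service is reached along two paths, one that passes through the SSDT (which a rootkit can hook) and one that does not, and any difference between the two result sets is the signal. The following is an added example written for this page, not code from the patent or from McAfee, and it runs as a plain user-mode C program: the "dispatch table" is an array of function pointers standing in for the SSDT, the "rootkit" is a function that overwrites one entry and drops a PID from the results, and all process IDs are constructed sample data. Reading "directly" as "through the dispatch table" and "indirectly" as "via the original service address saved before the hook" is an interpretation of the abstract's wording, not something the abstract spells out; the service index and every identifier below are hypothetical.

```c
/* Added example (not from the patent): cross-view check modelled on the
 * abstract's direct-vs-indirect comparison, simulated in user mode with
 * constructed data so it compiles and runs anywhere. */
#include <stdio.h>

#define MAX_PROCS 16
#define SVC_QUERY_PROCESSES 0   /* hypothetical service index into the table */

typedef int (*service_fn)(unsigned int *out, int max);

/* Constructed "kernel" process list; 1337 is the PID the rootkit will hide. */
static const unsigned int g_all_pids[] = {4, 372, 1024, 1337, 2048};
#define N_ALL (sizeof g_all_pids / sizeof g_all_pids[0])

/* Genuine service routine: reports every process. */
static int nt_query_processes(unsigned int *out, int max) {
    int n = 0;
    for (size_t i = 0; i < N_ALL && n < max; i++) out[n++] = g_all_pids[i];
    return n;
}

/* Simulated SSDT, and the address the "kernel" loaded into it at boot. */
static service_fn g_dispatch_table[1] = { nt_query_processes };
static const service_fn g_original_entry = nt_query_processes;

/* Simulated rootkit hook: forwards to the real service, then filters out PID 1337. */
static int hooked_query_processes(unsigned int *out, int max) {
    int n = nt_query_processes(out, max), kept = 0;
    for (int i = 0; i < n; i++)
        if (out[i] != 1337) out[kept++] = out[i];
    return kept;
}

void install_rootkit(void) { g_dispatch_table[SVC_QUERY_PROCESSES] = hooked_query_processes; }
void remove_rootkit(void)  { g_dispatch_table[SVC_QUERY_PROCESSES] = g_original_entry; }

/* "Direct" path: dispatch through the table, as an ordinary system call would. */
static int query_via_table(unsigned int *out, int max) {
    return g_dispatch_table[SVC_QUERY_PROCESSES](out, max);
}

/* "Indirect" path: reach the service without consulting the table. */
static int query_bypassing_table(unsigned int *out, int max) {
    return g_original_entry(out, max);
}

/* Compare the two views. Returns the number of PIDs present on the indirect
 * path but absent from the direct one; the first such PID is written to *hidden. */
int count_hidden_pids(unsigned int *hidden) {
    unsigned int direct[MAX_PROCS], indirect[MAX_PROCS];
    int nd = query_via_table(direct, MAX_PROCS);
    int ni = query_bypassing_table(indirect, MAX_PROCS);
    int missing = 0;
    for (int i = 0; i < ni; i++) {
        int found = 0;
        for (int j = 0; j < nd; j++)
            if (direct[j] == indirect[i]) { found = 1; break; }
        if (!found) {
            if (missing == 0 && hidden) *hidden = indirect[i];
            missing++;
        }
    }
    return missing;
}

/* False-positive guard: on a live system a process can exit between the two
 * queries and show up once as a spurious discrepancy. Only report a PID that
 * is missing from the direct view in every round. Returns 1 if confirmed. */
int confirm_hidden_pid(int rounds, unsigned int *hidden) {
    unsigned int candidate = 0;
    for (int r = 0; r < rounds; r++) {
        unsigned int h = 0;
        if (count_hidden_pids(&h) == 0) return 0;   /* visible at least once: not hidden */
        if (r == 0) candidate = h;
        else if (h != candidate) return 0;          /* inconsistent across rounds: transient */
    }
    if (hidden) *hidden = candidate;
    return 1;
}

int main(void) {
    unsigned int pid = 0;
    printf("clean table: %d hidden PID(s)\n", count_hidden_pids(&pid));
    install_rootkit();
    printf("hooked table: %d hidden PID(s), first hidden PID %u\n",
           count_hidden_pids(&pid), pid);
    printf("confirmed over 3 rounds: %d\n", confirm_hidden_pid(3, &pid));
    remove_rootkit();
    return 0;
}
```

On a real Windows kernel the indirect path would be a route that does not go through the SSDT at all (for example, walking the kernel's own object lists or reading the data the service is derived from), and the comparison has to tolerate legitimate churn between the two queries, which is what the repeated-round confirmation stands in for here.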