Invention Grant
- Patent Title: Rootkit monitoring agent built into an operating system kernel
- Patent Title (Chinese): Rootkit监控代理内置于操作系统内核
- Application No.: US13959168
- Application Date: 2013-08-05
- Publication No.: US08856932B2
- Publication Date: 2014-10-07
- Inventor: Jayakrishnan Ramalingam
- Applicant: International Business Machines Corporation
- Applicant Address: US NY Armonk
- Assignee: International Business Machines Corporation
- Current Assignee: International Business Machines Corporation
- Current Assignee Address: US NY Armonk
- Agency: Schmeiser, Olsen & Watts
- Agent: John Pivnichny
- Main IPC: G06F21/56
- IPC: G06F21/56 ; G06F12/14 ; G06F21/52 ; G06F21/55

Abstract:
An approach for detecting a kernel-level rootkit is presented. A changed entry in a System Service Descriptor Table (SSDT) or an Interrupt Descriptor Table (IDT) is detected. The changed entry results from an installation of suspect software. The changed entry is determined to be not referenced by a white list. A black list is updated to reference the changed entry to indicate the changed entry results from an installation of the kernel-level rootkit. The suspect software is determined to be the kernel-level rootkit based on the changed entry not being referenced by the white list. The changed entry is restored to an entry included in a first state of an operating system kernel. The first state is based on the SSDT and IDT referencing hooks indicated in the white list, where the hooks are not the result of an installation of any kernel-level rootkit.
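The following is an added illustration of the whitelist/blacklist logic the abstract describes, written for this page and not taken from the patent or from IBM: a snapshot of a service table in its "first state" is compared with the current table, a changed entry is tolerated only if the white list references it, and any other changed entry is blacklisted and restored. The table names, addresses and the approved hook are constructed sample values.

```python
"""Simulation of the SSDT/IDT check from the abstract (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class RootkitMonitor:
    # "First state": the table as recorded before any suspect software was installed.
    first_state: dict
    # White list: (entry name, target address) pairs known to be legitimate hooks.
    white_list: set
    # Black list: filled with changed entries that the white list does not reference.
    black_list: set = field(default_factory=set)

    def check(self, current: dict) -> tuple:
        """Compare the current table with the first state.

        Returns (restored_table, rootkit_detected). Every entry that differs
        from the first state and is not referenced by the white list is added
        to the black list and restored to its first-state value.
        """
        restored = dict(current)
        detected = False
        for name, target in current.items():
            if target == self.first_state[name]:
                continue                         # unchanged since the first state
            if (name, target) in self.white_list:
                continue                         # a known, legitimate hook
            self.black_list.add((name, target))  # suspect software is a rootkit
            restored[name] = self.first_state[name]
            detected = True
        return restored, detected


# Constructed sample SSDT; the addresses are arbitrary placeholders.
FIRST_STATE_SSDT = {
    "NtCreateFile": 0x1000,
    "NtQuerySystemInformation": 0x2000,
    "NtEnumerateKey": 0x3000,
}
# Constructed white list: one hook installed by an approved security driver.
WHITE_LIST = {("NtQuerySystemInformation", 0x9100)}


def run_demo():
    """One approved hook and one unknown hook appear after a suspect install."""
    mon = RootkitMonitor(FIRST_STATE_SSDT, WHITE_LIST)
    current = dict(FIRST_STATE_SSDT)
    current["NtQuerySystemInformation"] = 0x9100  # whitelisted: left in place
    current["NtEnumerateKey"] = 0xDEAD            # not whitelisted: blacklisted, restored
    restored, detected = mon.check(current)
    return restored, detected, mon.black_list
```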
Public/Granted literature
- US20130318612A1 ROOTKIT MONITORING AGENT BUILT INTO AN OPERATING SYSTEM KERNEL, Public/Granted day: 2013-11-28