Patent · US Active

Method and apparatus for detecting hidden rootkits

US7665123B1 · kind B1 · utility

Cited by: 45
References: 2
Claims: 11
Family size: 0

Assignee

Inventors

Key dates

Filing date: Dec 1, 2005
Grant date: Feb 16, 2010
Priority date:
Expiry date: Mar 3, 2028

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/56
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

In one embodiment, an IO request packet (IRP) attempting to access a computer disk is evaluated to determine whether the request identifies an area of the disk that is marked as bad in a file system. When the request identifies an area of the disk that is marked as bad in a file system, the request is assumed to be indicative of a rootkit. In another embodiment, an IO request packet is evaluated to determine whether the request identifies an area of the disk to be accessed that was not identified in requests detected at the file system level of the kernel. When the stalled request identifies an area of the disk to be accessed that was not seen in requests detected at the file system level of the kernel, the request is assumed to be indicative of a rootkit.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.