Patent · US Active

Method and apparatus for detecting and removing kernel rootkits

US7802300B1 · kind B1 · utility

Cited by: 24
References: 7
Claims: 15
Family size: 0

Assignee

Inventors

Key dates

Filing date: Feb 6, 2007
Grant date: Sep 21, 2010
Priority date:
Expiry date: Jul 23, 2029

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/55
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

In one embodiment, an anti-rootkit module compares operating system kernel binary files to their loaded kernel file image in memory to find a difference between them. The difference may be scanned for telltale signs of rootkit modification. To prevent rootkits from interfering with memory access of the kernel file image, a pre-scan may be performed to ensure that paging functions and the interrupt dispatch table are in known good condition. If the difference is due to a rootkit modification, the kernel file image may be restored to a known good condition to disable the rootkit. A subsequent virus scan may be performed to remove remaining traces of the rootkit and other malicious codes from the computer.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.