Patent · US Active

Detecting user-mode rootkits

US7874001B2 · kind B2 · utility

Cited by: 142
References: 1
Claims: 13
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jul 15, 2005
Grant date: Jan 18, 2011
Priority date
Expiry date: Jan 20, 2029

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F2221/2105
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.