Patent · US Active

Detecting user-mode rootkits

US8661541B2 · kind B2 · utility

Cited by: 14
References: 5
Claims: 17
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jan 3, 2011
Grant date: Feb 25, 2014
Priority date
Expiry date: Jan 3, 2031

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F2221/2105
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.