| | |
|---|---|
| Patent | US 7,571,482 B2 |
| Title | Automated rootkit detector |
| Inventors | Alexey A. Polyakov, Sammamish, Wash. (US); Gretchen L. Loihle, Redmond, Wash. (US); Mihai Costea, Redmond, Wash. (US); Robert J. Hensing, Jr., York, S.C. (US); Scott A. Field, Redmond, Wash. (US); Vincent R. Orgovan, Bellevue, Wash. (US); Yi-Min Wang, Bellevue, Wash. (US); Yun Lin, Kirkland, Wash. (US) |
| Assignee | Microsoft Corporation, Redmond, Wash. (US) |
| Filed | Jun. 28, 2005, as Appl. No. 11/170,792 |
| Prior Publication | US 2006/0294592 A1, Dec. 28, 2006 |
| Int. Cl. | G06F 12/14 (2006.01); G06F 11/00 (2006.01) |
| U.S. Cl. | 726/24 [726/22; 726/23; 726/25; 713/188; 709/201; 709/202; 709/217; 709/218] |
| Claims | 19 |

1. In a computer that comprises an operating system, a method of identifying a program configured to conceal malware installed on the computer, the method comprising:

employing kernel debugger facilities to obtain data maintained by the operating system by causing the kernel debugger facilities to set a breakpoint when a suspicious activity inclusive of a characteristic of a RootKit is identified; and

checking the data, representing contents of a data structure when the breakpoint was set, and obtained by the kernel debugger facilities, for inconsistencies that are characteristic of a program that conceals malware,

wherein the computer includes a computer-readable storage medium comprising the kernel debugger facilities executable by the computer.