Method and equipment for detecting course

A process detection method and equipment, applied to detecting hidden processes at the kernel level of a computer operating system. It addresses the problem that existing detection methods are not universal and not thorough enough, and it ensures detection accuracy.

Active Publication Date: 2008-06-25
LENOVO (BEIJING) CO LTD

AI Technical Summary

Problems solved by technology

[0006] The invention discloses a method and equipment for detecting a process, which are used to solve the problem that existing process detection methods are not thorough enough and not universal.


Examples


Embodiment 1

[0027] First, let's analyze the working principle of processes and threads. Modern operating systems generally run in a multi-task preemptive manner: each process is allocated a specific CPU time slice in which to execute, so that from a macro perspective multiple tasks appear to run at the same time. The time slice allocated to each process is governed by the operating system's CPU clock interrupt. The system uses the interrupt to check the time slice allocated to the current process. If the time slice is used up, it uses a specific scheduling algorithm, based on the priority of each thread and other information, to select a new thread. It then uses the return value, an ETHREAD structure, as a parameter to the context switching function, thereby setting the parameters in ETHREAD and EPROCESS and replacing the corresponding structure in the kernel processor control area (KPCRB). After the thread switch is completed, the thread schedu...

Embodiment 2

[0042] To prevent an attacker from performing a similar hook on the context switching function, Embodiment 2 adds, on the basis of Embodiment 1, dynamic monitoring and updating of the remote jump together with an alarm log, to ensure the accuracy of detection.

[0043] Specifically, after finding the address of the context switching function in the address space, Embodiment 2 first checks the function's first few bytes. If they are found to have been modified into a remote jump, it records an alarm log and restores them, and then performs its own remote jump modification.

[0044] As shown in Figure 4, Embodiment 2 comprises:

[0045] Step 401: Find the address of the context switching function;

[0046] Step 402: Check whether the leading bytes at the address of the context switching function have been tampered with; if so, execute step 403, otherwise execute step 404;

[0047] Step 403: restore the tampered address to its original state;

[0048] Ste...
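The check in steps 402 and 403 can be sketched as follows. This is an added example, not code from the patent: it runs on an ordinary byte buffer rather than kernel memory, and the baseline copy of the original bytes, the 8-byte guard length, the function names and the sample bytes are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 8  /* assumed number of leading bytes to guard */
enum { PROLOGUE_CLEAN, PROLOGUE_MODIFIED, PROLOGUE_JUMP };

/* Constructed sample: a typical x86 prologue (push ebp; mov ebp,esp; ...). */
static const uint8_t SAMPLE_BASELINE[PROLOGUE_LEN] =
    {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56};

/* Does the first instruction at p transfer control with an x86 jmp? */
static int starts_with_jump(const uint8_t *p)
{
    if (p[0] == 0xE9 || p[0] == 0xEB || p[0] == 0xEA)
        return 1;                       /* jmp rel32, jmp rel8, jmp far ptr */
    if (p[0] == 0xFF) {                 /* FF /4 and FF /5: indirect jmp */
        uint8_t reg = (p[1] >> 3) & 7;
        return reg == 4 || reg == 5;
    }
    return 0;
}

/* Steps 402-403: compare with the baseline, write an alarm line, restore. */
int check_and_restore(uint8_t *code, const uint8_t *baseline,
                      char *msg, size_t msg_len)
{
    msg[0] = '\0';
    if (memcmp(code, baseline, PROLOGUE_LEN) == 0)
        return PROLOGUE_CLEAN;          /* untouched: continue with step 404 */
    int verdict = starts_with_jump(code) ? PROLOGUE_JUMP : PROLOGUE_MODIFIED;
    int n = snprintf(msg, msg_len, "ALARM prologue %s, bytes:",
                     verdict == PROLOGUE_JUMP ? "replaced by jump" : "modified");
    for (size_t i = 0; i < PROLOGUE_LEN && n > 0 && (size_t)n + 4 <= msg_len; i++)
        n += snprintf(msg + n, msg_len - (size_t)n, " %02X", code[i]);
    memcpy(code, baseline, PROLOGUE_LEN);   /* step 403: restore original bytes */
    return verdict;
}

int main(void)
{
    uint8_t live[PROLOGUE_LEN];
    char msg[128];
    memcpy(live, SAMPLE_BASELINE, PROLOGUE_LEN);
    live[0] = 0xE9;                     /* constructed tampering: jmp rel32 */
    int v = check_and_restore(live, SAMPLE_BASELINE, msg, sizeof msg);
    printf("verdict=%d %s\n", v, msg);
    return 0;
}
```

The alarm line records the tampered bytes before they are overwritten, so the evidence survives the restore.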

Embodiment 3

[0053] The above two embodiments accomplish the purpose of detecting the current process, but further judgment is needed to determine which malicious processes are hidden by DKOM.

[0054] Any process must interact with the operating system through the API, and most of these interactions are passed to the kernel through system calls; a process that does not use any API cannot play any role in the system. The system call manager can therefore be used to intercept system calls and then obtain the EPROCESS of the current process.

[0055] On the basis of Embodiment 1 or Embodiment 2, Embodiment 3 compares the detected process information, such as the process ID and process image file name, with the current process ID and process image file name obtained by calling the API. If they are inconsistent, a kernel-level hidden process exists, that is, a DKOM rootkit is present.

[0056] In order to ensure that the image files of the real-time detection unit and...
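The comparison described in [0055] is a cross-view check, sketched below as an added example that is not code from the patent. The record layout, function names and sample process records are constructed for illustration; how the two views are actually collected is outside the sketch.

```c
#include <stdio.h>
#include <string.h>

struct proc_rec { unsigned pid; const char *image; };
enum { VIEW_MATCH, VIEW_NAME_MISMATCH, VIEW_HIDDEN };

/* Constructed sample data. SWITCH_VIEW: records captured at context switches
 * (a PID recurs each time it is scheduled). API_VIEW: the API's process list. */
static const struct proc_rec SWITCH_VIEW[] = {
    {4, "System"}, {1320, "explorer.exe"}, {2044, "hidden.exe"},
    {1320, "explorer.exe"}, {880, "renamed.exe"}, {2044, "hidden.exe"} };
static const struct proc_rec API_VIEW[] = {
    {4, "System"}, {880, "services.exe"}, {1320, "explorer.exe"} };

/* Compare one low-level record against the API view. */
int classify(const struct proc_rec *seen, const struct proc_rec *api, size_t n_api)
{
    for (size_t i = 0; i < n_api; i++)
        if (api[i].pid == seen->pid)
            return strcmp(api[i].image, seen->image) == 0
                       ? VIEW_MATCH : VIEW_NAME_MISMATCH;
    return VIEW_HIDDEN;             /* scheduled, but absent from the API list */
}

/* Store each inconsistent PID once in out[]; return how many were stored. */
size_t find_inconsistent(const struct proc_rec *seen, size_t n_seen,
                         const struct proc_rec *api, size_t n_api,
                         unsigned *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < n_seen; i++) {
        if (classify(&seen[i], api, n_api) == VIEW_MATCH)
            continue;
        size_t j = 0;
        while (j < n && out[j] != seen[i].pid)   /* already reported? */
            j++;
        if (j == n && n < cap)
            out[n++] = seen[i].pid;
    }
    return n;
}

int main(void)
{
    unsigned pids[8];
    size_t n = find_inconsistent(SWITCH_VIEW, 6, API_VIEW, 3, pids, 8);
    for (size_t i = 0; i < n; i++)
        printf("inconsistent pid %u\n", pids[i]);
    return 0;
}
```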


Abstract

The invention discloses a detection method for processes, aimed in particular at detecting kernel-level hidden processes, comprising the following steps: the address space of the operating system kernel is searched and the address of the context switch function is obtained; the content at the head address of the context switch function is modified into a long-distance jump instruction, and process information is acquired by accessing the process structure through the long-distance jump. Because the invention starts from the thread context switch function, which sits at the lowest level of the operating system, the most authentic kernel object information can be acquired. The detection method is universal across various operating systems and can effectively detect DKOM hidden processes. Moreover, detection accuracy for hidden processes is guaranteed through dynamic monitoring and updating of the head address content of the context switch function and through alarm logs. The invention also discloses a detection device for processes.

Description

Technical field

[0001] The invention relates to the technical field of computer operating system security, in particular to a method and equipment for detecting hidden processes at the kernel level of a computer operating system.

Background technique

[0002] A rootkit (backdoor toolkit) is a tool used by computer attackers to hide their tracks and retain access. The development of rootkits can be roughly divided into three stages. First-generation rootkits are primitive: they simply replace or modify key system files on the operating system. Second-generation rootkits are based on hooking technology: loaded applications and some operating system components, such as the system call table, are patched to change the execution path, and the modification target moves from the disk to the in-memory image of the loaded program. Third-generation kernel rootkit technology works by dynamically modifying kernel objects.

[0003] Direct Kernel Object Manip...


Application Information

IPC(8): G06F21/00, G06F9/44, G06F9/46, G06F21/52
Inventor: 李俊, 王凯
Owner: LENOVO (BEIJING) CO LTD