
System and method for detecting malware targeting computer boot process

A technique for a target computer and computer system, applied in the field of malicious program detection

Active Publication Date: 2015-09-02
AO KASPERSKY LAB

AI Technical Summary

Problems solved by technology

Disadvantages of this type of approach include the need for specialized external disks or devices, and the need for users to take specific, targeted actions (booting from external media) in order to assess the boot process for malware.



Embodiment Construction

[0023] The computer boot process is complex, with many details and nuances, but it can generally be broken down into two phases: initial boot and operating system boot. After the computer is turned on, the power supply tests all necessary voltage levels; if all voltage levels are normal, the motherboard receives a PowerGood signal. In the initial state, the processor's RESET input is asserted, which holds the processor in reset. Once the PowerGood signal arrives from the power supply, the RESET signal is removed and the processor starts executing its first instruction. Thus, after the power test, the processor starts in the following state: the code segment register CS contains 0xFFFF, the instruction pointer (IP register) contains 0, and the data and stack segment registers contain 0. After RESET is removed, the processor executes the instruction at address 0xFFFF0, which lies in the ROM BIOS area in real mode. Its size is 16 ...


Abstract

System and method for detecting malware on a target computer system having a bootable device. Boot process information stored on the bootable device that at least partially defines a boot process of the target computer system is obtained, along with physical parameter data defining a storage arrangement structure of the bootable device. The boot process of the target computer system is emulated based on the boot process information and on the physical parameter data. The emulation includes executing instructions of the boot process information and tracking data accessed from the bootable device. A data structure representing the data accessed from the bootable device is stored during the emulation of the boot process. The data structure can be analyzed for any presence of boot process malware.
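The emulation-and-tracking step described in the abstract, as an added example that is not the patent's or Kaspersky Lab's code: a CHS geometry stands in for the physical parameter data, a constructed MBR plus a constructed sequence of BIOS-style sector reads stand in for the emulated boot code, and the closing out-of-partition check is an assumed illustrative analysis of the recorded data structure, not one the page specifies.

```python
import struct
from dataclasses import dataclass, field

@dataclass
class Geometry:  # physical parameter data: CHS geometry of the bootable device
    heads: int
    sectors_per_track: int
    def chs_to_lba(self, c, h, s):  # standard CHS -> LBA; sector numbers are 1-based
        return (c * self.heads + h) * self.sectors_per_track + (s - 1)

def build_mbr(partitions):
    # Constructed MBR: zeroed code area, type-0x07 entries, 0x55AA signature
    mbr = bytearray(512)
    for i, (start, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i, 0x80, b"\0\0\0", 0x07, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

def parse_partitions(mbr):
    """Return (start_lba, sector_count) for each used partition table entry."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for off in range(446, 510, 16):  # four 16-byte entries at offset 446
        ptype, (start, count) = mbr[off + 4], struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            parts.append((start, count))
    return parts

@dataclass
class AccessTracker:  # data structure of sectors the emulated boot code read
    geo: Geometry
    accessed: set = field(default_factory=set)
    def read_chs(self, c, h, s, n=1):  # BIOS-style read, depends on geometry
        self.read_lba(self.geo.chs_to_lba(c, h, s), n)
    def read_lba(self, lba, n=1):  # extended read, geometry-independent
        self.accessed.update(range(lba, lba + n))

def unaccounted_sectors(tracker, partitions):
    """Accessed sectors outside the MBR and all partitions (assumed heuristic)."""
    inside = lambda lba: lba == 0 or any(s <= lba < s + n for s, n in partitions)
    return sorted(lba for lba in tracker.accessed if not inside(lba))

def demo():
    parts = parse_partitions(build_mbr([(2048, 204800)]))  # one constructed partition
    t = AccessTracker(Geometry(heads=255, sectors_per_track=63))
    t.read_chs(0, 0, 1)      # the MBR itself (LBA 0)
    t.read_lba(2048, 8)      # start of partition 1
    t.read_chs(0, 0, 62, 2)  # LBA 61-62: unpartitioned gap before the partition
    return unaccounted_sectors(t, parts)  # -> [61, 62]
```

Reads recorded through the tracker are independent of whether the boot code used CHS or LBA addressing, which is why the geometry has to be captured alongside the boot sectors.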

Description

Technical field

[0001] The present invention relates generally to information processing and security, and, more particularly, to detecting malicious programs that infect the boot process of a computer system.

Background technique

[0002] As malware perpetrators continue to develop new technologies, protecting computer systems from malware, i.e. unwanted programs such as computer viruses, Trojan horses, worms, rootkits, and the like, is an evolving challenge. Of particular concern is malware known as bootkits, which alter the boot process of a computer system. These are among the most difficult malware to detect on modern computer systems. Exploitation during the boot process can allow harmful code to bypass existing protection features, hide itself, and impair the computer's ability to detect and remove harmful processes.

[0003] The computer boot process has several steps, including testing and initialization of hardware, booting of the operating system, and automatic lo...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/56, H04L69/40
CPC: G06F21/575, G06F21/53
Inventor: 尤里·G·帕新, 弗拉季斯拉夫·V·培提斯基
Owner: AO KASPERSKY LAB