Method and device of detection processing of core-level rootkit

A kernel-level rootkit detection and processing method, applied in the computer field, addresses the problem that a kernel-level rootkit cannot be detected well and the system recovered, with the effect of ensuring safe operation and improving reliability.

Status: Inactive
Publication Date: 2014-04-02
TCL CORPORATION

AI Technical Summary

Problems solved by technology

[0018] In view of the above-mentioned deficiencies in the prior art, the object of the present invention is to provide a kernel-level rootkit detection and processing method and system, aiming to solve the problem that the current Android system cannot detect kernel-level rootkits well and perform system recovery.




Embodiment Construction

[0053] The invention provides a kernel-level rootkit detection and processing method and a related system. In order to make the object, technical solution and effect of the present invention more clear and definite, the present invention will be further described in detail below. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

[0054] As shown in figure 2, a kernel-level rootkit detection processing method includes the following steps:

[0055] S100. Pre-save the signature generated for the newly loaded module node in the current node of the kernel module linked list, and save the signature generated for the current node of the kernel module linked list in the newly loaded module node.

[0056] The Android system maintains kernel modules through a global doubly linked list. Each node of the list holds data and two pointers, to the predecessor and...



Abstract

The invention discloses a method and a device for detection processing of a kernel-level rootkit. The method comprises the following steps: A, pre-storing the signature of a newly loaded module node in the current node of the kernel module linked list, and storing the signature of the current node in the newly loaded module node; B, when a new module is loaded, judging whether the signature stored in the newly loaded module node matches the signature of the current node, and whether the signature stored in the current node matches the signature of the newly loaded module node, and if either does not match, performing step C; C, comparing the currently running system call table with a spare system call table and, if they are not consistent, generating a report that a hidden module has been discovered. According to the method and device, an intrusion by a rootkit is detected through a mutual matching mechanism between the signatures of the newly loaded module and the current node of the linked list, and the report is further confirmed by comparing the system call table with a spare reference file, so that the reliability of the detection result is improved; meanwhile, a system recovery method is provided so that safe operation of the system is ensured.
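The following user-space model illustrates steps A, B and C of the abstract: neighbouring nodes of the module list hold keyed signatures of each other, a walk of the list checks that every adjacent pair still vouches for the other, and the spare system-call table is consulted only when that check fails. It is an added example, not code from the patent or from TCL; the list layout, the signing key, the module names and the addresses are constructed for the demo, and the keyed FNV-1a hash stands in for whatever MAC a real implementation would use.

```c
/* Added illustration (not the patent's code): a user-space model of the mutual
 * signature check on the kernel module list (steps A, B) and the spare
 * system-call-table comparison (step C). Key, names and addresses are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NR_SYSCALLS 8

/* Signing key: constructed here; in reality it must be unreadable by modules. */
static const uint8_t SECRET_KEY[] = "constructed-demo-key";

struct module_node {
    char name[32];
    uintptr_t base;          /* load address: part of the signed data */
    uint64_t sig_of_next;    /* our signature of the node linked after us */
    uint64_t sig_of_prev;    /* our signature of the node linked before us */
    struct module_node *prev, *next;
};

static uint64_t fnv_step(uint64_t h, const void *buf, size_t len) {
    for (size_t i = 0; i < len; i++) { h ^= ((const uint8_t *)buf)[i]; h *= 1099511628211ULL; }
    return h;
}

/* Keyed FNV-1a over (key || name || base), a stand-in for a real MAC. Only the node's
 * identity is signed, never its signature fields, so neighbours' signatures stay valid. */
static uint64_t sign_node(const struct module_node *n) {
    uint64_t h = fnv_step(14695981039346656037ULL, SECRET_KEY, sizeof SECRET_KEY);
    h = fnv_step(h, n->name, sizeof n->name);
    return fnv_step(h, &n->base, sizeof n->base);
}

/* Circular doubly linked list with a sentinel head, as the kernel keeps it. */
static void list_init(struct module_node *head) {
    memset(head, 0, sizeof *head);
    strcpy(head->name, "(list head)");
    head->next = head->prev = head;
    head->sig_of_next = head->sig_of_prev = sign_node(head);
}

/* Step A: append at the tail; tail and head record the newcomer's signature,
 * the newcomer records both of theirs. */
static void link_module(struct module_node *head, struct module_node *new_mod) {
    struct module_node *tail = head->prev;
    tail->sig_of_next = head->sig_of_prev = sign_node(new_mod);
    new_mod->sig_of_prev = sign_node(tail);
    new_mod->sig_of_next = sign_node(head);
    new_mod->prev = tail;  new_mod->next = head;
    tail->next = new_mod;  head->prev = new_mod;
}

/* Step B: every adjacent pair must still vouch for each other; 1 on mismatch,
 * e.g. after a node unlinked itself (list_del) without knowing the key. */
static int module_list_tampered(const struct module_node *head) {
    const struct module_node *n = head;
    do {
        if (n->sig_of_next != sign_node(n->next)) return 1;
        if (n->next->sig_of_prev != sign_node(n)) return 1;
        n = n->next;
    } while (n != head);
    return 0;
}

/* Step C: entries of the live syscall table that differ from the spare copy. */
static int syscall_table_mismatches(const uintptr_t live[], const uintptr_t spare[], size_t n) {
    int mismatches = 0;
    for (size_t i = 0; i < n; i++) if (live[i] != spare[i]) mismatches++;
    return mismatches;
}

enum verdict { CLEAN = 0, SUSPECT = 1, HIDDEN_MODULE = 2 };

/* Flow from the abstract: the table is consulted only after the list check fails. */
static enum verdict run_detection(const struct module_node *head,
                                  const uintptr_t live[], const uintptr_t spare[], size_t n) {
    if (!module_list_tampered(head)) return CLEAN;
    return syscall_table_mismatches(live, spare, n) ? HIDDEN_MODULE : SUSPECT;
}

/* Scenario: two benign modules, then a third that may unlink itself and/or hook a syscall. */
static enum verdict demo(int hides_from_list, int hooks_syscall) {
    struct module_node head, mods[3];
    uintptr_t spare[NR_SYSCALLS], live[NR_SYSCALLS];
    const char *names[3] = { "wifi_drv", "audio", "evil_lkm" };

    for (size_t i = 0; i < NR_SYSCALLS; i++)
        live[i] = spare[i] = 0xc0001000u + 0x100u * i;   /* constructed addresses */
    list_init(&head);
    memset(mods, 0, sizeof mods);
    for (size_t i = 0; i < 3; i++) {
        strcpy(mods[i].name, names[i]);
        mods[i].base = 0xbf000000u + 0x100000u * i;
        link_module(&head, &mods[i]);
    }
    if (hides_from_list) {                 /* list_del() with no re-signing */
        mods[2].prev->next = mods[2].next;
        mods[2].next->prev = mods[2].prev;
    }
    if (hooks_syscall) live[3] = mods[2].base + 0x40;   /* entry points into the LKM */
    return run_detection(&head, live, spare, NR_SYSCALLS);
}
```

demo(1, 1) yields HIDDEN_MODULE and demo(1, 0) only SUSPECT, because the abstract raises the hidden-module report only after both checks fail. demo(0, 1) yields CLEAN: a module that hooks the system call table but leaves itself on the list is never reached by step C under this flow, so a practitioner deploying the scheme would also run the table comparison on its own schedule. The check is only as strong as the secrecy of the key; a module that can read it can simply re-sign its neighbours after unlinking.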

Description

Technical field

[0001] The invention relates to the field of computer technology, in particular to a kernel-level rootkit detection and processing method and system.

Background

[0002] The number of malware samples for the Android system is growing rapidly, but research on Android security lags far behind. Rootkit technology is one of the main technical means malicious programs use to hide themselves. The principle is as follows: the functions implementing system calls reside in kernel space, and a loadable kernel module can reach any resource in kernel space through the kernel symbol table, which makes it possible for an attacker to write an LKM (Loadable Kernel Module) and use hooking to redirect a system call to the attacker's code fragment. Existing kernel-level rootkits are implemented on this principle. A rootkit that modifies the system call table replaces some of the system call function addresses located in the system call tabl...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56, G06F21/51
CPC: G06F21/564, G06F21/51
Inventor: 孙向作
Owner: TCL CORPORATION