CN100596336C - System and method for removing ROOTKIT - Google Patents


Info

Publication number: CN100596336C
Authority: CN (China)
Prior art keywords: information, system, rootkit, operating system, detection means
Application number: CN 200610066816
Other languages: Chinese (zh)
Other versions: CN101046836A
Inventor: 杨文兵
Original Assignee: 联想(北京)有限公司 (Lenovo (Beijing) Co., Ltd.)
Application filed by 联想(北京)有限公司
Priority to CN 200610066816
Publication of CN101046836A
Application granted
Publication of CN100596336C


Abstract

The present invention discloses a system and method for removing a ROOTKIT. The system includes a virtual machine monitor, a service operating system running on the virtual machine monitor, and at least one guest operating system. The guest operating system includes a detection tool agent module, and the service operating system includes a detection tool. The invention also provides the concrete steps of the method for removing a ROOTKIT using this system.

Description

A system and method for removing a ROOTKIT

TECHNICAL FIELD

The present invention relates to a system and method for removing viruses, and in particular to a system and method for removing a ROOTKIT.

BACKGROUND

As business users become increasingly dependent on personal computers (PCs), the main tools for checking for viruses and Trojans on a PC are anti-virus and anti-Trojan software. These tools work by scanning, while the system is running, the processes in system memory and the system files stored on the hard disk, and matching them against signature files, thereby discovering viruses and Trojans.

An operating system consists of two parts, the kernel and the shell. The kernel is responsible for all the actual work, including CPU task scheduling, memory allocation and management, device management and file operations; the shell is the interface built on the interactive functions provided by the kernel, and is responsible for passing and interpreting commands. Ordinary process-viewing tools and anti-virus software are no exception: the processes they can see are in fact those the kernel "sees" and reports back to the application through the relevant interface calls (APIs), so a data channel inevitably exists between the two. Put simply, a ROOTKIT manages to reach the same privilege level as the kernel, or even to enter kernel space, so that it has the same access rights as the kernel and can therefore modify kernel routines. The most common modification is to the kernel APIs that enumerate processes, so that the data they return always "omits" the ROOTKIT's own process; ordinary process tools then naturally cannot "see" the ROOTKIT. More advanced ROOTKITs tamper with further APIs, so that the user cannot see the process (the process API is intercepted), cannot see the files (the file read/write APIs are intercepted), cannot see the open ports (the network component SOCK API is intercepted), and cannot even capture the associated network packets (the network component NDIS API is intercepted). In this way the ROOTKIT hooks the system's functions and substitutes legitimate-looking values for the data that is returned.
Other covert activities of a ROOTKIT include concealing network activity and modifying the WINDOWS registry, all with the aim of keeping its code hidden from discovery.

When a virus or Trojan uses ROOTKIT techniques, the virus's own process in memory and its files stored on the hard disk are hidden; it will therefore not be discovered by anti-virus or anti-Trojan tools, let alone matched against a signature file. Viruses and Trojans that use ROOTKIT techniques are thus not discovered by prior-art anti-virus and anti-Trojan tool software.

Viruses and Trojans hidden in a system can, at the least, damage the system, and at worst steal sensitive data such as user contracts and bank account numbers, causing users serious losses.

At present, the most reliable way to detect a ROOTKIT is offline detection with the operating system shut down (OFFLINE OS). For example, the system is booted normally and all files, REGISTRY entries and so on are listed. Then WINPE is booted from a CD and all files and REGISTRY entries are listed again. The two lists are then compared: under normal circumstances the two lists should be identical, and wherever they differ, files that cannot be seen when booted from the system itself are revealed.

The main disadvantages of this approach are:

1) This method can only examine files on the hard disk; processes that may have entered the system over the network or by other means, or that exist only in the running state, cannot be checked;

2) Shutting down the system is inconvenient for users, and for certain critical systems that cannot be stopped at any time of day (for example, a bank's authorization system), shutting the system down is impractical;

3) Because the ROOTKIT is unknown, not only is it difficult to locate, but how it replaced the system's core files and APIs is also unknown, so removing an unknown ROOTKIT presents technical problems.

SUMMARY

An object of the present invention is to provide a system for removing a ROOTKIT. Another object of the present invention is to provide a method for removing a ROOTKIT.

The ROOTKIT-removal system of the present invention includes a virtual machine monitor, and a service operating system and at least one guest operating system running on the virtual machine monitor, wherein:

the guest operating system includes a detection tool agent module, used to collect information in the guest operating system while the guest operating system is running;

the service operating system includes a detection tool;

the detection tool is used to collect, from within the virtual machine monitor, information about the running guest operating system, to compare the collected information with the information collected by the detection tool agent module, to judge whether a ROOTKIT is present, and to replace the information modified by the ROOTKIT according to the information collected by the detection tool agent module. The service operating system may further include an original system file reference module, used to save the initial system information when the guest operating system first runs.

The collected information is file list information or system memory state information. The system memory state information is the address information of the system API interfaces and the program code corresponding to the APIs.

The ROOTKIT-removal method of the present invention includes the following steps:

Step A) the detection tool agent module collects information in the user's guest operating system;

Step B) the service operating system running on the virtual machine monitor checks whether information modified by a ROOTKIT exists in the guest operating system running on the virtual machine monitor 3;

Step C) if a ROOTKIT is present, the information modified by the ROOTKIT is replaced according to the information collected by the detection tool agent module, thereby removing the ROOTKIT.

Step B) may include the following steps:

Step B1) the detection tool collects, from within the virtual machine monitor, information about what the guest operating system has open;

Step B2) the detection tool agent module in the guest operating system collects information about what is open in the guest operating system 1, and transmits the collected information to the detection tool of the service operating system;

Step B3) the information collected by the detection tool in step B1) is compared with the information collected by the detection tool agent module in step B2) to judge whether difference information exists;

Step B4) if there is no difference information, there is no ROOTKIT in the guest operating system and the check ends; if there is difference information, a ROOTKIT is present in the guest operating system.

Step C) may further include the following step:

the detection tool replaces the difference information modified by the ROOTKIT with the information collected by the detection tool agent module in step B2), thereby removing the ROOTKIT.

The ROOTKIT detection and removal method of the present invention may further include the following steps:

the original system file reference module in the service operating system saves the initial system information of the guest operating system;

for the difference information, the detection tool replaces the information actually modified by the ROOTKIT and stored on the hard disk with the initial system information saved in the original system file reference module.

The collected information is file list information or system memory state information. The system memory state information is the API interface address information and the program code corresponding to the APIs.

The beneficial effects of the present invention are: according to the ROOTKIT-removal system and method of the present invention, an unknown ROOTKIT can be reliably removed while the operating system is running in real time. Moreover, the detection tool and the original system file reference module of the present invention run in a service operating system memory area controlled by the VMM, outside the guest operating system; viruses and Trojans that attack the operating system's security software cannot attack the VMM or the service operating system, so the detection tool and the original system file reference module cannot be attacked, giving high security.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic structural diagram of a ROOTKIT-removal system according to one embodiment of the present invention; FIG. 2 is a flowchart of a ROOTKIT-removal method according to one embodiment of the present invention; FIG. 3 is a schematic structural diagram of a ROOTKIT-removal system according to another embodiment of the present invention; FIG. 4 is a flowchart of a ROOTKIT-removal method according to another embodiment of the present invention.

DETAILED DESCRIPTION

The ROOTKIT-removal system and method of the present invention will be described in detail below with reference to FIGS. 1 to 4.

Embodiment 1

FIG. 1 is a schematic structural diagram of a ROOTKIT-removal system according to one embodiment of the present invention. As shown in FIG. 1, the ROOTKIT-removal system of this embodiment includes: at least one guest operating system (guest OS) 1, a service operating system 2, and a virtual machine monitor (Virtual Machine Monitor, VMM) 3.

The virtual machine monitor 3 runs on a hardware platform that supports virtualization instructions, and the various existing operating systems (including the guest operating system 1 and the service operating system 2 of the present invention) run on it. The service operating system 2 runs on the virtual machine monitor 3 and includes a detection tool 22, used to collect directly, from within the virtual machine monitor 3, information about the running guest operating system 1 (for example, the set of open files, the set of processes and the API interface addresses); it installs a detection tool agent module 22' in the guest operating system 1, used to collect information about what the user has open in the guest operating system 1 (for example, the set of open files, the set of processes and the API interface addresses). The guest operating system 1 includes the detection tool agent module 22' of the service operating system 2, used to collect information about what the user has open in the guest operating system 1 and to transmit the collected information to the detection tool 22.

The information collected by the detection tool 22 and the detection tool agent module 22' includes: 1) file list information: the list of files stored on the storage device; 2) system memory state information, including the system API interface addresses and the program code corresponding to the API interfaces. It will be appreciated that if a ROOTKIT is present in the guest operating system 1, since the ROOTKIT hides itself and the files, system API interfaces and other information it has modified, the information collected and shown by the detection tool agent module 22' is the original information not modified by the ROOTKIT (for example, the original system files and the original API interfaces).

Specifically, when the guest operating system 1 first runs, the detection tool 22 starts running on the virtual machine monitor 3, and is used to collect directly, from within the virtual machine monitor 3, information about the running guest operating system 1 (including the set of files, the set of processes, the API interface addresses and the program code corresponding to the APIs), and to compare it with the information collected in the guest operating system 1 and transmitted from the detection tool agent module 22'. If some file or process is found only in the set collected by the detection tool 22 and was not collected by the detection tool agent module 22', the differing file may be a ROOTKIT; if an API interface address collected by the detection tool 22 does not match the API interface address collected by the detection tool agent module 22', the differing API interface address is an API interface replaced by the ROOTKIT. At this point, the detection tool 22 replaces the system files, API interface addresses and corresponding program code actually modified by the ROOTKIT and stored on the hard disk with the information collected by the detection tool agent module 22', that is, the original information not modified by the ROOTKIT, including the original system files, the original API interface addresses and the corresponding program code, thereby removing the unknown ROOTKIT.

The ROOTKIT-removal method of the present invention is described below with reference to FIG. 2, and includes the following steps:

Step 101) the detection tool 22 in the service operating system 2 starts running on the virtual machine monitor 3, collects through the virtual machine monitor 3 information about what the user has open in the guest operating system 1 (for example, the set of open files, the set of processes and the API interface addresses), and notifies the detection tool agent module 22' in the guest operating system 1 to collect information about what the user has open in the guest operating system 1 (including the set of files, the set of processes and the API interface addresses);

Step 102) the detection tool agent module 22' in the guest operating system 1 transmits the information it collected in the guest operating system 1 to the detection tool 22 in the service operating system 2;

Step 103) the detection tool 22 compares the information it collected in step 101) with the information collected by the detection tool agent module 22' in step 102), and judges whether difference information exists (for example, differing files, differing processes and differing API interface addresses). If no difference information exists, there is no ROOTKIT in the guest operating system 1; the guest operating system 1 is notified and the check ends. Otherwise, step 104) is performed;

Step 104) for the difference information, the detection tool 22 replaces the information actually modified by the ROOTKIT and stored on the hard disk (for example, system files, API interface addresses and the program code corresponding to the APIs) with the corresponding information collected by the detection tool agent module 22', thereby removing the unknown ROOTKIT.

The application of the method of the present invention in a real system is illustrated below with a concrete example:

The detection tool 22 in the service operating system 2 runs on the virtual machine monitor 3 and, through the virtual machine monitor 3, collects the files open in the running guest operating system 1 as files 1, 2, 3 and 4. The detection tool agent module 22' in the guest operating system 1 collects the files open directly in the guest operating system 1 as files 1 and 2, and the content of its file 1 differs from the content of file 1 collected by the detection tool 22: the content of file 1 collected by the detection tool 22 is abc, while the content of file 1 collected by the detection tool agent module 22' is def.

The collection process above shows that:

1) files 3 and 4 are new files created by the ROOTKIT on the hard disk;

2) the content of file 1 was def before the ROOTKIT intrusion and was modified to abc by the ROOTKIT.

At this point, files 3 and 4 need to be deleted and the content abc of file 1 changed back to def to restore the system to a state not damaged by the ROOTKIT. The detection tool 22 therefore replaces file 1 (with content abc), 3 and 4 stored on the hard disk with file 1 (with content def) collected by the detection tool agent module 22', thereby removing the unknown ROOTKIT. The process of restoring system API interface addresses modified by the ROOTKIT is similar to that of restoring system files modified by the ROOTKIT, and is not illustrated separately here.
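The cross-view check of steps 101 to 104 and the file example above, written out as an added Python example that is not part of the patent: the two inventories are constructed dictionaries standing in for what the detection tool 22 (VMM-side view) and the agent module 22' (in-guest view) would collect, and the function names and the placeholder contents data2, hidden3 and hidden4 are assumptions made for the example.

```python
"""Cross-view file-list comparison as described in Embodiment 1.

Two inventories of the guest OS are built: one from outside the guest
(the VMM-side detection tool's view) and one from inside it (the agent's
view). Files visible only from outside are hidden inside the guest, and
files whose content differs between the views have been altered; the
restore step rewrites the VMM-visible state from the agent's copy.
"""

from dataclasses import dataclass, field


@dataclass
class Difference:
    """The page's 'difference information' produced by comparing the views."""
    hidden: list = field(default_factory=list)    # present only in the VMM view
    altered: dict = field(default_factory=dict)   # name -> (vmm_content, agent_content)

    def is_empty(self) -> bool:
        return not self.hidden and not self.altered


def compare_views(vmm_view: dict, agent_view: dict) -> Difference:
    """Step 103: compare the VMM-side view with the in-guest agent view.

    Both views map file name -> content. Files the in-guest agent cannot
    see, or whose content differs from what the agent reports, are the
    difference information.
    """
    diff = Difference()
    for name in sorted(vmm_view):
        if name not in agent_view:
            diff.hidden.append(name)
        elif vmm_view[name] != agent_view[name]:
            diff.altered[name] = (vmm_view[name], agent_view[name])
    return diff


def restore_from_agent(vmm_view: dict, agent_view: dict, diff: Difference) -> dict:
    """Step 104: rewrite the on-disk state using the agent's copy.

    Hidden files are deleted; altered files take the content the agent
    collected. Returns the repaired view (the input dict is not mutated).
    """
    repaired = dict(vmm_view)
    for name in diff.hidden:
        del repaired[name]
    for name in diff.altered:
        repaired[name] = agent_view[name]
    return repaired


def check_and_clean(vmm_view: dict, agent_view: dict) -> tuple:
    """Full cycle: returns (rootkit_found, repaired_view)."""
    diff = compare_views(vmm_view, agent_view)
    if diff.is_empty():
        return False, dict(vmm_view)
    return True, restore_from_agent(vmm_view, agent_view, diff)


# Constructed sample inventories reproducing the page's worked example:
# the VMM-side tool sees files 1-4 and file 1 reads "abc"; the agent sees
# only files 1 and 2 and reports file 1 as "def". The other contents are
# placeholders invented for this example.
VMM_VIEW = {"1": "abc", "2": "data2", "3": "hidden3", "4": "hidden4"}
AGENT_VIEW = {"1": "def", "2": "data2"}

if __name__ == "__main__":
    found, repaired = check_and_clean(VMM_VIEW, AGENT_VIEW)
    d = compare_views(VMM_VIEW, AGENT_VIEW)
    print("rootkit present:", found)
    print("hidden files:", d.hidden, "altered files:", list(d.altered))
    print("repaired view:", repaired)
```

Running the block reports files 3 and 4 as hidden and file 1 as altered, and the repaired view contains only files 1 (def) and 2. The comparison is one-directional on purpose: it follows the patent's model, in which the VMM-side view is the ground truth and the agent's view is what the ROOTKIT lets the guest see; Embodiment 2 replaces the agent's copy with a first-boot snapshot as the source for the restore.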

In summary, in the ROOTKIT-removal system according to Embodiment 1 of the present invention, VMM software runs on the hardware platform, the guest operating system 1 and the service operating system 2 run on the VMM, the detection tool 22 is installed in the service operating system 2, and the detection tool agent module 22' is installed in the guest operating system 1 to collect information about what is open directly in the guest operating system 1. The detection tool 22 collects directly, from within the virtual machine monitor 3, information about what is open in the running guest operating system 1, and compares it with the information collected by the detection tool agent module 22' to reveal difference information, so that an unknown ROOTKIT is reliably detected. The detection tool 22 then, for the difference information, substitutes the corresponding information collected by the detection tool agent module 22' for the information actually modified by the ROOTKIT on the hard disk, thereby removing the ROOTKIT. The detection tool 22 of the present invention runs in a VMM-controlled memory area outside the operating system; since viruses and Trojans that attack the operating system cannot attack the VMM, the detection tool and the original system file reference module cannot be attacked, giving high security.

Embodiment 2

FIG. 3 is a schematic structural diagram of the ROOTKIT-removal system of this embodiment. The ROOTKIT-removal system of this embodiment has substantially the same structure as the ROOTKIT-removal system of Embodiment 1 of the present invention, and includes: at least one guest operating system 1, a service operating system 2', and a virtual machine monitor 3. The difference is that the service operating system 2' of this embodiment includes a detection tool 22 and an original system file reference module 21.

The original system file reference module 21 is used to mirror or back up the initial system information (including the set of files, the set of processes, the API interface addresses and the corresponding program code) when the guest operating system 1 first runs. The other units have substantially the same structure and functions as in Embodiment 1 of the present invention, and are not described again here.

The purpose of mirroring or backing up the system information of the guest operating system 1 when it first runs is as follows: when system files and API interfaces infected by a ROOTKIT are detected, according to the original information not infected by the ROOTKIT as collected by the detection tool agent module 22', the detection tool 22 replaces the information actually modified by the ROOTKIT and stored on the hard disk with the corresponding initial system information in the original system file reference module 21, thereby removing the unknown ROOTKIT.

Specifically, when the guest operating system 1 first runs, the original system file reference module 21 mirrors or backs up the initial system information; the detection tool 22 starts running on the virtual machine monitor 3, and is used to collect directly, from within the virtual machine monitor 3, the set of open files, the set of processes, the API interface addresses and other information of the running guest operating system 1, and to compare them with the set of files, set of processes, API interface addresses and other information collected by the detection tool agent module 22'. If some file or process is found only in the set collected by the detection tool 22 and was not collected by the detection tool agent module 22', the differing file may be a ROOTKIT; if an API interface address collected by the detection tool 22 does not match the API interface address collected by the detection tool agent module 22', the differing API interface address is an API interface replaced by the ROOTKIT. At this point, according to the difference information, the detection tool 22 replaces the information actually modified by the ROOTKIT and stored on the hard disk (for example, system files, API interface addresses and the corresponding program code) with the corresponding information saved in the original system file reference module 21, thereby removing the unknown ROOTKIT.

The method of removing an unknown ROOTKIT of this embodiment is described below with reference to FIG. 4, and includes the following steps:

Step 201) the original system file reference module 21 in the service operating system 2 mirrors or backs up the initial system information of the guest operating system 1;

Step 202) the detection tool 22 in the service operating system 2 starts running on the virtual machine monitor 3, collects through the virtual machine monitor 3 the set of files, set of processes, API interface addresses and other information that the user has open in the guest operating system 1, and notifies the detection tool agent module 22' in the guest operating system 1 to collect the set of files, set of processes, API interface addresses and other information that the user has open in the guest operating system 1;

Step 203) the detection tool agent module 22' in the guest operating system 1 transmits the information it collected to the detection tool 22 of the service operating system 2;

Step 204) the detection tool 22 compares the information it collected in step 202) with the information collected by the detection tool agent module 22' in step 203), and judges whether difference information exists (for example, differing files, differing processes and differing API interface addresses). If no difference information exists, there is no ROOTKIT in the guest operating system 1; the guest operating system 1 is notified and the check ends. Otherwise, step 205) is performed;

Step 205) for the difference information, the detection tool 22 replaces the information actually modified by the ROOTKIT and stored on the hard disk (for example, system files, API interfaces and the corresponding program code) with the corresponding initial system information mirrored or backed up in the original system file reference module 21, thereby removing the unknown ROOTKIT.

The application of the ROOTKIT-removal method of this embodiment in a real system is illustrated below with a concrete example:

The original system file reference module 21 in the service operating system 2 mirrors or backs up the system files 1 and 2 of the guest operating system 1 when it first runs, obtaining files 1' and 2'. The detection tool 22, running on the virtual machine monitor 3, collects the files open in the running guest operating system 1 as files 1, 2, 3 and 4. The detection tool agent module 22' in the guest operating system 1 collects the files the user has open in the guest operating system 1 as files 1 and 2, and the content of its file 1 differs from the content of file 1 collected by the detection tool 22: the content of file 1 collected by the detection tool 22 is abc, while the content of file 1 collected by the detection tool agent module 22' is def.

The collection process above shows that:

1) files 3 and 4 are new files created by the ROOTKIT on the hard disk;

2) the content of file 1 was def before the ROOTKIT intrusion and was changed to abc by the ROOTKIT.

At this point, files 3 and 4 need to be deleted and the content abc of file 1 changed back to def to restore the system to a state not damaged by the ROOTKIT. The detection tool 22 therefore replaces file 1 (with content abc), 3 and 4 stored on the hard disk with file 1' (with content def) saved in the original system file reference module 21, thereby removing the unknown ROOTKIT. The process of restoring system API interface addresses modified by the ROOTKIT is similar to that of restoring system files modified by the ROOTKIT, and is not illustrated separately here.
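The reference-module variant of steps 201 to 205, applied to the "system memory state information" that the text says is restored the same way as files, as an added Python example that is not the patent's code: the API table is modelled as name -> (entry address, leading code bytes), ReferenceModule stands in for the original system file reference module 21, and the API names, addresses and byte strings are constructed for the example.

```python
"""Reference-snapshot restore of system memory state, as in Embodiment 2.

The page's 'system memory state information' (API interface addresses plus
the program code behind them) is modelled as a table mapping
API name -> (entry address, leading code bytes). The reference module
snapshots that table when the guest first boots; the detection tool later
compares the VMM-side view with the in-guest agent's view and restores any
differing entry from the snapshot rather than from the agent's report.
"""

import hashlib
from typing import Dict, List, Tuple

ApiEntry = Tuple[int, bytes]          # (entry address, first bytes of code)
ApiTable = Dict[str, ApiEntry]


def fingerprint(entry: ApiEntry) -> str:
    """Digest over address and code bytes, so a one-byte patch is visible."""
    addr, code = entry
    return hashlib.sha256(addr.to_bytes(8, "little") + code).hexdigest()


class ReferenceModule:
    """Stand-in for the original system file reference module 21."""

    def __init__(self, initial: ApiTable):
        # Copy the entries so later changes to the live table cannot reach
        # the reference; in the patent this lives in the service OS.
        self._snapshot: ApiTable = {k: (a, bytes(c)) for k, (a, c) in initial.items()}

    def lookup(self, api: str) -> ApiEntry:
        return self._snapshot[api]

    def names(self) -> List[str]:
        return sorted(self._snapshot)


def find_tampered_apis(vmm_view: ApiTable, agent_view: ApiTable) -> List[str]:
    """Step 204: APIs whose address or code differs between the two views,
    or which only one side can see at all."""
    tampered = []
    for name in sorted(set(vmm_view) | set(agent_view)):
        v, a = vmm_view.get(name), agent_view.get(name)
        if v is None or a is None or fingerprint(v) != fingerprint(a):
            tampered.append(name)
    return tampered


def restore_from_reference(vmm_view: ApiTable, tampered: List[str],
                           ref: ReferenceModule) -> ApiTable:
    """Step 205: overwrite each tampered entry with the first-boot snapshot.
    Entries the snapshot never had (added after first boot) are dropped."""
    repaired = dict(vmm_view)
    for name in tampered:
        try:
            repaired[name] = ref.lookup(name)
        except KeyError:
            repaired.pop(name, None)
    return repaired


def verify_against_reference(table: ApiTable, ref: ReferenceModule) -> bool:
    """True when the table matches the snapshot entry for entry."""
    return sorted(table) == ref.names() and all(
        fingerprint(table[n]) == fingerprint(ref.lookup(n)) for n in ref.names())


# Constructed sample: a three-entry API table at first boot. Names,
# addresses and code bytes are invented for this example.
FIRST_BOOT: ApiTable = {
    "EnumProcesses": (0x7FF00010, b"\x48\x89\x5c\x24\x08"),
    "ReadFile":      (0x7FF00200, b"\x48\x83\xec\x28"),
    "Socket":        (0x7FF00300, b"\x40\x53\x48\x83"),
}
REFERENCE = ReferenceModule(FIRST_BOOT)

# Later VMM-side view: EnumProcesses now resolves elsewhere and ReadFile's
# leading bytes were changed; the in-guest agent still reports the original
# table because the changes are hidden from inside the guest.
VMM_LATER: ApiTable = {
    "EnumProcesses": (0x7FF0A000, b"\x48\x89\x5c\x24\x08"),
    "ReadFile":      (0x7FF00200, b"\x00\x11\x22\x33"),
    "Socket":        (0x7FF00300, b"\x40\x53\x48\x83"),
}
AGENT_LATER: ApiTable = dict(FIRST_BOOT)

if __name__ == "__main__":
    bad = find_tampered_apis(VMM_LATER, AGENT_LATER)
    fixed = restore_from_reference(VMM_LATER, bad, REFERENCE)
    print("tampered APIs:", bad)
    print("clean after restore:", verify_against_reference(fixed, REFERENCE))
```

The restore deliberately takes its data from the snapshot and not from the agent: the agent's report is still used to decide which entries differ, but the values written back come from the copy taken before the guest was exposed, which is the point of adding module 21 in this embodiment. Any entry that is present in the later view but absent from the snapshot is removed, mirroring how files 3 and 4 are deleted in the worked example.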

In this embodiment, placing the original system file reference module 21 in the service operating system 2 is a preferred arrangement, but the present invention is not limited to placing the original system file reference module 21 in the service operating system 2; it suffices that, when the guest operating system 1 first runs, the module completes the mirroring or backup of the initial system files, system API interface addresses and other information.

In summary, in the ROOTKIT-removal system of this embodiment, VMM software runs on the hardware platform, the guest operating system 1 and the service operating system 2' run on the VMM, the detection tool agent module 22' is installed in the guest operating system 1 to collect information about what is open directly in the guest operating system 1, and the detection tool 22 is installed in the service operating system 2' to collect directly, from within the virtual machine monitor 3, information about what is open in the running guest operating system 1 and compare it with the information collected by the detection tool agent module 22', revealing difference information so that an unknown ROOTKIT is reliably detected. By adding the original system file reference module 21, which retains the initial system information, the detection tool 22 can, for the difference information, substitute the corresponding information collected in the original system file reference module 21 for the information actually modified by the ROOTKIT on the hard disk, thereby removing the ROOTKIT. The detection tool 22 and the original system file reference module 21 of this embodiment run in a VMM-controlled memory area outside the operating system; since viruses and Trojans that attack the operating system cannot attack the VMM, the detection tool 22 and the original system file reference module 21 cannot be attacked, giving high security.

In the embodiment of the invention described above, placing the detection tool agent module in the guest operating system is only a preferred arrangement; the invention is not limited to placing the detection tool agent module in the guest operating system. The detection tool agent module may be realized in various other ways. For example, when the detection tool in the service operating system starts running, it copies itself, transfers the copy to the guest operating system to serve as the detection tool agent module, and the detection tool agent module then runs and resides in the guest operating system; alternatively, the detection tool in the service operating system transfers a detection tool agent module to the guest operating system, where it runs and resides. Because file copying and file transfer are prior art, they are not described again here.

In summary, the ROOTKIT removal system and method of the invention can reliably remove unknown ROOTKITs while the operating system is running in real time. The detection tool and the original system file reference module of the invention run in the service operating system memory region controlled by the VMM, outside the guest operating system; viruses and Trojans that attack operating-system security software cannot reach the VMM or the service operating system, so the detection tool and the original system file reference module cannot be attacked, and security is high.

Those of ordinary skill in the art will be able to derive further advantages and modifications from the above embodiments. The invention is therefore not limited to the specific embodiments described above, which serve only as detailed, exemplary illustrations of the invention. Without departing from the spirit of the invention, a person of ordinary skill in the art may obtain technical solutions by various equivalent substitutions based on the specific embodiments above, and all such solutions fall within the scope of the claims of the invention and their equivalents.

Claims (8)

1. A system for removing a ROOTKIT, characterized by comprising a virtual machine monitor (3), and a service operating system (2) and at least one guest operating system (1) running on the virtual machine monitor (3), and characterized in that: the guest operating system (1) comprises a detection tool agent module (22') for collecting information in the guest operating system (1) while the guest operating system (1) runs; the service operating system (2) comprises a detection tool (22); the detection tool (22) collects, in the virtual machine monitor (3), information on the guest operating system (1) at run time, compares the collected information with the information collected by the detection tool agent module (22'), determines whether a ROOTKIT is present, and replaces the information modified by the ROOTKIT in accordance with the information collected by the detection tool agent module (22').
2. The system for removing a ROOTKIT according to claim 1, characterized in that the service operating system (2) further comprises an original system file reference module (21) for saving the initial system information when the guest operating system (1) first runs.
3. The system for removing a ROOTKIT according to claim 1, characterized in that the information collected by the detection tool (22) and by the detection tool agent module (22') is file list information or system memory state information.
4. The system for removing a ROOTKIT according to claim 3, characterized in that the system memory state information is system API interface address information and the program code corresponding to the APIs.
5. A method for removing a ROOTKIT, characterized in that it is applied to a virtual machine monitor (3) on which a service operating system (2) and at least one guest operating system (1) run, and comprises the following steps: step A) a detection tool agent module (22') collects the user's information in the guest operating system (1); step B) the service operating system (2) contains a detection tool (22), which collects information on the guest operating system (1) at run time and compares it with the information collected by the detection tool agent module (22'); step C) when the comparison shows a difference and a ROOTKIT is determined to be present, the information modified by the ROOTKIT is replaced in accordance with the information collected by the detection tool agent module (22'), thereby removing the ROOTKIT.
6. The method for removing a ROOTKIT according to claim 5, characterized by further comprising the following steps: an original system file reference module (21) in the service operating system (2) saves the initial system information of the guest operating system (1); for the difference information, the detection tool (22) replaces the information saved on the hard disk that the ROOTKIT actually modified with the initial system information saved in the original system file reference module (21).
7. The method for removing a ROOTKIT according to claim 5, characterized in that the information collected by the detection tool (22) and by the detection tool agent module (22') is file list information or system memory state information.
8. The method for removing a ROOTKIT according to claim 7, characterized in that the system memory state information is API interface address information and the program code corresponding to the APIs.
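The cross-view comparison summarized in the embodiment above and laid out as steps A to C of claims 5 and 6, carried through as an added example that is not the patent's own code: an in-guest view (from agent module 22') is diffed against the view read through the VMM (by detection tool 22), and entries flagged as tampered are restored from the reference snapshot (module 21). File names, API names, addresses and code bytes are constructed sample values.

```python
from dataclasses import dataclass

# Added illustration of the cross-view check the patent describes, not the
# patent's own code. File names, addresses and code bytes are constructed.

@dataclass
class SystemView:
    files: frozenset   # file list information
    api_table: dict    # system API name -> (address, program code bytes)

def detect_rootkit(agent_view, vmm_view):
    """Steps B/C: diff the in-guest agent's view (22') against the view the
    detection tool (22) reads through the VMM (3). A file the guest cannot
    see, or an API entry it reports differently, is difference information."""
    hidden_files = sorted(vmm_view.files - agent_view.files)
    tampered_apis = sorted(
        name for name, entry in vmm_view.api_table.items()
        if agent_view.api_table.get(name) != entry)
    return {"hidden_files": hidden_files, "tampered_apis": tampered_apis}

def restore(vmm_view, reference, tampered_apis):
    """Claim 6: overwrite the entries the rootkit modified with the initial
    system information saved by the reference module (21)."""
    cleaned = dict(vmm_view.api_table)
    for name in tampered_apis:
        if name in reference.api_table:
            cleaned[name] = reference.api_table[name]
    return SystemView(vmm_view.files, cleaned)

# Constructed sample: snapshot saved when the guest first ran (module 21).
REFERENCE = SystemView(
    frozenset({"ntoskrnl.exe", "hal.dll"}),
    {"NtQueryDirectoryFile": (0x80501234, b"\x8b\xff\x55\x8b"),
     "NtQuerySystemInformation": (0x80505678, b"\x8b\xff\x55\x8b")})
# What the agent inside the guest reports: the rootkit hides rk.sys and
# answers the agent's lookup with the original, unhooked entry.
AGENT_VIEW = SystemView(REFERENCE.files, dict(REFERENCE.api_table))
# What the detection tool reads from guest memory and disk through the VMM.
VMM_VIEW = SystemView(
    frozenset({"ntoskrnl.exe", "hal.dll", "rk.sys"}),
    {"NtQueryDirectoryFile": (0xF7A0C000, b"\xe9\x00\x10\x00"),
     "NtQuerySystemInformation": (0x80505678, b"\x8b\xff\x55\x8b")})

def run_example():
    """Returns the difference information and the cleaned system view."""
    diff = detect_rootkit(AGENT_VIEW, VMM_VIEW)
    return diff, restore(VMM_VIEW, REFERENCE, diff["tampered_apis"])
```

The hidden file shows up only because the VMM-side view does not pass through the guest's hooked directory listing; the hooked API entry is caught because the VMM reads the raw table while the agent is shown the original value.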
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610066816 CN100596336C (en) 2006-03-29 2006-03-29 System and method for removing ROOTKIT

Publications (2)

Publication Number Publication Date
CN101046836A CN101046836A (en) 2007-10-03
CN100596336C true CN100596336C (en) 2010-03-31

Family

ID=38771440

Country Status (1)

Country Link
CN (1) CN100596336C (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100504904C (en) 2007-12-25 2009-06-24 北京大学 Windows concealed malevolence software detection method
CN101359351B (en) 2008-09-25 2010-11-10 中国人民解放军信息工程大学 Multilayer semantic annotation and detection method against malignancy
CN102122330B (en) * 2011-01-24 2014-12-03 中国人民解放军国防科学技术大学 'In-VM' malicious code detection system based on virtual machine
CN103150508B (en) * 2013-03-08 2015-10-21 北京理工大学 Identification based rootkit behavior of multi-dimensional view of the cross
CN104050413A (en) * 2013-03-13 2014-09-17 腾讯科技(深圳)有限公司 Method for data processing and terminal
CN103902902A (en) * 2013-10-24 2014-07-02 哈尔滨安天科技股份有限公司 Rootkit detection method and system based on embedded system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1314638A (en) 2001-04-29 2001-09-26 北京瑞星科技股份有限公司 Method, system and medium for detecting and clearing known and anknown computer virus
CN1656732A (en) 2002-05-23 2005-08-17 赛门铁克公司 Metamorphic computer virus detection
CN1743990A (en) 2005-08-12 2006-03-08 珠海金山软件股份有限公司 Transplatform virus detecting and killing method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102523215A (en) * 2011-12-15 2012-06-27 北京海云捷迅科技有限公司 Virtual machine (VM) online antivirus system based on KVM virtualization platform
CN102523215B (en) 2011-12-15 2014-10-01 北京海云捷迅科技有限公司 Virtual Machine online antivirus system kvm virtualization platform based on

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted