MALWARE AUTO-ANALYSIS SYSTEM AND METHOD USING KERNEL CALLBACK MECHANISM
Format: Patent
Language: English
Published: 29.03.2012
Application Number: US20100942700

Summary: In a malware auto-analysis method using a kernel callback mechanism, the process monitor driver, a kernel driver, registers one of its functions as a callback function through PsSetCreateProcessNotifyRoutine when the computer boots. The registry monitor driver registers one of its functions as a callback function through CmRegisterCallback when that driver is loaded. The file monitor driver registers a kernel driver as a mini-filter driver with the Filter Manager present in the Windows system. A behavior event collector receives at least one of a process event, a registry event, or an Input/Output (I/O) event from the process monitor driver, the registry monitor driver, or the file monitor driver, respectively.
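The mechanism the summary describes, as an added user-mode model in C (this is example code, not the patent's code and not a loadable Windows driver): three monitors register callbacks through functions whose shapes are simplified from PsSetCreateProcessNotifyRoutine, CmRegisterCallback and the Filter Manager mini-filter interface, and a behavior event collector receives the resulting process, registry and I/O events. The event layout, the register_*/notify_* names, the attribution of events to the sample's process tree (the check a real collector needs so that activity from unrelated processes on the analysis host is not credited to the sample) and the replayed scenario are this example's own assumptions.

```c
/* User-mode model of the kernel-callback collector in the summary above.
 * Added example, not the patent's code. register_process_notify,
 * register_registry_notify and register_io_notify stand in for
 * PsSetCreateProcessNotifyRoutine, CmRegisterCallback and FltRegisterFilter
 * with simplified parameters; everything else is this example's assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { EV_PROCESS, EV_REGISTRY, EV_IO } event_kind;

typedef struct {
    event_kind kind;
    uint32_t   pid;
    uint32_t   parent_pid; /* EV_PROCESS only */
    int        flag;       /* EV_PROCESS: 1 create / 0 exit; EV_REGISTRY: 1 pre-op / 0 post-op */
    char       detail[96]; /* registry key or file path */
} behavior_event;

#define MAX_EVENTS  256
#define MAX_TRACKED 32

typedef struct {
    behavior_event events[MAX_EVENTS];
    size_t   count;
    uint32_t tracked[MAX_TRACKED]; /* the sample's PID and its descendants */
    size_t   ntracked;
} behavior_collector;

/* Callback shapes, simplified from the kernel ones */
typedef void (*process_notify_fn)(void *ctx, uint32_t parent, uint32_t pid, int create);
typedef void (*registry_notify_fn)(void *ctx, uint32_t pid, int pre, const char *key);
typedef void (*io_notify_fn)(void *ctx, uint32_t pid, const char *path);

/* One registration slot per mechanism (the kernel keeps a list of notify routines) */
static struct { process_notify_fn fn;  void *ctx; } g_proc_cb;
static struct { registry_notify_fn fn; void *ctx; } g_reg_cb;
static struct { io_notify_fn fn;       void *ctx; } g_io_cb;

void register_process_notify(process_notify_fn fn, void *ctx)   { g_proc_cb.fn = fn; g_proc_cb.ctx = ctx; }
void register_registry_notify(registry_notify_fn fn, void *ctx) { g_reg_cb.fn = fn;  g_reg_cb.ctx = ctx; }
void register_io_notify(io_notify_fn fn, void *ctx)             { g_io_cb.fn = fn;   g_io_cb.ctx = ctx; }

/* What the kernel does when the event occurs: invoke the registered routine, if any */
static void notify_process(uint32_t parent, uint32_t pid, int create) { if (g_proc_cb.fn) g_proc_cb.fn(g_proc_cb.ctx, parent, pid, create); }
static void notify_registry(uint32_t pid, int pre, const char *key)   { if (g_reg_cb.fn)  g_reg_cb.fn(g_reg_cb.ctx, pid, pre, key); }
static void notify_io(uint32_t pid, const char *path)                 { if (g_io_cb.fn)   g_io_cb.fn(g_io_cb.ctx, pid, path); }

int collector_is_tracked(const behavior_collector *c, uint32_t pid) {
    for (size_t i = 0; i < c->ntracked; i++) if (c->tracked[i] == pid) return 1;
    return 0;
}
static void track(behavior_collector *c, uint32_t pid) {
    if (!collector_is_tracked(c, pid) && c->ntracked < MAX_TRACKED) c->tracked[c->ntracked++] = pid;
}
static void record(behavior_collector *c, event_kind k, uint32_t pid, uint32_t parent, int flag, const char *detail) {
    if (c->count >= MAX_EVENTS) return; /* drop rather than overrun the buffer */
    behavior_event *e = &c->events[c->count++];
    e->kind = k; e->pid = pid; e->parent_pid = parent; e->flag = flag;
    snprintf(e->detail, sizeof e->detail, "%s", detail ? detail : "");
}
void collector_init(behavior_collector *c, uint32_t sample_pid) { memset(c, 0, sizeof *c); track(c, sample_pid); }

/* The collector's three callbacks: attribute each event to the sample's process
 * tree and discard events from unrelated processes on the analysis host. */
static void on_process(void *ctx, uint32_t parent, uint32_t pid, int create) {
    behavior_collector *c = ctx;
    if (create && collector_is_tracked(c, parent)) track(c, pid); /* follow children */
    if (collector_is_tracked(c, pid)) record(c, EV_PROCESS, pid, parent, create, NULL);
}
static void on_registry(void *ctx, uint32_t pid, int pre, const char *key) {
    behavior_collector *c = ctx;
    if (collector_is_tracked(c, pid)) record(c, EV_REGISTRY, pid, 0, pre, key);
}
static void on_io(void *ctx, uint32_t pid, const char *path) {
    behavior_collector *c = ctx;
    if (collector_is_tracked(c, pid)) record(c, EV_IO, pid, 0, 0, path);
}

size_t collector_count(const behavior_collector *c, event_kind k) {
    size_t n = 0;
    for (size_t i = 0; i < c->count; i++) if (c->events[i].kind == k) n++;
    return n;
}

/* Constructed scenario: the events the three monitors would deliver while a sample
 * (PID 1000) runs, plus noise from an unrelated process (PID 2000). Returns the
 * number of events the collector kept. */
size_t run_sample_scenario(behavior_collector *c) {
    collector_init(c, 1000);
    register_process_notify(on_process, c);
    register_registry_notify(on_registry, c);
    register_io_notify(on_io, c);
    notify_process(400, 1000, 1);                                              /* sample starts  */
    notify_process(1000, 1001, 1);                                             /* spawns a child */
    notify_registry(1001, 1, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run");
    notify_io(1000, "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe");
    notify_io(2000, "C:\\Windows\\Temp\\unrelated.log");                       /* dropped */
    notify_registry(2000, 1, "HKLM\\SOFTWARE\\Unrelated");                     /* dropped */
    notify_process(1000, 1001, 0);                                             /* child exits */
    return c->count;
}

int main(void) {
    behavior_collector c;
    size_t n = run_sample_scenario(&c);
    for (size_t i = 0; i < n; i++)
        printf("%zu kind=%d pid=%u parent=%u flag=%d %s\n", i, (int)c.events[i].kind,
               c.events[i].pid, c.events[i].parent_pid, c.events[i].flag, c.events[i].detail);
    return 0;
}
```

Running it replays the scenario and prints the five events attributed to the sample; the two events from PID 2000 never reach the trace because that process is neither the sample nor one of its descendants.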