FIELD: information technology.
SUBSTANCE: the method is implemented on a computer with an installed operating system (OS) and involves setting an interrupt point at the moment a user application makes a system call requesting transfer of control to an address in the kernel of the loaded OS, and checking the data structure of the loaded OS as follows: determining the address in computer memory of the instruction to which control will be handed during the system call; checking whether the addresses of the instructions executed during the system call belong to the normal address range of the kernel and the OS kernel modules in memory; and detecting the presence of malicious software when an instruction address does not belong to the normal address range.
EFFECT: high efficiency of detecting malware by enabling detection of illegal interception and alteration of the code in the kernel and in the OS kernel modules that are to be loaded.
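The address-range check described in the abstract, as an added example that is not code from the patent: it is simplified to a table of system call handler addresses, and the image names, addresses and table layout are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Address range occupied by the kernel image or by one loaded kernel module. */
struct image_range { const char *name; uint64_t base; uint64_t size; };

/* Constructed sample: the "normal" ranges recorded for the loaded OS. */
static const struct image_range known_images[] = {
    { "kernel",     0xFFFFF80002A00000ULL, 0x5E0000ULL },
    { "fs_driver",  0xFFFFF88001000000ULL, 0x040000ULL },
    { "net_driver", 0xFFFFF88001200000ULL, 0x020000ULL },
};
/* Constructed sample: addresses that receive control for system calls 0..5. */
static const uint64_t handler_table[] = {
    0xFFFFF80002A51000ULL, 0xFFFFF80002B00400ULL, 0xFFFFF88001010000ULL,
    0xFFFFFA8003C4D000ULL, /* outside every known image */
    0xFFFFF88001200000ULL, /* first byte of net_driver: inside */
    0xFFFFF88001220000ULL, /* one past the end of net_driver: outside */
};
#define N_IMAGES   (sizeof known_images / sizeof known_images[0])
#define N_HANDLERS (sizeof handler_table / sizeof handler_table[0])
/* Returns the image containing addr, or NULL. Subtracting first avoids base + size wrapping. */
const struct image_range *owner_of(uint64_t addr)
{
    for (size_t i = 0; i < N_IMAGES; i++)
        if (addr >= known_images[i].base &&
            addr - known_images[i].base < known_images[i].size)
            return &known_images[i];
    return NULL;
}

/* Stores the indexes of handlers outside all known ranges; returns their count. */
size_t find_foreign_handlers(size_t *out, size_t out_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < N_HANDLERS; i++)
        if (owner_of(handler_table[i]) == NULL) {
            if (found < out_cap) out[found] = i;
            found++;
        }
    return found;
}

int main(void)
{
    size_t bad[N_HANDLERS], n = find_foreign_handlers(bad, N_HANDLERS);
    for (size_t i = 0; i < n; i++)
        printf("syscall %zu: handler outside kernel and module ranges\n", bad[i]);
    return 0;
}
```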
Title | Year | Author | Number |
---|---|---|---|
METHOD FOR CODE PERFORMANCE IN HYPERVISOR MODE | 2015 | | RU2609761C1 |
METHOD OF INVOKING SYSTEM FUNCTIONS IN CONDITIONS OF USE OF AGENTS FOR PROTECTING OPERATING SYSTEM KERNEL | 2014 | | RU2585978C2 |
METHOD OF CREATING A SYSTEM CALL HANDLER | 2014 | | RU2596577C2 |
SYSTEM AND METHOD OF DETECTING THE HARMFUL CODE IN THE ADDRESS PROCESS SPACE | 2017 | | RU2665910C1 |
SYSTEM AND METHOD OF DETECTING MALICIOUS SCRIPT | 2017 | | RU2659738C1 |
METHOD OF DETECTING UNKNOWN PROGRAMS BY LOAD PROCESS EMULATION | 2011 | | RU2472215C1 |
SYSTEM AND METHOD OF DETECTING MALICIOUS CODE IN FILE | 2016 | | RU2637997C1 |
SYSTEM AND METHOD OF ASSESSMENT OF HARMFULNESS OF CODE EXECUTED IN ADDRESSING SPACE OF CONFIDENTIAL PROCESS | 2013 | | RU2531861C1 |
METHOD OF EMULATING SYSTEM FUNCTION CALLS FOR EVADING EMULATION COUNTERMEASURES | 2012 | | RU2514141C1 |
METHOD OF CREATING ANTIVIRUS RECORD WHEN DETECTING MALICIOUS CODE IN RANDOM-ACCESS MEMORY | 2015 | | RU2592383C1 |
Dates
2014-03-20—Published
2012-04-11—Filed