The accompanying drawings, which are included to provide a further understanding of the invention, are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the principle of the invention. In the drawings:
Reference will now be made in detail to the preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings.
Hereinafter, a system and method for detecting a hidden process using system event information according to an embodiment of the present invention will be described.
Referring to
The kernel layer monitoring module 100 includes a file monitoring module 110, a registry monitoring module 120 and a network monitoring module 130 in order to monitor system event information provided from a kernel layer. The file monitoring module 110 monitors a file system at a kernel layer. The registry monitoring module 120 monitors registries accessed at the kernel layer, and the network monitoring module 130 monitors a network in real-time.
Since system information is allocated to execute a process in a kernel layer, information related to a hidden process is shown in the kernel layer.
The file monitoring module 110 is a module that finds file system event information by monitoring a file system at a kernel layer in real-time. The file monitoring module 110 monitors file system event information such as which processes access a predetermined file, which file is accessed by a predetermined process, and what kind of event causes a process to access a file. The file system event information outputted from the file monitoring module 110 includes the name of a process accessing a predetermined file, a time for accessing a predetermined file, a file request event such as Query information, Open or Close, a path for accessing a predetermined file and a result of accessing a predetermined file such as success or failure to access the file. The file system event information outputted from the file monitoring module 110 is provided to the kernel layer process list detecting module 200.
The registry monitoring module 120 is a module that monitors registries accessed at a kernel layer in real-time. The registry monitoring module 120 detects which process requests predetermined registry event information and which registry event information is requested by a predetermined process. The registry event information outputted from the registry monitoring module 120 includes the name of a process accessing a predetermined registry, a time for accessing a predetermined registry, a registry request event such as OpenKey and CloseKey, a path for accessing a registry, and a result of accessing a registry such as success or failure to access the registry. The registry monitoring module 120 provides the registry event information to the kernel layer process list detecting module 200.
The network monitoring module 130 detects network event information by monitoring a network in real-time. The network monitoring module 130 monitors information in real-time, such as which process receives or transmits a predetermined packet, what packet is transmitted or received, and which port is used to transmit and receive a predetermined packet. The network event information outputted from the network monitoring module 130 is the name of a process accessing a network, a time for generating a network packet, a transmitter address, a receiver address, a transmitter port, a receiver port, the length of a packet, a checksum, a TTL value and fragmentation information. The network monitoring module 130 provides the network event information to the kernel layer process list detecting module 200.
The kernel layer monitoring module 100 may include a system event information filtering module 140 for monitoring the system event information of a system kernel layer.
The system event information filtering module 140 excludes a predetermined event and a predetermined process from the objects of monitoring system event information at a kernel layer. That is, the system event information filtering module 140 reduces the objects of monitoring the system event information in order to increase the performance of the hidden process detecting system.
The kernel layer process list detecting module 200 extracts a list of processes accessing an event from the system event information provided from the kernel layer monitoring module 100. The system event information includes file event information obtained by the file monitoring module 110, registry event information obtained by the registry monitoring module 120 and network event information obtained by the network monitoring module 130. The process list extracted from the kernel layer process list detecting module 200 may include a file access process, a registry access process and a network access process.
The application layer process list detecting module 300 detects process list information provided to a user from an application layer. Generally, the process list information is the process information provided to a user from the application layer through the Win32 API. In the case of a Windows system, the process list information is the process list provided through the task manager.
The kernel layer process list, which is detected from the kernel layer process list detecting module 200, and the application layer process list, which is detected from the application layer process list detecting module 300, are transferred to the hidden process detecting module 400.
The hidden process detecting module 400 finds a hidden process by comparing the kernel layer process list and the application layer process list.
The information about the hidden process is not shown at the application layer, but it is exposed in the kernel layer because the process must receive resources there in order to execute.
Therefore, if a process is present only at the kernel layer and not in the application layer, the process is determined as a hidden process.
However, if the kernel layer process list and the application layer process list are identical, the process executed in the system is determined as a normal process.
The hidden process removing module 500 terminates or removes the hidden process if the hidden process detecting module 400 detects a hidden process.
The hidden process removing module 500 processes the hidden process according to the user's decision.
Referring to
Although the operation for detecting the hidden process may begin by a begin instruction inputted from the user, it is preferable that the operation for detecting the hidden process is continuously performed while the system is operating in order to detect the hidden process in real-time.
After the operation for detecting the hidden process begins at step S210, an operation for monitoring a kernel layer and an operation for detecting an application layer process list are performed at steps S220 and S230.
At the kernel layer monitoring step S220, the system event information is extracted by monitoring the kernel layer of the system.
In the kernel layer monitoring step S220, file event information is extracted by monitoring a file system at step S221, registry event information is extracted by monitoring registries at step S222, and network event information is extracted by monitoring a network at step S223.
The system event information extracted in the kernel layer monitoring step S220 is provided for detecting a kernel layer process list at step S240.
At the kernel layer process list detecting step S240, a kernel layer process list, which is a list of processes accessing an event, is extracted from the system event information. The extracted kernel layer process list is provided for comparing a kernel layer process list and an application layer process list at step S250.
At the application layer process list detecting step S230, information of a process list provided to a user from an application layer is detected and provided for comparing a kernel layer process list and an application layer process list at step S250.
At the process list comparing step S250, it is determined whether the kernel layer process list and the application layer process list are identical by comparing the two lists.
If the kernel layer process list and the application layer process list are identical, the processes are determined as normal processes at step S260.
If the kernel layer process list and the application layer process list are not identical, processes, which are present only in the kernel layer process list but not in the application layer, are determined as hidden processes at step S270.
The determined hidden processes are processed according to the user's decision. If the user wants to delete the detected hidden processes, the hidden processes are removed from the system at step S280.
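The modules described above (the monitoring module 100 with its filtering module 140, the kernel layer process list detecting module 200, and the comparison performed by the hidden process detecting module 400) and the corresponding steps S220 to S280, as an added Python example that is not part of the patent. The event records, process names, paths and exclusion sets are constructed samples; the record field names are assumptions chosen to match the fields the description lists for each monitor.

```python
"""Cross-view hidden-process check driven by kernel-layer event records.

Added example, not the patent's own code. Three record types stand in for the
output of the file, registry and network monitors; a filter drops excluded
processes and request types; the kernel-layer process list is the set of
process names seen in any remaining event; the difference against the
application-layer list (the task-manager view) is the hidden set.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Union


@dataclass(frozen=True)
class FileEvent:            # fields from the file monitoring module (110)
    process: str            # name of the process accessing the file
    time: str
    request: str            # e.g. "Open", "Close", "QueryInformation"
    path: str
    result: str             # "success" or "fail"


@dataclass(frozen=True)
class RegistryEvent:        # fields from the registry monitoring module (120)
    process: str
    time: str
    request: str            # e.g. "OpenKey", "CloseKey"
    path: str
    result: str


@dataclass(frozen=True)
class NetworkEvent:         # fields from the network monitoring module (130)
    process: str
    time: str
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int
    length: int
    ttl: int


Event = Union[FileEvent, RegistryEvent, NetworkEvent]

# Constructed sample records; "hidden_svc.exe" is the hypothetical process
# that is active in the kernel layer but absent from the application layer.
KERNEL_EVENTS: List[Event] = [
    FileEvent("explorer.exe", "10:00:01", "Open", r"C:\Users\u\doc.txt", "success"),
    FileEvent("svchost.exe", "10:00:02", "QueryInformation", r"C:\Windows\System32\x.dll", "success"),
    FileEvent("hidden_svc.exe", "10:00:03", "Open", r"C:\Windows\Temp\drop.bin", "success"),
    RegistryEvent("hidden_svc.exe", "10:00:04", "OpenKey", r"HKLM\SOFTWARE\Example\Run", "success"),
    RegistryEvent("explorer.exe", "10:00:05", "OpenKey", r"HKCU\Software\Classes", "fail"),
    NetworkEvent("hidden_svc.exe", "10:00:06", "10.0.0.5", "203.0.113.9", 49152, 443, 512, 128),
    NetworkEvent("chrome.exe", "10:00:07", "10.0.0.5", "198.51.100.2", 49153, 443, 1400, 128),
    FileEvent("System", "10:00:08", "Close", r"C:\pagefile.sys", "success"),
]

# Constructed application-layer list, as a task manager would show it.
APP_LAYER_LIST = ["System", "explorer.exe", "svchost.exe", "chrome.exe"]


def filter_events(events: Iterable[Event], excluded_processes: Set[str],
                  excluded_requests: Set[str]) -> List[Event]:
    """Filtering module (140): drop predetermined processes and request
    types before they reach the process-list detector (step S220)."""
    kept = []
    for ev in events:
        if ev.process in excluded_processes:
            continue
        request = getattr(ev, "request", None)   # network events carry none
        if request is not None and request in excluded_requests:
            continue
        kept.append(ev)
    return kept


def kernel_process_list(events: Iterable[Event]) -> Set[str]:
    """Kernel layer process list detecting module (200) / step S240: every
    process name seen in a file, registry or network event, failures included."""
    return {ev.process for ev in events}


def detect_hidden(kernel_list: Iterable[str], app_list: Iterable[str]) -> Set[str]:
    """Step S250: processes present only in the kernel-layer list (S270).
    An empty result means the two views agree (S260)."""
    return set(kernel_list) - set(app_list)


def decide_actions(hidden: Set[str], remove: bool) -> Dict[str, str]:
    """Removing module (500) / step S280: the action per hidden process is
    driven by the user's decision; this returns the plan instead of acting."""
    return {name: ("terminate" if remove else "report") for name in sorted(hidden)}


def run_detection(events: Iterable[Event], app_list: Iterable[str],
                  excluded_processes: Set[str] = frozenset(),
                  excluded_requests: Set[str] = frozenset()) -> Set[str]:
    filtered = filter_events(events, excluded_processes, excluded_requests)
    return detect_hidden(kernel_process_list(filtered), app_list)


if __name__ == "__main__":
    found = run_detection(KERNEL_EVENTS, APP_LAYER_LIST,
                          excluded_processes={"System"}, excluded_requests={"Close"})
    print(decide_actions(found, remove=False))
```

Two properties of this comparison are worth keeping in mind when tuning the filtering module: any process placed in the exclusion set can never be flagged, so that set should hold only names whose kernel-layer activity is trusted, and the comparison is by process name, so the kernel-side record should carry whatever identifier the application-layer list also exposes (the name alone cannot distinguish two processes sharing one name).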
As described above, the system and method for detecting the hidden process according to the present invention can protect the user's system from the hidden process by detecting the hidden process in real-time using system event information provided from the kernel layer.
Also, the system and method for detecting the hidden process according to the present invention can detect and remove the hidden process using event information generated in the system even if the hidden process is in the idle state. Furthermore, the system and method for detecting the hidden process according to the present invention can detect the hidden process at the moment the hidden process is executed because real-time event information is used to detect the hidden process.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention. Thus, it is intended that the present invention covers the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents.
Number | Date | Country | Kind |
---|---|---|---|
2006-55951 | Jun 2006 | KR | national |