1. Field of the Invention
The present invention relates generally to computer antivirus, and more particularly but not exclusively to detection and removal of kernel rootkits.
2. Description of the Background Art
Rootkits comprise computer-readable program code designed to conceal running processes, files, or system data. Rootkits may be used to surreptitiously modify parts of the operating system or to install themselves as drivers or kernel modules. Increasingly, rootkits are being used by virus coders as malicious code or as part of malicious code. Kernel rootkits, also known as “kernel-mode rootkits,” are especially difficult to detect because they patch the operating system kernel to prevent common file and registry scans from detecting them. Even when kernel rootkits are detected by behavior monitoring, they are still difficult to remove because they usually modify the corresponding kernel application programming interfaces (APIs) to prevent any application program from removing them. What is needed is an effective technique that allows for detection and removal of kernel rootkits.