Rootkits are programs that use system hooking or modification to hide files, processes, registry keys, and other objects in order to conceal malicious behavior. Malicious programmers seek to develop rootkits that are difficult to detect and remove. One rootkit that is particularly difficult to detect is a rootkit hidden in the System Management Mode (“SMM”) region of a computing device. Such rootkits are referred to as SMM rootkits.
An SMM rootkit may access SMM memory space, which may be referred to as System Management Random Access Memory (“SMRAM”), to install a malicious System Management Interrupt (“SMI”) handler. The SMM rootkit may make SMRAM visible for reading and writing and may then write the malicious SMI handler to the SMRAM. Such a malicious SMI handler may operate as a chipset-level keylogger and a network backdoor. As such, a malicious SMI handler may be able to steal sensitive information from an infected computer. SMM rootkits may also be programmed to perform various other malicious behaviors.
After installing the malicious SMI handler, the rootkit may lock the SMRAM, which may make the SMRAM invisible from non-SMM processor modes. Thus, the malicious SMI handler may be difficult to detect and remove. What is needed, therefore, is an effective mechanism for defending against and detecting SMM rootkits.