1. Field of the Invention
The present invention relates to the protection of computer systems. More particularly, the present invention relates to a method for scanning the memory of a computer system for viruses.
2. Description of the Related Art
Windows® NT and Windows® 2000 are 32-bit operating systems widely used on home and business computer systems. As such, virus writers are continually working to develop viruses that can attack and exploit these operating systems.
Windows® NT and Windows® 2000 provide page-based virtual memory management schemes that permit programs to realize a 4 GB (gigabyte) virtual memory address space. When the computer system processor is running in virtual memory mode, all addresses are assumed to be virtual addresses and are translated, or mapped, to physical addresses in main memory each time the processor executes a new instruction to access memory.
Conventionally, the 4 GB virtual memory address space is divided into two parts: a lower 2 GB user address space, also referred to as user mode address space or ring 3, available for use by a program; and, a high 2 GB system address space, also referred to as kernel address space or ring 0, reserved for use by the operating system.
To protect the integrity of the operating system code and other kernel address space code and data structures from errant or malicious programs and to provide efficient system security (user rights management), Windows® NT and Windows® 2000 separate code executing in the user address space, e.g., user mode, from code executing in the kernel address space, e.g., kernel mode. User mode code typically does not have direct access to kernel mode code and has restricted access to computer system resources and hardware. To utilize kernel mode code functionalities, such as access to disk drives and network connections, user mode programs utilize system calls that interface between the user mode and kernel mode functions.
In Windows® NT and Windows® 2000, memory is divided into equal portions termed pages. For example, on 32-bit Intel architectures, also known as IA32, pages are 4 KB in size, whereas Windows® 2000 on an Alpha CPU would use 8 KB pages. Access to memory pages, for example read access, is controlled by control flags assigned to each page of memory. Pages that are read accessible by a program or driver, such as for scanning, are flagged valid; pages that are not read accessible, such as when a program lacks access rights or when a driver has been unloaded from memory, are flagged invalid.
In Windows® NT and Windows® 2000, a user mode program typically has read/write access to pages of memory in the user address space, whereas kernel mode programs, such as kernel mode drivers, have read/write access to pages of memory in both the kernel address space and the user address space.
In the user address space, if a user mode application attempts a read access to an invalid page of memory, the operating system generates an exception, e.g., a page fault. Typically, an exception handler handles the exception so that the operating system does not crash. In the kernel address space, however, exceptions such as page faults are not handled by an exception handler. Consequently, if a kernel mode application or driver attempts a read access to an invalid page of memory, the operating system generates an exception and deliberately crashes.
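The following C model, added here as an illustration and not part of this patent's description, walks a page-aligned kernel-space range 4 KB at a time and consults the per-page valid flag before reading each page, so an invalid page is skipped rather than faulted on; the 4 KB page size and the 2 GB/2 GB split are taken from the text, while the lookup callback, the four-page image and the marker bytes are constructed for the example (a real driver would ask the operating system whether a page is valid instead of calling a table).

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE   4096u        /* IA32 page size named in the description */
#define KERNEL_BASE 0x80000000u  /* first address of the upper 2 GB kernel space */

/* Constructed stand-in for the per-page valid flag plus page contents: returns the
 * page's bytes, or NULL if the page is invalid (a real kernel read would fault). */
typedef const uint8_t *(*page_lookup_fn)(uint32_t page_va);

/* Scan the page-aligned range [start, end) for sig without touching an invalid
 * page; a straddling match needs both pages valid. Returns first hit address or 0. */
uint32_t scan_range(uint32_t start, uint32_t end, const uint8_t *sig,
                    size_t siglen, page_lookup_fn lookup)
{
    static uint8_t window[2 * PAGE_SIZE];
    for (uint32_t va = start; va < end; va += PAGE_SIZE) {
        const uint8_t *page = lookup(va);
        if (page == NULL) continue;            /* invalid page: skip, never read */
        memcpy(window, page, PAGE_SIZE);
        size_t avail = PAGE_SIZE;
        const uint8_t *next = (va + PAGE_SIZE < end) ? lookup(va + PAGE_SIZE) : NULL;
        if (next != NULL) {                    /* next page valid: allow straddling match */
            memcpy(window + PAGE_SIZE, next, PAGE_SIZE);
            avail = 2 * PAGE_SIZE;
        }
        for (size_t off = 0; off < PAGE_SIZE && off + siglen <= avail; off++)
            if (memcmp(window + off, sig, siglen) == 0) return va + (uint32_t)off;
    }
    return 0;
}
static uint8_t demo_mem[4][PAGE_SIZE];                         /* constructed image */
static const bool demo_valid[4] = { true, true, false, true }; /* page 2 invalid */
static const uint8_t demo_sig[4] = { 0xDE, 0xAD, 0xBE, 0xEF }; /* made-up marker */
static const uint8_t *demo_lookup(uint32_t page_va)
{
    uint32_t idx = (page_va - KERNEL_BASE) / PAGE_SIZE;
    return (idx < 4 && demo_valid[idx]) ? demo_mem[idx] : NULL;
}
/* Plants the marker in three spots (one crossing into invalid page 2) and scans. */
uint32_t demo_scan(uint32_t start)
{
    memset(demo_mem, 0, sizeof demo_mem);
    memcpy(&demo_mem[0][PAGE_SIZE - 2], demo_sig, 2);      /* straddles pages 0 -> 1 */
    memcpy(&demo_mem[1][0], demo_sig + 2, 2);
    memcpy(&demo_mem[1][PAGE_SIZE - 2], demo_sig, 2);      /* straddles 1 -> invalid 2 */
    memcpy(&demo_mem[3][100], demo_sig, 4);                /* wholly inside page 3 */
    return scan_range(start, KERNEL_BASE + 4 * PAGE_SIZE, demo_sig, 4, demo_lookup);
}
```

Scanning from page 0 finds the marker that straddles two valid pages; scanning from page 1 does not follow the marker into the invalid page and instead reports the copy inside page 3.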
Currently, the majority of Windows® viruses are loaded into user address space and implemented in the user mode. Anti-virus programs in the prior art typically ran in the user mode to detect computer viruses in the user address space. Recently, however, some newly emerged viruses are implemented as drivers in the kernel address space, e.g., a kernel mode driver virus. For example, WNT.Infis.4608 was implemented as a kernel mode driver virus under Windows® NT and a minor variant of this virus was developed for Windows® 2000. As the virus is run in the kernel mode, it is essentially undetectable in memory by anti-virus programs that implement memory scanning in the user mode.