With Internet use forming an ever greater part of day to day life, security exploits that steal or destroy system resources, data, and private information are an increasing problem. Governments and businesses devote significant resources to preventing intrusions and thefts related to these security exploits. Security exploits come in many forms, such as computer viruses, worms, trojan horses, spyware, keystroke loggers, adware, and rootkits. These exploits are delivered in or through a number of mechanisms, such as spearfish emails, clickable links, documents, executables, or archives. Some of the threats posed by security exploits are of such significance that they are described as cyber terrorism or industrial espionage.
To compromise security software or to gain control of a computing device regardless of the presence of security software, security exploits are often designed to launch early in a boot phase of a computing device. A security exploit may accomplish this by modifying a driver initialization order used by an operating system during the boot phase to place a driver associated with the security exploit first in a list of drivers initialized by the operating system. When initialized, the security exploit driver may launch the security exploit.
Also, security software may monitor the loading of drivers by an operating system kernel, which may notify the security software when drivers are loaded. In some operating systems, however, some drivers, referred to as “boot drivers,” may be loaded by a boot loader, and those operating systems may not notify the security software of the loading of the boot drivers. Thus, a security exploit posing as a boot driver that is loaded by a boot loader during a boot phase may escape detection by security software.