Basic methods of detecting malware in application software, which have been developed and are presently used, rely on:
1) detecting facts of hiding programs, files, processes and kernel modules by checking for such objects at various levels of an operating system (OS);
2) detecting features of earlier registered malware, in particular, sequences of executed code bytes, strings and constants typical of malware;
3) checking the integrity of the executable kernel code in random-access memory.
Rootkit Profiler LX is a conventional application software package for detecting malware [1].
Rootkit Profiler LX checks:
1) addresses of the system call table, interrupt table, system call handler and interrupt handler;
2) the system call code and interrupt handler code;
3) pointers in structures of the Virtual File System (VFS).
Therefore, said known tool has the deficiency that it neither checks the integrity of the entire kernel code nor dynamically checks execution of the kernel code, so interceptions (hooks) in OS data structures, as well as interceptions and code modifications in the kernel (except for virtual file system structures), cannot be detected.
Another conventional method for detecting malware [2] that is implemented in a computer with an operating system, according to one embodiment, comprises the steps of:
setting a break point when a user application makes a system call requesting to modify a data structure of the loaded operating system;
checking the data structure of the loaded operating system by performing the steps of:
determining an address of a command, which has made modifications to the data structure, in the computer random-access memory;
checking whether the command address belongs to a normal range of addresses of the operating system in the random-access memory;
identifying presence of malware if the command address does not belong to the normal range of addresses.
In this context, the term “data structure” refers to tables of executed processes (including user applications) generated by the operating system, links to the system registry and files, etc.
Prior to implementing the method, read and write access is provided to the random-access memory areas holding the loaded OS kernel and kernel modules, and the operating system is loaded into the computer. The method can be implemented in computers running a general-purpose operating system, such as Unix, Linux, Microsoft Windows, etc.
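The "normal range of addresses" check from the steps above, written out as an added example (it is not the patent's or any tool's own code). It assumes the core kernel text bounds come from System.map-style _stext/_etext lines and the module ranges from lines in the format of Linux /proc/modules; every sample value is constructed. It generalizes the check slightly by treating each loaded module as its own named range rather than one undifferentiated kernel range.

```python
"""Classify a command (caller) address against the OS's 'normal' address ranges.
Added example; assumed input formats: System.map symbol lines and Linux /proc/modules
lines. All values below are constructed, not taken from a real machine."""
from typing import List, Tuple

# Constructed System.map-style lines bounding the core kernel text.
SYSTEM_MAP = """\
ffffffff81000000 T _stext
ffffffff81e00000 T _etext
"""

# Constructed /proc/modules-style lines: name size refcount deps state address
# (on a real system these addresses are only shown to a privileged reader).
PROC_MODULES = """\
ext4 745472 2 - Live 0xffffffffc0a00000
nf_conntrack 172032 1 nf_nat, Live 0xffffffffc0980000
"""

Range = Tuple[str, int, int]  # (name, start, end), end exclusive


def parse_system_map(text: str) -> Tuple[int, int]:
    """Return (start, end) of the core kernel text from _stext/_etext."""
    syms = {}
    for line in text.splitlines():
        addr, _kind, name = line.split()
        syms[name] = int(addr, 16)
    return syms["_stext"], syms["_etext"]


def parse_proc_modules(text: str) -> List[Range]:
    """Return one (name, start, end) range per loaded module."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        name, size, base = fields[0], int(fields[1]), int(fields[-1], 16)
        ranges.append((name, base, base + size))
    return ranges


def normal_ranges(system_map: str, proc_modules: str) -> List[Range]:
    """Kernel text plus every module's text: the 'normal' OS address set."""
    start, end = parse_system_map(system_map)
    return [("kernel", start, end)] + parse_proc_modules(proc_modules)


def classify(addr: int, ranges: List[Range]) -> str:
    """Name the range containing addr; 'SUSPECT' if it lies in none of them."""
    for name, lo, hi in ranges:
        if lo <= addr < hi:
            return name
    return "SUSPECT"
```

A modification made from an address classified as SUSPECT is the case the method treats as a malware indication; a hit inside a known module still warrants confirming that the module itself is expected.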
The method can be directly implemented using the following preliminarily created application software:
kernel debugger facilities operative to obtain data from data structures generated by the operating system by setting a break point;
an integrity checker operative to determine whether the data obtained by the kernel debugger facilities when the break point has been set contains inconsistencies typical of malware;
a detection module for coordinating the obtained data generated by the operating system, and for providing data to the integrity checker.
These software tools are not unique and can be created by a skilled person (programmer) familiar with the functions executed by the tools.
The latter known method is the most relevant prior art for the present invention.
However, said known method has the drawback of a low probability of malware detection, since actions can be monitored only when an OS data structure is modified. Therefore, the known method is unable to detect malware residing directly in the OS kernel and kernel modules.