Malicious code, known as malware, which includes viruses, worms, adware, etc., may attack core components of the operating system to compromise key applications, including critical applications that operate in the operating system kernel, such as security, firewall and anti-virus agents. One concern is that malware may attack page tables maintained by the operating system to perform address translation for critical security applications. The malware may modify the references in the page table to point to pages of the malware code that when invoked by the security agent performs malicious operations.
FIG. 1, panel 2 shows that prior to the attack, the critical agent, e.g., security or anti-virus application, references good pages of critical agent code. Panel 4 shows that prior to the attack the malware application page tables reference malicious pages of malicious malware code. Panel 6 shows that after the attack, the critical agent's page tables are modified to point to malicious pages. By referencing the malware page as shown in panels 6 and 8, address translation for the critical agent may cause the critical agent to execute the malware code in malicious page 1, panel 8. The executed malware code may provide the malware access to critical agent data structures to allow the malware to orchestrate a malicious attack on the system.