MALWARE AUTO-ANALYSIS SYSTEM AND METHOD USING KERNEL CALL-BACK MECHANISM
Abstract
The present invention relates to an automatic malware analysis system and method using a kernel callback mechanism. It comprises: a process monitor driver that, at its load time, registers a callback function located inside the driver with the kernel function PsSetCreateProcessNotifyRoutine, and thereby receives a callback event whenever a process is created or terminated; a registry monitor driver that, at its load time, registers a callback function located inside the driver with CmRegisterCallback, and thereby receives an event for each registry access it monitors; a file monitor driver, implemented as a minifilter driver that registers itself with the Filter Manager kernel driver, which receives file-related I/O events occurring in the Windows system; and an event collector that stores the process, registry and file events produced by these kernel drivers in a shared memory area that the kernel drivers and the analysis application can access at the same time, keeping only events from a preset group of monitored processes.
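As an added illustration, not code from the patent, the following user-mode C model shows the collector design the abstract describes: events raised by the three monitor drivers are kept only when they come from a preset group of monitored processes, and are placed in a shared area that the analysis application drains. All type names, PIDs, registry keys and paths here are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef enum { EV_PROCESS = 1, EV_REGISTRY, EV_FILE } event_kind; /* originating monitor driver */
typedef struct { event_kind kind; uint32_t pid; char detail[64]; } mon_event; /* pid: triggering process */
/* Stand-in for the shared memory area mapped by both the kernel drivers and the
   analysis application. Single-threaded model: a real region also needs synchronization. */
#define SHARED_CAPACITY 256
typedef struct { mon_event slots[SHARED_CAPACITY]; size_t head, count; } shared_area;
/* Preset group of processes under analysis (constructed PIDs). */
#define MAX_MONITORED 32
typedef struct { uint32_t pids[MAX_MONITORED]; size_t n; } monitored_set;
static const monitored_set sample_set = { {1000, 1001}, 2 };
bool is_monitored(const monitored_set *set, uint32_t pid) {
    for (size_t i = 0; i < set->n; i++) if (set->pids[i] == pid) return true;
    return false;
}
/* Producer side (driver callback path): store only events from the preset group. */
bool collect_event(shared_area *area, const monitored_set *set, const mon_event *ev) {
    if (!is_monitored(set, ev->pid)) return false;    /* not under analysis: discard */
    if (area->count == SHARED_CAPACITY) return false; /* region full: event is lost */
    area->slots[(area->head + area->count) % SHARED_CAPACITY] = *ev;
    area->count++;
    return true;
}
/* Consumer side (analysis application): pop the oldest stored event. */
bool read_event(shared_area *area, mon_event *out) {
    if (area->count == 0) return false;
    *out = area->slots[area->head];
    area->head = (area->head + 1) % SHARED_CAPACITY;
    area->count--;
    return true;
}
/* Constructed feed: five events from three processes; returns how many were stored,
   or 0 if the consumer does not read the first stored event back in arrival order. */
size_t run_sample(void) {
    const mon_event feed[] = {
        { EV_PROCESS,  1000, "create" },
        { EV_REGISTRY, 2000, "HKCU\\Software\\Example\\Run" },  /* pid 2000: not monitored */
        { EV_FILE,     1001, "C:\\Users\\Public\\dropped.tmp" },
        { EV_REGISTRY, 1000, "HKCU\\Software\\Example\\Run" },
        { EV_PROCESS,  3000, "exit" } };                         /* pid 3000: not monitored */
    shared_area area; memset(&area, 0, sizeof area);
    size_t stored = 0;
    for (size_t i = 0; i < sizeof feed / sizeof feed[0]; i++)
        if (collect_event(&area, &sample_set, &feed[i])) stored++;
    mon_event first;
    if (!read_event(&area, &first) || first.kind != EV_PROCESS || first.pid != 1000) return 0;
    return stored;
}
```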