
Method and system for the detection of file system filter driver based rootkits


Abstract

A method, system, and computer program product for detecting hidden files and folders that may be installed by or as part of a rootkit provides the capability to identify the method that is used to hide the files and folders, will continue working even if the operating system is modified, and is suitable for real-time detection of hidden files and folders. A method for detecting a rootkit comprises the steps of generating a plurality of query input/output request packets, each query input/output request packet requesting information relating to a file system directory folder, transmitting a generated query input/output request packet to each file system driver object, receiving a result including the requested information relating to a file system directory folder from each file system driver object, and determining differences among each result, to determine information relating to a file system directory folder that is removed by at least one file system driver object.
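The cross-layer comparison the abstract describes, as an added illustration that is not part of the patent or its text: the driver names and directory listings below are constructed stand-ins for the results each file system driver object returns to the query request packets, ordered from the base file system driver up through each filter driver.

```python
"""Cross-layer directory diff: compare what each driver object in a file
system filter stack reports for the same folder and attribute any entry
that disappears to the driver that dropped it.

All driver names and directory entries here are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LayerResult:
    driver: str          # driver object that answered the directory query
    entries: frozenset   # directory entries it reported for the folder


def detect_hidden_entries(results):
    """Return {driver_name: [entries it removed]}.

    `results` is ordered from the base file system driver (lowest) to the
    top-most filter driver. An entry reported by every layer below a given
    driver but absent from that driver's answer was removed by it; entries
    a filter merely adds are not flagged.
    """
    hidden = {}
    if not results:
        return hidden
    visible = set(results[0].entries)      # what the base file system reports
    for layer in results[1:]:
        removed = visible - set(layer.entries)
        if removed:
            hidden[layer.driver] = sorted(removed)
        visible &= set(layer.entries)      # only still-visible entries propagate up
    return hidden


# Constructed sample stack: the base file system, a filter that passes
# everything through unchanged, and a filter that drops two entries.
SAMPLE_STACK = [
    LayerResult("ntfs.sys",
                frozenset({"boot.ini", "svchost.exe", "sample.dll", "sample.cfg"})),
    LayerResult("passthrough_filter.sys",
                frozenset({"boot.ini", "svchost.exe", "sample.dll", "sample.cfg"})),
    LayerResult("unknown_filter.sys",
                frozenset({"boot.ini", "svchost.exe"})),
]

if __name__ == "__main__":
    for driver, removed in detect_hidden_entries(SAMPLE_STACK).items():
        print(f"{driver} removed: {', '.join(removed)}")
```

Running the block on the sample stack attributes the two missing entries to unknown_filter.sys, while the pass-through filter is not reported.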

Bibliographic data

  • Publication number: US7647308B2
  • Patent type:
  • Publication date: 2010-01-12
  • Original format: PDF
  • Applicant/assignee: AHMED SALLAM
  • Application number: US20060594096
  • Inventor: AHMED SALLAM
  • Filing date: 2006-11-08
  • Classification: G06F17/30
  • Country: US
  • Added to database: 2022-08-21 18:49:58
