Memory residency is the ability of computer programs to leave program parts behind in the volatile main memory of a computer and anchor them there, or to integrate them into operating system components. In addition to useful programs and the operating system itself, it is often viruses and worms that use this technique. In general, the term memory residency is only used when the associated program ends, at least formally, after it has been anchored. For processes that remain active, memory residency is inevitable and is generally not specifically mentioned.
These left-behind program parts can be activated
- when the currently running application program calls a particular operating system service into which the memory-resident program has previously hooked itself (sometimes the resident program is itself the corresponding operating system part);
- when a hardware interrupt interrupts the currently running application program and the memory-resident program has previously hooked itself into the interrupt service handler (see Scheduler).
The last variant can be used to reactivate the memory-resident program, for example using a key combination or a (hardware) system clock interrupt. This creates an impression of simultaneity, although only one program is active at a time (see multitasking).
Certain parts of an operating system are necessarily memory resident (they must not be swapped out to the hard drive); these are mainly the kernel and the disk drivers.
In the early years of computer technology it was difficult or even impossible to run several processes in parallel. Under MS-DOS, the workaround was that programs were not terminated "normally" via interrupt 21h, which removed them from memory, but rather via interrupt 27h, which left program parts behind in main memory (→ TSR program). The first applications for such programs were the system clock, screen and keyboard drivers.
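The hooking described above can be observed on a real-mode MS-DOS system by comparing the interrupt vector table (256 four-byte entries starting at address 0000:0000) before and after a resident program has anchored itself. The following is an added example, not part of the original article: the function names, the labels and both table snapshots are constructed for illustration.

```python
import struct

IVT_ENTRIES = 256  # real-mode IVT: 256 vectors starting at 0000:0000
# Vectors matching the activation paths in the article (labels chosen for this example)
WATCHED = {0x08: "system timer", 0x09: "keyboard", 0x21: "DOS services"}

def parse_ivt(image: bytes) -> list:
    """Return [(segment, offset), ...]; each entry is offset then segment, little endian."""
    if len(image) < IVT_ENTRIES * 4:
        raise ValueError("IVT image must be at least 1024 bytes")
    entries = struct.iter_unpack("<HH", image[:IVT_ENTRIES * 4])
    return [(segment, offset) for offset, segment in entries]

def linear(segment: int, offset: int) -> int:
    """Real-mode linear address; different segment:offset pairs can alias the same byte."""
    return ((segment << 4) + offset) & 0xFFFFF

def changed_vectors(before: bytes, after: bytes) -> list:
    """List vectors whose handler moved between two snapshots of the table."""
    findings = []
    for n, (old, new) in enumerate(zip(parse_ivt(before), parse_ivt(after))):
        if linear(*old) != linear(*new):
            findings.append((n, WATCHED.get(n, "other"), "%04X:%04X" % old, "%04X:%04X" % new))
    return findings

def build_ivt(handlers: dict, default=(0xF000, 0xFF53)) -> bytes:
    """Build a sample table from {vector: (segment, offset)}; constructed test data."""
    image = bytearray()
    for n in range(IVT_ENTRIES):
        segment, offset = handlers.get(n, default)
        image += struct.pack("<HH", offset, segment)
    return bytes(image)

# Constructed snapshots, not a real dump: after a resident program has anchored itself,
# vectors 09h and 21h point into its segment (1A2Bh is an arbitrary sample value).
BEFORE = build_ivt({0x08: (0xF000, 0xFEA5), 0x09: (0xF000, 0xE987), 0x21: (0x0019, 0x40F8)})
AFTER = build_ivt({0x08: (0xF000, 0xFEA5), 0x09: (0x1A2B, 0x0120), 0x21: (0x1A2B, 0x0200)})

if __name__ == "__main__":
    for vector, name, old, new in changed_vectors(BEFORE, AFTER):
        print("INT %02Xh (%s): %s -> %s" % (vector, name, old, new))
```

A changed vector is not in itself a sign of infection, since legitimate drivers hook the same vectors; the comparison only shows which resident code now sits in the call path.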
Parts of the operating system are memory resident.
The operating systems themselves install many such programs, some of which can be viewed via a task manager. These include, for example, printer or scanner drivers, but also software for using a Braille display or various small auxiliary programs. In most cases, memory-resident programs provide functions that are required at an indefinite point in time. In most cases, the user does not care about these programs.
How viruses work
In most cases, the infection goes unnoticed. Once the virus is in memory, it no longer needs the infecting program; a single call is sufficient. From then on the virus spreads further by itself.
An infection is triggered by the start of an infected file that has reached the computer via a data carrier or network. The virus usually first copies itself to as many places as possible on all drives of the computer or network. No malicious code is executed; this replication should happen as unnoticed as possible. The infected host programs continue to run largely unchanged if the virus is programmed correctly. By spreading in this way, the virus tries to keep the probability as high as possible that it will be active again the next time the computer is started.
Stealth viruses are a further development of memory-resident viruses; they actively try to hide their identity.
Places of infection
CPUs segment the main memory hierarchically (see ring (CPU)). How firmly a virus is resident depends on which ring it is in. The higher the hierarchy level of its memory area, the more difficult it is to remove the virus.
Virus attacks have also been carried out on the cache memory of chipsets. There it is extremely difficult to remove the virus, since operating systems generally do not give the user any control over the cache of a chipset.
Protection against in-memory viruses
Memory-resident viruses can only spread using infected files. If an infection has already taken place, removal can result in significant data loss. Modern and up-to-date anti-virus software protects largely automatically against malicious memory-resident programs.