System and method to mitigate malicious calls
Abstract
Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to receive a function call, determine the location of a memory page that initiated the function call, determine if the memory page is associated with a trusted module, and block the function call if the memory page is not associated with the trusted module. In addition, the system can determine the return address for the function call and block the function call if the return address does not belong to the trusted module. Further, the system can determine a parameter for the function call, determine if the parameter is a known parameter used by the process that called the function, and block the function call if the parameter is not the known parameter used by the process that called the function.
17 Claims
1. At least one non-transitory, computer-readable medium comprising one or more instructions that, when executed by a processor, cause the processor to execute a method comprising:
hooking a user mode asynchronous procedure call (APC) dispatcher function of a dynamic-link library;
inspecting, by a module of a predetermined program, a parameter of the APC dispatcher function, and verifying a page that would be executed as an APC routine;
ignoring an execution of the APC, if the page is not a part of the predetermined program; and
calling an application programming interface function to continue an execution of the predetermined program, if the page is not a part of the predetermined program, wherein the execution of the predetermined program includes implementing a scan for a root kit and cleaning the root kit from a system.
(Dependent claims: 2, 3, 4, 5, 6)

7. A method, comprising:
hooking a user mode asynchronous procedure call (APC) dispatcher function of a dynamic-link library;
inspecting, by a processor chip executing a module of a predetermined program, a parameter of the APC dispatcher function, and verifying a page that would be executed as an APC routine;
ignoring an execution of the APC, if the page is not part of the predetermined program; and
calling an application programming interface function to continue an execution of the predetermined program, if the page is not part of the predetermined program, wherein the execution of the predetermined program includes implementing a scan for a root kit and cleaning the root kit from a system.
(Dependent claims: 8, 9, 10, 11)

12. An apparatus, comprising:
a processor chip configured to hook a user mode asynchronous procedure call (APC) dispatcher function of a dynamic-link library, to inspect, with a module of a predetermined program, a parameter of the APC dispatcher function, and to verify a page that would be executed as an APC routine,
wherein the processor chip is further configured to ignore an execution of the APC, if the page is not a part of the predetermined program, and to call an application programming interface function to continue an execution of the predetermined program, if the page is not a part of the predetermined program, and the execution of the predetermined program includes implementing a scan for a root kit and cleaning the root kit from a system.
(Dependent claims: 13, 14, 15, 16, 17)
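The decision logic that the abstract and the independent claims describe for a hooked user-mode APC dispatcher, as an added C example that is not the patent's own code: the module table, the address values and the list of known parameter values are constructed sample data, and the real dispatcher hook, the lookup of the process's loaded modules and the API call that resumes the interrupted context are assumed to be supplied by the host program. Beyond the claims' page check, it also applies the return-address and known-parameter checks from the abstract, in that order.

```c
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE 0x1000u

/* One loaded image; [base, base+size) is its address range. */
typedef struct { const char *name; uintptr_t base; size_t size; int trusted; } module_t;

/* Constructed module table standing in for the process's loaded-module list. */
static const module_t g_modules[] = {
    { "scanner.exe", 0x00400000u, 0x00080000u, 1 },  /* the "predetermined program" */
    { "ntdll.dll",   0x77000000u, 0x00180000u, 1 },
    { "other.dll",   0x10000000u, 0x00010000u, 0 },  /* loaded, but not trusted */
};

/* Constructed set of parameter values the program is known to pass to its own APC routines. */
static const uintptr_t g_known_params[] = { 0x0u, 0x1u, 0x00401000u };

typedef enum { APC_ALLOW, APC_BLOCK_ROUTINE, APC_BLOCK_RETURN, APC_BLOCK_PARAM } apc_verdict_t;

/* Module that backs addr, or NULL when no image covers it. */
static const module_t *module_for(uintptr_t addr) {
    for (size_t i = 0; i < sizeof g_modules / sizeof g_modules[0]; i++)
        if (addr >= g_modules[i].base && addr < g_modules[i].base + g_modules[i].size)
            return &g_modules[i];
    return NULL;
}

/* Page-granular check: the whole page holding addr must lie inside one trusted module. */
int page_is_trusted(uintptr_t addr) {
    uintptr_t page = addr & ~(uintptr_t)(PAGE_SIZE - 1);
    const module_t *m = module_for(page);
    return m != NULL && m->trusted && module_for(page + PAGE_SIZE - 1) == m;
}

int param_is_known(uintptr_t param) {
    for (size_t i = 0; i < sizeof g_known_params / sizeof g_known_params[0]; i++)
        if (g_known_params[i] == param) return 1;
    return 0;
}

/* Body of the dispatcher hook. Any verdict other than APC_ALLOW means the APC routine is
 * skipped and the caller resumes the interrupted context through the API call the claims name. */
apc_verdict_t filter_apc(uintptr_t routine, uintptr_t ret_addr, uintptr_t param) {
    if (!page_is_trusted(routine))  return APC_BLOCK_ROUTINE;  /* APC routine page not in a trusted module */
    if (!page_is_trusted(ret_addr)) return APC_BLOCK_RETURN;   /* return address outside a trusted module */
    if (!param_is_known(param))     return APC_BLOCK_PARAM;    /* parameter unknown to the program */
    return APC_ALLOW;
}
```

An address that no image backs (for example a heap or stack page) fails the page check the same way an untrusted module does, so the verdict does not depend on the caller first resolving the address to a module.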
Specification