System and method to mitigate malicious calls

US 10,204,223 B2
Filed: 09/18/2017
Issued: 02/12/2019
Est. Priority Date: 06/27/2014
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory, computer-readable medium comprising one or more instructions that, when executed by a processor, cause the processor to execute a method comprising:

hooking a user mode asynchronous procedure call (APC) dispatcher function of a dynamic-link library;

inspecting, by a module of a predetermined program, a parameter of the APC dispatcher function, and verifying a page that would be executed as an APC routine;

ignoring an execution of the APC, if the page is not a part of the predetermined program; and

calling an application programming interface function to continue an execution of the predetermined program, if the page is not a part of the predetermined program, wherein the execution of the predetermined program includes implementing a scan for a root kit and cleaning the root kit from a system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to receive a function call, determine the location of a memory page that initiated the function call, determine if the memory page is associated with a trusted module, and block the function call if the memory page is not associated with the trusted module. In addition, the system can determine the return address for the function call and block the function call if the return address does not belong to the trusted module. Further, the system can determine a parameter for the function call, determine if the parameter is a known parameter used by the process that called the function, and block the function call if the parameter is not the known parameter used by the process that called the function.

21 Citations

17 Claims

1. At least one non-transitory, computer-readable medium comprising one or more instructions that, when executed by a processor, cause the processor to execute a method comprising:
- hooking a user mode asynchronous procedure call (APC) dispatcher function of a dynamic-link library;
  
  inspecting, by a module of a predetermined program, a parameter of the APC dispatcher function, and verifying a page that would be executed as an APC routine;
  
  ignoring an execution of the APC, if the page is not a part of the predetermined program; and
  
  calling an application programming interface function to continue an execution of the predetermined program, if the page is not a part of the predetermined program, wherein the execution of the predetermined program includes implementing a scan for a root kit and cleaning the root kit from a system.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The at least one computer-readable medium of claim 1, wherein the ignoring and calling are performed, if the page is not part of a dynamic-link library of the predetermined program or part of an executable of the predetermined program, or the APC points to code that differs from a file image corresponding to an address in memory.
  - 3. The at least one computer-readable medium of claim 1, wherein the APC dispatcher function is KiUserApcDispatcher.
  - 4. The at least one computer-readable medium of claim 1, wherein the application programming interface function is NtContinue.
  - 5. The at least one computer-readable medium of claim 1, the method further comprising:
    - logging a heuristics message to a system log about the APC.
  - 6. The at least one computer-readable medium of claim 5, the method further comprising:
    - sending the heuristics message to a server through a network.

7. A method, comprising:
- hooking a user mode asynchronous procedure call (APC) dispatcher function of a dynamic-link library;
  
  inspecting, by a processor chip executing a module of a predetermined program, a parameter of the APC dispatcher function, and verifying a page that would be executed as an APC routine;
  
  ignoring an execution of the APC, if the page is not part of the predetermined program; and
  
  calling an application programming interface function to continue an execution of the predetermined program, if the page is not part of the predetermined program, wherein the execution of the predetermined program includes implementing a scan for a root kit and cleaning the root kit from a system.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein the ignoring and calling are performed, if the page is not part of a dynamic-link library of the predetermined program or part of an executable of the predetermined program, or the APC points to code that differs from a file image corresponding to an address in memory.
  - 9. The method of claim 7, wherein the APC dispatcher function is KiUserApcDispatcher.
  - 10. The method of claim 7, wherein the application programming interface function is NtContinue.
  - 11. The method of claim 7, further comprising:
    - logging a heuristics message to a system log about the APC.

12. An apparatus, comprising:
- a processor chip configured to hook a user mode asynchronous procedure call (APC) dispatcher function of a dynamic-link library, to inspect, with a module of a predetermined program, a parameter of the APC dispatcher function, and to verify a page that would be executed as an APC routine, whereinthe processor chip is further configured to ignore an execution of the APC, if the page is not a part of the predetermined program, and to call an application programming interface function to continue an execution of the predetermined program, if the page is not a part of the predetermined program, and the execution of the predetermined program includes implementing a scan for a root kit and cleaning the root kit from a system.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The apparatus of claim 12, wherein the processor chip is further configured to ignore the execution of the APC and call the application programming interface function, if the page is not part of a dynamic-link library of the predetermined program or part of an executable of the predetermined program, or the APC points to code that differs from a file image corresponding to an address in memory.
  - 14. The apparatus of claim 12, wherein the APC dispatcher function is KiUserApcDispatcher.
  - 15. The apparatus of claim 12, wherein the application programming interface function is NtContinue.
  - 16. The apparatus of claim 12, wherein the processor chip is further configured to log a heuristics message to a system log about the APC.
  - 17. The apparatus of claim 16, wherein the apparatus is configured to send the heuristics message to a server through a network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
M2M and IoT Technologies LLC
Original Assignee
McAfee, LLC
Inventors
Szor, Peter, Mathur, Rachit
Primary Examiner(s)
Shaifer Harriman, Dant B

Application Number

US15/708,003
Publication Number

US 20180004951A1
Time in Patent Office

512 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

System and method to mitigate malicious calls

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to mitigate malicious calls

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links