Method to detect application execution hijacking using memory protection

US 10,210,329 B1
Filed: 09/30/2015
Issued: 02/19/2019
Est. Priority Date: 09/30/2015
Status: Active Grant

First Claim

Patent Images

1. An electronic device, comprising:

one or more hardware processors; and

a non-transitory computer-readable storage medium communicatively coupled to the one or more hardware processors, the non-transitory computer-readable storage medium having stored thereon logic that, upon execution by the one or more hardware processors, performs operations comprising;

identifying a loaded module,applying a protection mechanism to an element of the loaded module so as to establish a protected region, wherein the element of the loaded module is one of a base address of the loaded module, an import table of the loaded module or a process environment block of the loaded module,determining whether an access source is attempting to access the protected region,determining whether the access source is from the heap, anddetermining the access source is malicious based on determining the access source is attempting to access the protected region and is from the heap.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a system comprising a dynamic analysis server comprising one or more virtual machines is disclosed, wherein the one or more virtual machines may be configured to execute certain event logic with respect to a loaded module. The virtual machines may be communicatively coupled to a virtual machine manager and a database; and rule-matching logic comprising detection logic, wherein the detection logic is configured to determine (1) whether an access source is attempting to access a protected region such as a page guarded area; and (2) determine whether the access source is from the heap. The system further comprises reporting logic that is configured to generate an alert so as to notify a user and/or network administrator of a probable application-execution hijacking attack.

723 Citations

20 Claims

1. An electronic device, comprising:
- one or more hardware processors; and
  
  a non-transitory computer-readable storage medium communicatively coupled to the one or more hardware processors, the non-transitory computer-readable storage medium having stored thereon logic that, upon execution by the one or more hardware processors, performs operations comprising;
  
  identifying a loaded module,applying a protection mechanism to an element of the loaded module so as to establish a protected region, wherein the element of the loaded module is one of a base address of the loaded module, an import table of the loaded module or a process environment block of the loaded module,determining whether an access source is attempting to access the protected region,determining whether the access source is from the heap, anddetermining the access source is malicious based on determining the access source is attempting to access the protected region and is from the heap.
- View Dependent Claims (2, 3, 4, 5, 7, 10, 11, 16, 17)
- - 2. The electronic device of claim 1, wherein the execution by the one or more hardware processors performs operations further comprising generating an alert so as to notify a user or a network administrator of a probable application-execution hijacking attack.
  - 3. The electronic device of claim 1, wherein the execution by the one or more processors performs operations further comprising terminating the loaded module so as to prevent an application-execution hijacking attack.
  - 4. The electronic device of claim 1, wherein the execution by the one or more processors performs operations further comprising generating a log file.
  - 5. The electronic device of claim 1, wherein the loaded module includes executable code.
  - 7. The electronic device of claim 5, wherein the loaded module comprises one or more dynamic-link libraries (DLLs) that provide a scripting environment to applications.
  - 10. The system of claim 7, further comprising process handling logic that is configured to terminate a potentially malicious loaded module.
  - 11. The system of claim 7, wherein the detection logic is configured to determine whether a protected page is being accessed, and whether the access source is from the heap.
  - 16. The system of claim 11, wherein the exploit detection logic is configured to terminate the loaded module.
  - 17. The system of claim 11, wherein the exploit detection logic is configured to generate an alert.

6. An electronic device, comprising:
- one or more hardware processors; and
  
  a non-transitory computer-readable storage medium communicatively coupled to the one or more hardware processors, the non-transitory computer-readable storage medium having stored thereon logic that, upon execution by the one or more hardware processors, performs operations comprising;
  
  identifying a loaded module,applying a protection mechanism to an import table of the loaded module so as to establish a protected region,determining whether an access source is attempting to access the protected region,determining whether the access source is from the heap,determining whether the access source is from the loaded module and accessing its own import address table, anddetermining the access source is malicious based on determining the access source is (i) attempting to access the protected region, (ii) from the heap, and (iii) accessing its own import address table.
- View Dependent Claims (8)
- - 8. The electronic device of claim 6, wherein the loaded module includes executable code.

9. A system comprising:
- a dynamic analysis server comprising one or more hardware processors, a non-transitory computer-readable storage medium and one or more virtual machines that are configured to execute event logic with respect to a loaded module, wherein the one or more virtual machines are communicatively coupled to a virtual machine manager and a database;
  
  rule-matching logic comprising detection logic configured to be executable by the one or more hardware processors to determine whether (1) an access source is attempting to access a protected region, and (2) the access source is from the heap; and
  
  reporting logic comprising alert generating logic that is configured to generate an alert so as to notify a user or a network administrator of a probable application-execution hijacking attack.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 9, wherein the detection logic is configured to determine whether the loaded module is accessing its own import table.
  - 13. The system of claim 9, wherein the loaded module includes executable code.
  - 14. The system of claim 9, wherein further comprising dynamic-link library (DLL)/kernel logic that modularizes a software program into separate components.

15. A system comprising:
- a mobile device configured to execute a malware detection application thereon, the detection application comprising;
  
  exploit detection logic configured to execute certain event logic with respect to a loaded module;
  
  rule-matching logic comprising detection logic configured to determine whether an access source is attempting to access a protected region and determine whether the access source is from the heap;
  
  reporting logic comprising alert generating logic that is configured to generate an alert; and
  
  user interface logic that is configured to notify a user or a network administrator of a probable application-execution hijacking attack.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 15, further comprising process handling logic that is configured to terminate a potentially malicious loaded module.
  - 19. The system of claim 15, wherein the loaded module includes executable code.
  - 20. The system of claim 15, wherein further comprising dynamic-link library (DLL)/kernel logic that modularizes a software program into separate components.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Malik, Amit, Pande, Reghav, Jain, Aakash
Primary Examiner(s)
Shaw, Brian F

Application Number

US14/871,987
Time in Patent Office

1,238 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 2221/033   Test or assess software

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04W 12/128   Anti-malware arrangements, ...

Method to detect application execution hijacking using memory protection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

723 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method to detect application execution hijacking using memory protection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

723 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links