Method to detect application execution hijacking using memory protection
First Claim
1. An electronic device, comprising:
one or more hardware processors; and
a non-transitory computer-readable storage medium communicatively coupled to the one or more hardware processors, the non-transitory computer-readable storage medium having stored thereon logic that, upon execution by the one or more hardware processors, performs operations comprising:
identifying a loaded module, applying a protection mechanism to an element of the loaded module so as to establish a protected region, wherein the element of the loaded module is one of a base address of the loaded module, an import table of the loaded module or a process environment block of the loaded module, determining whether an access source is attempting to access the protected region, determining whether the access source is from the heap, and determining the access source is malicious based on determining the access source is attempting to access the protected region and is from the heap.
5 Assignments
0 Petitions
Abstract
According to one embodiment, a system comprising a dynamic analysis server comprising one or more virtual machines is disclosed, wherein the one or more virtual machines may be configured to execute certain event logic with respect to a loaded module. The virtual machines may be communicatively coupled to a virtual machine manager and a database. The system also comprises rule-matching logic comprising detection logic, wherein the detection logic is configured to determine (1) whether an access source is attempting to access a protected region, such as a page-guarded area, and (2) whether the access source is from the heap. The system further comprises reporting logic that is configured to generate an alert so as to notify a user and/or network administrator of a probable application-execution hijacking attack.
723 Citations
20 Claims
1. An electronic device, comprising:
one or more hardware processors; and a non-transitory computer-readable storage medium communicatively coupled to the one or more hardware processors, the non-transitory computer-readable storage medium having stored thereon logic that, upon execution by the one or more hardware processors, performs operations comprising: identifying a loaded module, applying a protection mechanism to an element of the loaded module so as to establish a protected region, wherein the element of the loaded module is one of a base address of the loaded module, an import table of the loaded module or a process environment block of the loaded module, determining whether an access source is attempting to access the protected region, determining whether the access source is from the heap, and determining the access source is malicious based on determining the access source is attempting to access the protected region and is from the heap.
Dependent claims: 2, 3, 4, 5, 7, 10, 11, 16, 17
6. An electronic device, comprising:
one or more hardware processors; and a non-transitory computer-readable storage medium communicatively coupled to the one or more hardware processors, the non-transitory computer-readable storage medium having stored thereon logic that, upon execution by the one or more hardware processors, performs operations comprising: identifying a loaded module, applying a protection mechanism to an import table of the loaded module so as to establish a protected region, determining whether an access source is attempting to access the protected region, determining whether the access source is from the heap, determining whether the access source is from the loaded module and accessing its own import address table, and determining the access source is malicious based on determining the access source is (i) attempting to access the protected region, (ii) from the heap, and (iii) accessing its own import address table.
Dependent claims: 8
9. A system comprising:
a dynamic analysis server comprising one or more hardware processors, a non-transitory computer-readable storage medium and one or more virtual machines that are configured to execute event logic with respect to a loaded module, wherein the one or more virtual machines are communicatively coupled to a virtual machine manager and a database; rule-matching logic comprising detection logic configured to be executable by the one or more hardware processors to determine whether (1) an access source is attempting to access a protected region, and (2) the access source is from the heap; and reporting logic comprising alert generating logic that is configured to generate an alert so as to notify a user or a network administrator of a probable application-execution hijacking attack.
Dependent claims: 12, 13, 14
15. A system comprising:
a mobile device configured to execute a malware detection application thereon, the detection application comprising: exploit detection logic configured to execute certain event logic with respect to a loaded module; rule-matching logic comprising detection logic configured to determine whether an access source is attempting to access a protected region and determine whether the access source is from the heap; reporting logic comprising alert generating logic that is configured to generate an alert; and user interface logic that is configured to notify a user or a network administrator of a probable application-execution hijacking attack.
Dependent claims: 18, 19, 20
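As an added example that is not the patent's or its assignee's code, the following Python simulates the rule-matching logic of claims 1 and 9 over a constructed memory layout: the module base page, the import table and the process environment block are the guarded elements, and an access is flagged only when it lands in a guarded region and the address of the accessing instruction lies in a heap. The module, heap and PEB addresses, the region names and the three access events are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
PAGE = 0x1000

@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int  # exclusive
    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    iat_rva: int   # offset of the import address table from the module base
    iat_size: int

def protected_regions(modules: List[Module], peb: Region) -> List[Region]:
    """Guard the module base page, the import table and the PEB (the elements
    claim 1 names); each guard is widened to whole pages, as a page guard is."""
    regions = [peb]
    for m in modules:
        regions.append(Region(f"{m.name}:base", m.base, m.base + PAGE))
        iat = m.base + m.iat_rva
        regions.append(Region(f"{m.name}:iat", iat & ~(PAGE - 1),
                              (iat + m.iat_size + PAGE - 1) & ~(PAGE - 1)))
    return regions

def classify(source_ip: int, target: int, protected: List[Region],
             heaps: List[Region]) -> Optional[str]:
    """Alert only when the access trips a guard AND the accessing instruction is on the heap."""
    hit = next((r for r in protected if r.contains(target)), None)
    if hit is None:
        return None  # guarded element not touched
    heap = next((h for h in heaps if h.contains(source_ip)), None)
    if heap is None:
        return None  # module code reading its own imports: benign
    return (f"probable application-execution hijacking: code at {source_ip:#x} in "
            f"{heap.name} accessed {hit.name} at {target:#x}")

def run_sample() -> List[Optional[str]]:
    """Constructed layout (assumed addresses): one module, one heap, the PEB."""
    mods = [Module("app.exe", 0x00400000, iat_rva=0x2000, iat_size=0x180)]
    prot = protected_regions(mods, Region("peb", 0x7FFDF000, 0x7FFE0000))
    heaps = [Region("heap0", 0x00500000, 0x00600000)]
    events = [(0x00401234, 0x00402010),   # module code reads its IAT: normal call
              (0x00501000, 0x00402010),   # heap-resident code reads the IAT: flagged
              (0x00501000, 0x00700000)]   # heap code touches unguarded memory: ignored
    return [classify(s, t, prot, heaps) for s, t in events]
```

In a real implementation the guard is a page-level protection that raises an exception on first touch, and the source address is the faulting instruction pointer; the simulation only models the decision made once those two values are known.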
Specification