Detection of malicious invocation of application program interface calls
First Claim
1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor, cause the processor to:
- receive, by a kernel driver executed by the at least one processor, an application program interface (API) call, wherein the kernel driver is included within a kernel space;
- extract, with the kernel driver, metadata from the API call;
- determine, with the kernel driver, that the API call should be hooked based on the extracted metadata;
- hook, with the kernel driver, the API call;
- communicate the API call and the extracted metadata to a security module, wherein the security module determines if the API call should be allowed or denied; and
- allow the API call if a response from the security module is not received after a predetermined amount of time has passed from when the API call and the extracted metadata were communicated to the security module.
Abstract
Particular embodiments described herein provide for an electronic device that includes a binder kernel driver. The binder kernel driver can be configured to receive an application program interface (API) call, extract metadata from the API call, determine that the API call should be hooked based on the extracted metadata, and hook the API call.
19 Claims
7. An apparatus comprising:
- a hardware processor configured to execute a kernel driver, wherein the kernel driver is configured to:
- receive an application program interface (API) call, wherein the kernel driver is included within a kernel space;
- extract metadata from the API call;
- determine that the API call should be hooked based on the extracted metadata;
- hook the API call;
- communicate the API call and the extracted metadata to a security module, wherein the security module determines if the API call should be allowed or denied; and
- allow the API call if a response from the security module is not received after a predetermined amount of time has passed from when the API call and the extracted metadata were communicated to the security module.
Dependent claims: 8, 9, 10, 11, 12.
13. A method comprising:
- receiving an application program interface (API) call at a kernel driver, wherein the kernel driver is included within a kernel space;
- extracting metadata from the API call with the kernel driver;
- determining, with the kernel driver, that the API call should be hooked based on the extracted metadata;
- hooking, with the kernel driver, the API call;
- communicating the API call and the extracted metadata to a security module, wherein the security module determines if the API call should be allowed or denied; and
- allowing the API call if a response from the security module is not received after a predetermined amount of time has passed from when the API call and the extracted metadata were communicated to the security module.
Dependent claims: 14, 15, 16, 17.
18. A system for detecting and mitigating malicious invocation of sensitive code, the system comprising:
- a hardware processor configured to execute a binder kernel driver, wherein the binder kernel driver is configured to:
- receive an application program interface (API) call, wherein the binder kernel driver is included within a kernel space;
- extract metadata from the API call;
- determine that the API call should be hooked based on the extracted metadata;
- hook the API call;
- communicate the API call and the extracted metadata to a security module, wherein the security module determines if the API call should be allowed or denied; and
- allow the API call if a response from the security module is not received after a predetermined amount of time has passed from when the API call and the extracted metadata were communicated to the security module.
Dependent claims: 19.
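As an added illustration (not code from the patent or its assignee), the control path recited in the claims simulated in user-space Python: driver-side metadata extraction, the hook decision, the hand-off to a security module, and the timeout default. The interface names, the uid boundary and both sample security modules are constructed for this example; the fail_open parameter is an addition so the claims' allow-on-timeout default can be compared with a fail-closed variant.

```python
import queue
import threading
import time
from dataclasses import dataclass

# Constructed interface names and uid boundary for this example (not real Android values).
SENSITIVE_INTERFACES = {"example.ISmsService", "example.ILocationService"}
THIRD_PARTY_UID_START = 10000

@dataclass(frozen=True)
class ApiCall:
    caller_uid: int
    interface: str
    method: str

def extract_metadata(call: ApiCall) -> dict:
    """Driver step 1: pull the fields the security module needs from the call."""
    return {"uid": call.caller_uid, "interface": call.interface, "method": call.method}

def should_hook(metadata: dict) -> bool:
    """Driver step 2: hook only calls whose metadata names a sensitive interface."""
    return metadata["interface"] in SENSITIVE_INTERFACES

def dispatch(call: ApiCall, security_module, timeout_s: float, fail_open: bool = True) -> bool:
    """Driver steps 3-5: hook, forward call + metadata, wait for the verdict.
    Returns True (allow) or False (deny). With no verdict within timeout_s the
    claims allow the call (fail_open=True); fail_open=False is the fail-closed
    alternative, added here for comparison.
    """
    metadata = extract_metadata(call)
    if not should_hook(metadata):
        return True  # not hooked: passes through untouched
    verdict: queue.Queue = queue.Queue(maxsize=1)
    threading.Thread(
        target=lambda: verdict.put(bool(security_module(call, metadata))), daemon=True
    ).start()
    try:
        return verdict.get(timeout=timeout_s)
    except queue.Empty:
        return fail_open  # predetermined time passed with no response

def deny_third_party_sms(call: ApiCall, metadata: dict) -> bool:
    """Sample security module: deny SMS-interface calls from third-party app uids."""
    return not (metadata["interface"] == "example.ISmsService" and metadata["uid"] >= THIRD_PARTY_UID_START)

def stalled_module(call: ApiCall, metadata: dict) -> bool:
    """Sample security module that answers too late (simulates a stalled user-space agent)."""
    time.sleep(0.5)
    return False
```

With fail_open=True, a security module that stalls past the timeout yields an allow, which is the behaviour the claims recite; the fail-closed variant turns the same stall into a deny.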
Specification