Detection and mitigation of malicious invocation of sensitive code
First Claim
1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by a processor:
- monitor regions of code that include Application Program Interface (API) code pages;
- detect an execution fault of a page load on the monitored API code pages;
- determine whether the execution fault occurred at a proper entry point of the API; and
- clear, based on a determination that the execution fault did not occur at the proper entry point of the API, a last exception record address and calculate an offset from the entry point of the API.
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to identify regions of code to be monitored, probe and lock code pages that include the identified regions of code, and remap the code pages as execute only. The code pages can be remapped as execute only in an alternate extended page table view.
25 Claims
1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by a processor:
- monitor regions of code that include Application Program Interface (API) code pages;
- detect an execution fault of a page load on the monitored API code pages;
- determine whether the execution fault occurred at a proper entry point of the API; and
- clear, based on a determination that the execution fault did not occur at the proper entry point of the API, a last exception record address and calculate an offset from the entry point of the API.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. An apparatus comprising:
- memory; and
- a hardware processor, the hardware processor configured to:
- monitor regions of code that include Application Program Interface (API) code pages;
- detect an execution fault of a page load on the monitored API code pages;
- determine whether the execution fault occurred at a proper entry point of the API; and
- clear, based on a determination that the execution fault did not occur at the proper entry point of the API, a last exception record address and calculate an offset from the entry point of the API.
Dependent claims: 10, 11, 12, 13, 14, 15, 16

17. A method comprising:
- monitoring regions of code that include Application Program Interface (API) code pages;
- detecting an execution fault of a page load on the monitored API code pages;
- determining whether the execution fault occurred at a proper entry point of the API; and
- clearing, based on a determination that the execution fault did not occur at the proper entry point of the API, a last exception record address and calculate an offset from the entry point of the API.
Dependent claims: 18, 19, 20, 21, 22, 23

24. A system for detecting and mitigating malicious invocation of sensitive code, the system comprising:
- memory; and
- a hardware processor, the hardware processor configured for:
- monitoring regions of code that include Application Program Interface (API) code pages;
- detecting an execution fault of a page load on the monitored API code pages;
- determining whether the execution fault occurred at a proper entry point of the API; and
- clearing, based on a determination that the execution fault did not occur at the proper entry point of the API, a last exception record address and calculate an offset from the entry point of the API.
Dependent claims: 25
Specification