Detection and mitigation of malicious invocation of sensitive code

US 10,366,228 B2
Filed: 01/31/2018
Issued: 07/30/2019
Est. Priority Date: 09/26/2014
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by a processor:

monitor regions of code that include Application Program Interface (API) code pages;

detect an execution fault of a page load on the monitored API code pages;

determine whether the execution fault occurred at a proper entry point of the API; and

clear, based on a determination that the execution fault did not occur at the proper entry point of the API, a last exception record address and calculate an offset from the entry point of the API.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to identify regions of code to be monitored, probe and lock code pages that include the identified regions of code, and remap the code pages as execute only. The code pages can be remapped as execute only in an alternate extended page table view.

14 Citations

25 Claims

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by a processor:
- monitor regions of code that include Application Program Interface (API) code pages;
  
  detect an execution fault of a page load on the monitored API code pages;
  
  determine whether the execution fault occurred at a proper entry point of the API; and
  
  clear, based on a determination that the execution fault did not occur at the proper entry point of the API, a last exception record address and calculate an offset from the entry point of the API.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The at least one non-transitory computer-readable medium of claim 1, further comprising one or more instructions that when executed by the processor:
    - identify, based on a determination that the execution fault occurred at the proper entry point of the API, the execution as a valid API attempt.
  - 3. The at least one non-transitory computer-readable medium of claim 1, further comprising one or more instructions that when executed by the processor:
    - capture indirect virtual addressing branches and returns for the code pages.
  - 4. The at least one non-transitory computer-readable medium of claim 1, further comprising one or more instructions that when executed by the processor:
    - handle execution faults on the code pages with a virtualized exception handler.
  - 5. The at least one non-transitory computer-readable medium of claim 1, wherein the code pages are remapped as execute only in an alternate extended page table view.
  - 6. The at least one non-transitory computer-readable medium of claim 5, wherein the execution fault is an extended page table fault.
  - 7. The at least one non-transitory computer-readable medium of claim 1, further comprising one or more instructions that when executed by the processor:
    - inspect context information related to the execution fault to determine if an entry point for the API execution request is valid.
  - 8. The at least one non-transitory computer-readable medium of claim 1, further comprising one or more instructions that when executed by the processor:
    - determine a stack offset; and
      
      map the entry offset to the stack offset.

9. An apparatus comprising:
- memory; and
  
  a hardware processor, the hardware processor configured to;
  
  monitor regions of code that include Application Program Interface (API) code pages;
  
  detect an execution fault of a page load on the monitored API code pages;
  
  determine whether the execution fault occurred at a proper entry point of the API; and
  
  clear, based on a determination that the execution fault did not occur at the proper entry point of the API, a last exception record address and calculate an offset from the entry point of the API.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein the hardware processor is further configured to:
    - identify, based on a determination that the execution fault occurred at the proper entry point of the API, the execution as a valid API attempt.
  - 11. The apparatus of claim 9, wherein the hardware processor is further configured to:
    - capture indirect virtual addressing branches and returns for the code pages.
  - 12. The apparatus of claim 9, wherein the hardware processor is further configured to:
    - handle execution faults on the code pages with a virtualized exception handler.
  - 13. The apparatus of claim 9, wherein the code pages are remapped as execute only in an alternate extended page table view.
  - 14. The apparatus of claim 13, wherein the execution fault is an extended page table fault.
  - 15. The apparatus of claim 9, wherein the hardware processor is further configured to:
    - inspect context information related to the execution fault to determine if an entry point for the API execution request is valid.
  - 16. The apparatus of claim 9, wherein the hardware processor is further configured to:
    - determine a stack offset; and
      
      map the entry offset to the stack offset.

17. A method comprising:
- monitoring regions of code that include Application Program Interface (API) code pages;
  
  detecting an execution fault of a page load on the monitored API code pages;
  
  determining whether the execution fault occurred at a proper entry point of the API; and
  
  clearing, based on a determination that the execution fault did not occur at the proper entry point of the API, a last exception record address and calculate an offset from the entry point of the API.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method of claim 17, further comprising:
    - identifying, based on a determination that the execution fault occurred at the proper entry point of the API, the execution as a valid API attempt.
  - 19. The method of claim 17, further comprising:
    - capturing indirect virtual addressing branches and returns for the code pages.
  - 20. The method of claim 17, further comprising:
    - handling execution faults on the code pages with a virtualized exception handler.
  - 21. The method of claim 17, wherein the code pages are remapped as execute only in an alternate extended page table view.
  - 22. The method of claim 21, wherein the execution fault is an extended page table fault.
  - 23. The method of claim 17, further comprising:
    - inspecting context information related to the execution fault to determine if an entry point for the API execution request is valid.

24. A system for detecting and mitigating malicious invocation of sensitive code, the system comprising:
- memory; and
  
  a hardware processor, the hardware processor configured for;
  
  monitoring regions of code that include Application Program Interface (API) code pages;
  
  detecting an execution fault of a page load on the monitored API code pages;
  
  determining whether the execution fault occurred at a proper entry point of the API; and
  
  clearing, based on a determination that the execution fault did not occur at the proper entry point of the API, a last exception record address and calculate an offset from the entry point of the API.
- View Dependent Claims (25)
- - 25. The system of claim 24, wherein the hardware processor is further configured for:
    - identifying, based on a determination that the execution fault occurred at the proper entry point of the API, the execution as a valid API attempt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Sahita, Ravi, Deng, Lu, Shanbhogue, Vedvyas, Lu, Lixin, Shepsen, Alexander, Tatourian, Igor
Primary Examiner(s)
Parsons, Theodore C

Application Number

US15/885,371
Publication Number

US 20180157829A1
Time in Patent Office

545 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/10   Address translation

G06F 12/1009   using page tables, e.g. pag...

G06F 12/14   Protection against unauthor...

G06F 12/1441   for a range

G06F 12/145   the protection being virtua...

G06F 12/1458   by checking the subject acc...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

Detection and mitigation of malicious invocation of sensitive code

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Detection and mitigation of malicious invocation of sensitive code

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links