Identification of malicious execution of a process
First Claim
1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, cause the at least one processor to:
intercept a process;
determine that the process involves a privileged resource or a privileged operation;
store execution profiling for the process;
analyze code involved in each stack frame for the process to determine malicious activity and whether the process involves a privileged resource or a privileged operation, wherein each stack frame is analyzed as it unwinds;
determine an origin of the code involved in each stack frame;
determine whether the code involved in each stack frame is trusted, wherein the code is not trusted if the code resides in memory that is writeable or if the code resides in memory that is part of the stack frame;
persist data between sessions based on a determination that the code is trusted, wherein persisting data between sessions includes persisting at least a portion of the data in a protected region of memory; and
trigger a security violation based on a determination that the code is not trusted.
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to intercept a process, store execution profiling for the process if the process involves a privileged resource or a privileged operation, and analyze the code involved in each stack frame to determine malicious activity. If the process does not involve a privileged resource or a privileged operation, then the process is not analyzed.
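The trust rule that claim 1 and the abstract describe (walk each stack frame as it unwinds, locate the code the frame points into, and treat it as untrusted if that memory is writeable or is part of the stack) can be shown on a simulated process. The following C program is an added example and is not part of the patent or any product it covers; the memory map, the region layout, the stack traces and every address in it are constructed for illustration, and the gate that skips analysis for non-privileged operations follows the abstract's description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Permission bits for a mapped region (assumed model, not the patent's own data structure). */
enum { PERM_R = 1u, PERM_W = 2u, PERM_X = 4u };

typedef struct {
    uintptr_t   base;     /* first address of the region */
    size_t      size;     /* length in bytes */
    unsigned    perms;    /* PERM_* bits */
    bool        is_stack; /* region is the thread's stack */
    const char *name;     /* label used in the report */
} region_t;

typedef enum {
    FRAME_TRUSTED = 0,
    FRAME_UNTRUSTED_WRITABLE, /* code resides in writeable memory */
    FRAME_UNTRUSTED_ON_STACK, /* code resides in memory that is part of the stack */
    FRAME_UNTRUSTED_UNMAPPED  /* return address lies in no known region */
} frame_verdict_t;

/* Constructed memory map standing in for a real process; all addresses are made up. */
const region_t sample_map[] = {
    { 0x00400000u, 0x00100000u, PERM_R | PERM_X, false, "main image .text" },
    { 0x00600000u, 0x00100000u, PERM_R | PERM_W, false, "heap" },
    { 0x7f000000u, 0x00200000u, PERM_R | PERM_X, false, "libc .text" },
    { 0x7ffc0000u, 0x00021000u, PERM_R | PERM_W, true,  "stack" },
};
#define SAMPLE_MAP_LEN (sizeof sample_map / sizeof sample_map[0])

/* Constructed stack traces, innermost frame first (the order a stack unwinds). */
const uintptr_t trace_benign[]   = { 0x7f001234u, 0x00401000u, 0x00401500u };
const uintptr_t trace_heap[]     = { 0x7f001234u, 0x00600100u };
const uintptr_t trace_stack[]    = { 0x7f001234u, 0x7ffc1000u, 0x00401500u };
const uintptr_t trace_unmapped[] = { 0xdeadbeefu };

/* Find the region containing addr, or NULL if it is not mapped. */
static const region_t *find_region(const region_t *map, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].base && addr - map[i].base < map[i].size)
            return &map[i];
    return NULL;
}

/* Apply the claim's rule to the code address of one frame. */
frame_verdict_t classify_frame(const region_t *map, size_t n, uintptr_t code_addr)
{
    const region_t *r = find_region(map, n, code_addr);
    if (r == NULL)         return FRAME_UNTRUSTED_UNMAPPED;
    if (r->is_stack)       return FRAME_UNTRUSTED_ON_STACK;
    if (r->perms & PERM_W) return FRAME_UNTRUSTED_WRITABLE;
    return FRAME_TRUSTED;
}

/* Walk the frames in unwind order. Returns the index of the first untrusted frame
 * (a security violation) or -1 if every frame is trusted. A process that does not
 * involve a privileged resource or operation is not analyzed at all. */
int analyze_stack(const region_t *map, size_t n,
                  const uintptr_t *frames, size_t nframes,
                  bool privileged, frame_verdict_t *why)
{
    frame_verdict_t v = FRAME_TRUSTED;
    int violation = -1;
    if (privileged) {
        for (size_t i = 0; i < nframes; i++) {
            v = classify_frame(map, n, frames[i]);
            if (v != FRAME_TRUSTED) { violation = (int)i; break; }
        }
    }
    if (why) *why = v;
    return violation;
}

static const char *verdict_name(frame_verdict_t v)
{
    switch (v) {
    case FRAME_TRUSTED:            return "trusted";
    case FRAME_UNTRUSTED_WRITABLE: return "code in writeable memory";
    case FRAME_UNTRUSTED_ON_STACK: return "code on the stack";
    default:                       return "code in unmapped memory";
    }
}

int main(void)
{
    struct { const char *label; const uintptr_t *frames; size_t n; } cases[] = {
        { "benign",   trace_benign,   sizeof trace_benign / sizeof trace_benign[0] },
        { "heap",     trace_heap,     sizeof trace_heap / sizeof trace_heap[0] },
        { "stack",    trace_stack,    sizeof trace_stack / sizeof trace_stack[0] },
        { "unmapped", trace_unmapped, sizeof trace_unmapped / sizeof trace_unmapped[0] },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        frame_verdict_t why;
        int idx = analyze_stack(sample_map, SAMPLE_MAP_LEN, cases[i].frames, cases[i].n, true, &why);
        if (idx < 0)
            printf("%-8s: all %zu frames trusted\n", cases[i].label, cases[i].n);
        else
            printf("%-8s: SECURITY VIOLATION at frame %d (0x%lx): %s\n", cases[i].label,
                   idx, (unsigned long)cases[i].frames[idx], verdict_name(why));
    }
    return 0;
}
```

The example stops at the verdict: it does not model the claims' persistence of data between sessions into a protected region of memory, nor the execution profiling that is stored before the walk. On a real system the region table would come from the process's actual mappings and the frames from an unwinder; the decision logic per frame is unchanged.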
14 Claims
6. An apparatus comprising:
memory;
a hardware processor configured to:
intercept a process;
determine that the process involves a privileged resource or a privileged operation;
store execution profiling for the process;
analyze code involved in each stack frame for the process to determine malicious activity and whether the process involves a privileged resource or a privileged operation, wherein each stack frame is analyzed as it unwinds;
determine an origin of the code involved in each stack frame;
determine whether the code involved in each stack frame is trusted, wherein the code is not trusted if the code resides in memory that is writeable or if the code resides in memory that is part of the stack frame;
persist data between sessions based on the determination that the code is trusted, wherein persisting data between sessions includes persisting at least a portion of the data in a protected region of memory; and
trigger a security violation based on a determination that the code is not trusted.
11. A method comprising:
intercepting a process;
determining that the process involves a privileged resource or a privileged operation;
storing execution profiling for the process in memory;
analyzing, using a hardware processor, code involved in each stack frame for the process to determine malicious activity and whether the process involves a privileged resource or a privileged operation, wherein each stack frame is analyzed as it unwinds;
determining an origin of the code involved in each stack frame;
determining whether the code involved in each stack frame is trusted, wherein the code is not trusted if the code resides in memory that is writeable or if the code resides in memory that is part of the stack frame;
persisting data between sessions based on the determination that the code is trusted, wherein persisting data between sessions includes persisting at least a portion of the data in a protected region of memory; and
triggering a security violation based on the determination that the code is not trusted.
14. A system for identification of malicious execution of a process, the system comprising:
memory;
a hardware processor configured for:
intercepting a process;
determining that the process involves a privileged resource or a privileged operation;
storing execution profiling for the process;
analyzing code involved in each stack frame for the process to determine malicious activity and whether the process involves a privileged resource or a privileged operation, wherein each stack frame is examined as it unwinds;
determining an origin of the code involved in each stack frame;
determining whether the code involved in each stack frame is trusted, wherein the code is not trusted if the code resides in memory that is writeable or if the code resides in memory that is part of the stack frame;
persisting data between sessions based on a determination that the code is trusted, wherein persisting data between sessions includes persisting at least a portion of the data in a protected region of memory; and
triggering a security violation based on a determination that the code is not trusted.
Specification