Code injection technique for remediation at an endpoint of a network
First Claim
1. A method comprising:
receiving an object at an endpoint on a network, determining, by a virtual machine monitor, at least whether the object is suspicious as including possible malware configured to attempt a modification of one or more kernel resources;
instantiating, by the virtual machine monitor, a virtual machine as a container including an operating system process executing contents of the object, the operating system process to access one or more kernel resources;
monitoring one or more operations of the operating system process included in the virtual machine as the operating system process accesses the one or more kernel resources of the endpoint; and
injecting code into a portion of memory associated with an address space of the operating system process during instrumentation of the virtual machine, the injected code being configured to remediate the modification of the one or more kernel resources accessed by the operating system process by restoring an original state of the one or more kernel resources without terminating the operating system process.
Dependent claims: 2-12.
Abstract
A technique injects code into a suspicious process containing malware executing on a node to enable remediation at the node. Illustratively, the technique may inject code into the suspicious process during instrumentation of the malware in a micro-virtual machine (VM) to monitor malicious behavior and to enable remediation of that behavior at a node embodied as an endpoint. According to the technique, code may be injected into the suspicious process during instrumentation in the micro-VM of the endpoint to restore states of kernel resources (e.g., memory) that may be infected (i.e., altered) by behavior (actions) of the malware.
32 Claims
13. A method to remediate malware, included as part of an object, that is infecting an endpoint, the method comprising:
determining, by a virtual machine monitor, at least whether the object is suspicious as possibly including malware configured to attempt a modification of one or more kernel resources;
instantiating, by the virtual machine monitor, a virtual machine to process an operating system process configured to execute contents of an object that include possible malware, the operating system process having instructions for a version of an application vulnerable to the malware;
monitoring one or more operations of the operating system process included in the virtual machine as the operating system process accesses one or more kernel resources; and
injecting code into a portion of memory associated with an address space of the operating system process during instrumentation of the virtual machine, the injected code being configured to remediate the modification of at least one of the one or more kernel resources accessed by the operating system process by at least restoring an original state of the at least one of the one or more kernel resources without terminating the operating system process.
Dependent claims: 14-21.
22. A system comprising:
a network interface connected to a network;
a memory coupled to the network interface and configured to store an object, a module, a virtual machine monitor and a virtual machine; and
a central processing unit (CPU) coupled to the memory and adapted to execute the module, virtual machine monitor and virtual machine, wherein the module and virtual machine monitor are configured to:
determine, by the virtual machine monitor, at least whether the object is suspicious as including possible malware configured to attempt a modification of one or more kernel resources,
instantiate, by the virtual machine monitor, the virtual machine as a container to include an operating system process executing contents of the object, the operating system process to access one or more kernel resources,
monitor one or more operations of the operating system process included in the virtual machine as the operating system process accesses one or more kernel resources, and
inject code into a portion of the memory associated with an address space of the operating system process during instrumentation of the virtual machine, the injected code being configured to remediate the modification of the one or more kernel resources accessed by the operating system process by restoring an original state of the one or more kernel resources without terminating the operating system process.
Dependent claims: 23-32.
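As an added illustration, not taken from the patent or any product it describes, the following Python model shows the monitor-and-restore loop the independent claims share: a baseline snapshot of kernel resources is taken when the contained process is instantiated, the process's writes to those resources are recorded during monitoring, and the remediation step restores every altered resource to its original state while leaving the process running. The dispatch table, service names, handler addresses and the process's operations are constructed stand-ins for a real hypervisor's view of kernel state.

```python
from dataclasses import dataclass, field

@dataclass
class KernelResources:
    """Constructed stand-in for kernel state the contained process may alter:
    a dispatch table mapping service name -> handler address."""
    dispatch_table: dict = field(default_factory=dict)

    def snapshot(self) -> dict:
        # Copy taken at instantiation: the "original state" the claim restores.
        return dict(self.dispatch_table)

@dataclass
class MonitorReport:
    modified: list       # kernel resources the process altered
    restored: list       # resources the remediation put back
    process_alive: bool  # remediation never terminates the process

def instrument(kernel, operations, remediate=True) -> MonitorReport:
    """Run the process's (constructed) operations against kernel resources while
    monitoring; ops are ("read", name) or ("write", name, value) tuples."""
    baseline = kernel.snapshot()
    modified = []
    for op in operations:
        if op[0] != "write":
            continue                        # reads do not alter kernel state
        _, name, value = op
        kernel.dispatch_table[name] = value
        if baseline.get(name) != value and name not in modified:
            modified.append(name)           # modification seen by the monitor
    restored = []
    if remediate:
        # Remediation touches kernel resources only; the process keeps running.
        for name in modified:
            if name in baseline:
                kernel.dispatch_table[name] = baseline[name]  # unhook entry
            else:
                del kernel.dispatch_table[name]               # drop added entry
            restored.append(name)
    return MonitorReport(modified, restored, process_alive=True)

def demo() -> MonitorReport:
    # Constructed sample: a benign read, a hooked entry and an added entry.
    kernel = KernelResources({"NtCreateFile": 0x1000, "NtOpenProcess": 0x2000})
    ops = [("read", "NtCreateFile"),
           ("write", "NtOpenProcess", 0xDEAD),
           ("write", "NtNewService", 0xBEEF)]
    return instrument(kernel, ops)
```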
Specification