Code injection technique for remediation at an endpoint of a network

US 10,474,813 B1
Filed: 10/23/2015
Issued: 11/12/2019
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an object at an endpoint on a network,determining, by a virtual machine monitor, at least whether the object is suspicious as including possible malware configured to attempt a modification of one or more kernel resources;

instantiating, by the virtual machine monitor, a virtual machine as a container including an operating system process executing contents of the object, the operating system process to access one or more kernel resources;

monitoring one or more operations of the operating system process included in the virtual machine as the operating system process accesses the one or more kernel resources of the endpoint; and

injecting code into a portion of memory associated with an address space of the operating system process during instrumentation of the virtual machine, the injected code being configured to remediate the modification of the one or more kernel resources accessed by the operating system process by restoring an original state of the one or more kernel resources without terminating the operating system process.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique injects code into a suspicious process containing malware executing on a node to enable remediation at the node. Illustratively, the technique may inject code into the suspicious process during instrumentation of the malware in a micro-virtual machine (VM) to monitor malicious behavior and to enable remediation of that behavior at a node embodied as an endpoint. According to the technique, code may be injected into the suspicious process during instrumentation in the micro-VM of the endpoint to restore states of kernel resources (e.g., memory) that may be infected (i.e., altered) by behavior (actions) of the malware.

Citations

32 Claims

1. A method comprising:
- receiving an object at an endpoint on a network,determining, by a virtual machine monitor, at least whether the object is suspicious as including possible malware configured to attempt a modification of one or more kernel resources;
  
  instantiating, by the virtual machine monitor, a virtual machine as a container including an operating system process executing contents of the object, the operating system process to access one or more kernel resources;
  
  monitoring one or more operations of the operating system process included in the virtual machine as the operating system process accesses the one or more kernel resources of the endpoint; and
  
  injecting code into a portion of memory associated with an address space of the operating system process during instrumentation of the virtual machine, the injected code being configured to remediate the modification of the one or more kernel resources accessed by the operating system process by restoring an original state of the one or more kernel resources without terminating the operating system process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the injected code executes in the portion of the memory associated with the address space of the operating system process to effect the remediation of the one or more kernel resources.
  - 3. The method of claim 1 wherein the injecting of the code comprises:
    - overwriting the object in the portion of the memory, and wherein the one or more kernel resources include locations in the portions of the memory storing the object.
  - 4. The method of claim 1 further comprising:
    - capturing the original state of the one or more kernel resources prior to the operating system process accessing the one or more kernel resources; and
      
      executing the injected code to restore the modification of the one or more kernel resources to the original state.
  - 5. The method of claim 1 wherein a message having the injected code is received via the network at the endpoint, the message instructing the endpoint to restore the one or more kernel resources.
  - 6. The method of claim 1 wherein the modification to the one or more kernel resources is prevented by the injected code, thereby thwarting the attempted modification of the one or more kernel resources by the object.
  - 7. The method of claim 1 wherein the operating system process includes instructions for a version of an application having known malware in the object, the application stored in a file unpatched to prevent the modification of the one or more kernel resources.
  - 8. The method of claim 1 wherein a virtual machine monitor injects the code into the operating system process in response to a capability violation of a protection domain associated with the operating system process.
  - 9. The method of claim 1 wherein an original flow of execution of the operating system process is restored without altering the logic of the software instructions of the operating system process.
  - 10. The method of claim 1 wherein the instantiating of the virtual machine as the container comprises creating an instance from another virtual machine that is substantially similar to the VM, but includes different instrumentation logic.
  - 11. The method of claim 10 wherein the injecting of the code comprises:
    - overwriting the object in the portion of memory, and wherein the one or more kernel resources include locations in the portions of the memory storing the object.
  - 12. The method of claim 1, wherein the determining that the operating system process is suspicious includes conducting a static analysis on the object, the static analysis includes one or more non-behavioral analyses of the object in order to detect, without execution of the object, anomalous characteristics associated with the object.

13. A method to remediate malware, included as part of an object, that is infecting an endpoint, the method comprising:
- determining, by a virtual machine monitor, at least whether the object is suspicious as possibly including malware configured to attempt a modification of one or more kernel resources;
  
  instantiating, by the virtual machine monitor, a virtual machine to process an operating system process configured to execute contents of an object that include possible malware, the operating system process having instructions for a version of an application vulnerable to the malware;
  
  monitoring one or more operations of the operating system process included in the virtual machine as the operating system process accesses one or more kernel resources; and
  
  injecting code into a portion of memory associated with an address space of the operating system process during instrumentation of the virtual machine, the injected code being configured to remediate the modification of at least one of the one or more kernel resources accessed by the operating system process by at least restoring an original state of the at least one of the one or more kernel resources without terminating the operating system process.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13 wherein the injected code executes in the portion of the memory associated with the address space of the operating system process to effect the remediation of the at least one of the one or more kernel resources.
  - 15. The method of claim 13 further comprising:
    - capturing the original state of the one or more kernel resources prior to the operating system process accessing the one or more kernel resources; and
      
      executing the injected code to restore the modification of the at least one of the one or more kernel resources to the original state.
  - 16. The method of claim 13 wherein a message having the injected code is received via a network at the endpoint, the message instructing the endpoint to restore the modification of the at least one kernel resource of the one or more kernel resources.
  - 17. The method of claim 13 wherein the modification to the at least one of the one or more kernel resources is prevented by the injected code, thereby thwarting the modification of the at least one of the one or more kernel resources by the object.
  - 18. The method of claim 13 wherein the operating system process includes instructions for the version of the application vulnerable to the known malware, the application being stored in a file unpatched from preventing the attempted modification of the one or more kernel resources.
  - 19. The method of claim 13 wherein the virtual machine monitor injects the code into the operating system process in response to a capability violation of a protection domain associated with the operating system process.
  - 20. The method of claim 13 wherein an original flow of execution of the operating system process is restored without terminating the operating system process.
  - 21. The method of claim 13, wherein the determining that the operating system process is suspicious includes conducting a static analysis on the object, the static analysis includes one or more non-behavioral analyses of the object in order to detect, without execution of the object, anomalous characteristics associated with the object.

22. A system comprising:
- a network interface connected to a network;
  
  a memory coupled to the network interface and configured to store an object, a module, a virtual machine monitor and a virtual machine; and
  
  a central processing unit (CPU) coupled to the memory and adapted to execute the module, virtual machine monitor and virtual machine, wherein the module and virtual machine monitor are configured to;
  
  determine, by the virtual machine monitor, at least whether the object is suspicious as including possible malware configured to attempt a modification of one or more kernel resources,instantiate, by the virtual machine monitor, the virtual machine as a container to include an operating system process executing contents of the object, the operating system process to access one or more kernel resources,monitor one or more operations of the operating system process included in the virtual machine as the operating system process accesses one or more kernel resources, andinject code into a portion of the memory associated with an address space of the operating system process during instrumentation of the virtual machine, the injected code being configured to remediate the modification of the one or more kernel resources accessed by the operating system process by restoring an original state of the one or more kernel resources without terminating the operating system process.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 23. The system of claim 22 wherein the injected code executes in the portion of the memory associated with the address space of the operating system process to effect the remediation of the one or more kernel resources.
  - 24. The system of claim 22 wherein the injected code overwrites the object in the portion of the memory, and wherein the one or more kernel resources include locations in the portion of the memory storing the object.
  - 25. The system of claim 22 wherein the module and the virtual machine monitor are further configured to:
    - capture the original state of the one or more kernel resources prior to the operating system process accessing the one or more kernel resources; and
      
      execute the injected code to restore the modification of the one or more kernel resources to the original state.
  - 26. The system of claim 22 wherein a message having the injected code is received via the network at the system from a cloud service, the message instructing the system to restore the one or more kernel resources.
  - 27. The system of claim 22 wherein the modification to the one or more kernel resources is prevented by the injected code, thereby thwarting the modification of the one or more kernel resources by the object.
  - 28. The system of claim 22 wherein the operating system process includes instructions for a version of an application having known malware in the object, the application stored in a file unpatched to prevent attempted modification of the one or more kernel resources by the malware.
  - 29. The system of claim 22 wherein the virtual machine monitor injects the code into the operating system process in response to a capability violation of a protection domain associated with the operating system process.
  - 30. The system of claim 22 wherein an original flow of execution of the operating system process is restored without altering the logic of the software instructions of the operating system process.
  - 31. The system of claim 26 wherein the message includes instructions relative to a beginning of execution of the operating process to inject the code.
  - 32. The system of claim 22, wherein the CPU determining that the operating system process is suspicious by at least conducting a static analysis on the object, the static analysis includes one or more non-behavioral analyses of the object in order to detect, without execution of the object, anomalous characteristics associated with the object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Ismael, Osman Abdoul
Primary Examiner(s)
Doan, Trang T

Application Number

US14/921,672
Time in Patent Office

1,481 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 63/145   the attack involving the pr...

Code injection technique for remediation at an endpoint of a network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Code injection technique for remediation at an endpoint of a network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links