Systems and methods of protecting data from injected malware

US 10,614,210 B2
Filed: 07/29/2016
Issued: 04/07/2020
Est. Priority Date: 07/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method of detecting injected malware, the method comprising:

monitoring, by a virtual memory validator injected into a process executing in a user mode memory space on a computing device, an execution stack of an executing thread of the process;

identifying, by the virtual memory validator on the user mode memory space, a memory address referenced in the execution stack, responsive to the process from the user mode memory space attempting to access a protected resource in a kernel mode memory space;

determining, by the virtual memory validator, that the memory address attempted to be accessed from the user mode memory space refers to a memory region that is designated as executable in the kernel mode memory space;

determining, by the virtual memory validator, that the memory address is outside memory regions identified in a memory range map that specifies memory addresses for a plurality of validated processes including the process; and

identifying, by the virtual memory validator responsive to the determination that the memory address refers to the memory region that is designated as executable in the kernel mode memory space and to the determination that the memory address is outside the memory regions identified in the memory range map, the process as a potential malware process.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided herein are systems and methods for protecting data from injected malware. In some embodiments, a virtual memory validator may execute in user mode memory space on a computing device. The virtual memory validator may monitor an execution stack of an executing thread of a process. The virtual memory validator may identify a memory address referenced in the execution stack, responsive to the process attempting to access a protected resource. The virtual memory validator may determine that the memory address refers to a memory region that is designated as executable. The virtual memory validator may determine that the memory address is outside memory regions identified in a memory range map. The virtual memory validator may, responsive to the determination, identify the process as a potential malware process.

9 Citations

20 Claims

1. A method of detecting injected malware, the method comprising:
- monitoring, by a virtual memory validator injected into a process executing in a user mode memory space on a computing device, an execution stack of an executing thread of the process;
  
  identifying, by the virtual memory validator on the user mode memory space, a memory address referenced in the execution stack, responsive to the process from the user mode memory space attempting to access a protected resource in a kernel mode memory space;
  
  determining, by the virtual memory validator, that the memory address attempted to be accessed from the user mode memory space refers to a memory region that is designated as executable in the kernel mode memory space;
  
  determining, by the virtual memory validator, that the memory address is outside memory regions identified in a memory range map that specifies memory addresses for a plurality of validated processes including the process; and
  
  identifying, by the virtual memory validator responsive to the determination that the memory address refers to the memory region that is designated as executable in the kernel mode memory space and to the determination that the memory address is outside the memory regions identified in the memory range map, the process as a potential malware process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising receiving, by the virtual memory validator, from an action examiner operating in a kernel mode memory space on the computing device, a request to determine whether the process comprises a potential malware process.
  - 3. The method of claim 1, further comprising injecting, by an action examiner operating on the kernel mode memory space on the computing device, the virtual memory validator as a thread or executable module into the process.
  - 4. The method of claim 1, further comprising traversing, by the virtual memory validator, the execution stack of the executing thread to identify each memory address referenced in the execution stack.
  - 5. The method of claim 1, wherein monitoring the execution stack comprises monitoring the execution stack of the executing thread, wherein the executing thread executes in user mode memory space on the computing device.
  - 6. The method of claim 1, further comprising checking, by an action examiner operating on a kernel mode memory space on the computing device, the process against a list of approved processes, responsive to the process attempting to access the protected resource.
  - 7. The method of claim 1, further comprising:
    - determining, by the virtual memory validator, that a second memory address referenced in the execution stack refers to a memory region identified in the memory range map; and
      
      determining, by the virtual memory validator, whether the identified memory region belongs to a legitimate executable module.
  - 8. The method of claim 6, wherein determining that the second memory address refers to a memory region identified in the memory range map further comprises determining that the identified in the memory range map is designated as executable.
  - 9. The method of claim 1, further comprising:
    - identifying, by the virtual memory validator, that second memory address referenced in the execution stack points to an executable module; and
      
      determining, by the virtual memory validator, whether the executable module comprises a legitimate executable module.
  - 10. The method of claim 1, comprising suspending, according to a rule engine of an action examiner, the executing thread responsive to identifying that the process is a potential malware process.

11. A system for detecting injected malware, the system comprising:
- memory space on a computing device, comprising a user mode memory space and a kernel mode memory space; and
  
  a virtual memory validator injected into a process executing in the user mode memory space, the virtual memory validator configured to;
  
  monitor an execution stack of an executing thread of the process executing in the user mode memory space;
  
  identify a memory address referenced in the execution stack, responsive to the process from the user mode memory space attempting to access a protected resource of the kernel mode memory space;
  
  determine that the memory address refers to a memory region attempted to be accessed from the user mode memory space that is designated as executable in the kernel mode memory space;
  
  determine that the memory address is outside memory regions identified in a memory range map that specifies memory addresses for a plurality of validated processes including the process; and
  
  identify, responsive to the determination that the memory address refers to the memory region that is designated as executable in the kernel mode memory space and to the determination that the memory address is outside the memory regions identified in the memory range map, the process as a potential malware process.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the virtual memory validator is further configured to receive, from an action examiner operating in the kernel mode memory space, a request to determine whether the process comprises a potential malware process.
  - 13. The system of claim 11, further comprising an action examiner operating in the kernel mode memory space, configured to inject the virtual memory validator as a thread or executable module into the process.
  - 14. The system of claim 11, wherein the virtual memory validator is further configured to traverse the execution stack of the executing thread to identify each memory address referenced in the execution stack.
  - 15. The system of claim 11, wherein the executing thread executes in user mode memory space on the computing device.
  - 16. The system of claim 11, further comprising an action examiner operating in the kernel mode memory space, configured to check the process against a list of approved processes, responsive to the process attempting to access the protected resource.
  - 17. The system of claim 11, wherein the virtual memory validator is further configured to:
    - determine that a second memory address referenced in the execution stack refers to a memory region identified in the memory range map; and
      
      determine whether the identified memory region belongs to a legitimate executable module.
  - 18. The system of claim 11, wherein the virtual memory validator is further configured to:
    - determine that a second memory address referenced in the execution stack refers to a memory region that is designated as executable and identified in the memory range map; and
      
      determine whether the identified memory region belongs to a legitimate executable module.
  - 19. The system of claim 11, wherein the virtual memory validator is further configured to:
    - identify that second memory address referenced in the execution stack points to an executable module; and
      
      determine whether the executable module comprises a legitimate executable module.
  - 20. The system of claim 11, further comprising an action examiner operating in the kernel mode memory space, the action examiner having a rule engine configured to suspend the executing thread responsive to identifying that the process is a potential malware process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Digital Guardian LLC
Original Assignee
Digital Guardian, Inc.
Inventors
Carson, Dwayne A.
Primary Examiner(s)
Tsang, Henry

Application Number

US15/223,944
Publication Number

US 20170032118A1
Time in Patent Office

1,348 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/52 during program execution, e...

G06F 21/566 Dynamic detection, i.e. det...

Systems and methods of protecting data from injected malware

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods of protecting data from injected malware

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others