Systems and methods of protecting data from injected malware
First Claim
1. A method of detecting injected malware, the method comprising:
monitoring, by a virtual memory validator injected into a process executing in a user mode memory space on a computing device, an execution stack of an executing thread of the process;
identifying, by the virtual memory validator on the user mode memory space, a memory address referenced in the execution stack, responsive to the process from the user mode memory space attempting to access a protected resource in a kernel mode memory space;
determining, by the virtual memory validator, that the memory address attempted to be accessed from the user mode memory space refers to a memory region that is designated as executable in the kernel mode memory space;
determining, by the virtual memory validator, that the memory address is outside memory regions identified in a memory range map that specifies memory addresses for a plurality of validated processes including the process; and
identifying, by the virtual memory validator responsive to the determination that the memory address refers to the memory region that is designated as executable in the kernel mode memory space and to the determination that the memory address is outside the memory regions identified in the memory range map, the process as a potential malware process.
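As an added illustration (not code from the patent or its assignee), the two determinations of claim 1 applied to a constructed stack snapshot: each return address is checked against the memory layout for the executable flag and against a memory range map of validated modules, and a frame that is executable but outside the map is counted. Region layout, addresses and all function and type names are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added illustration of the claimed check, not the patent's own code.
 * Region layout, addresses and function names are constructed values. */
typedef struct { uintptr_t base, limit; bool executable; } Region;
typedef struct { const Region *ranges; size_t count; } RangeMap;

static bool in_range(const Region *r, uintptr_t addr) {
    return addr >= r->base && addr < r->limit;
}
/* Memory range map: address ranges of the validated modules. */
static bool in_range_map(const RangeMap *map, uintptr_t addr) {
    for (size_t i = 0; i < map->count; i++)
        if (in_range(&map->ranges[i], addr)) return true;
    return false;
}
/* Does addr fall in a region the memory manager marks executable? */
static bool is_executable(const Region *layout, size_t n, uintptr_t addr) {
    for (size_t i = 0; i < n; i++)
        if (in_range(&layout[i], addr) && layout[i].executable) return true;
    return false;
}
/* The claim's two determinations applied to every return address captured
 * when the thread touches a protected resource; returns the suspicious count. */
int validate_stack(const uintptr_t *frames, size_t nframes,
                   const Region *layout, size_t nlayout, const RangeMap *map) {
    int hits = 0;
    for (size_t i = 0; i < nframes; i++)
        if (is_executable(layout, nlayout, frames[i]) &&
            !in_range_map(map, frames[i]))
            hits++;
    return hits;
}

/* Constructed sample: two validated modules, a data-only heap and one
 * executable region the validator never saw mapped from a module file. */
static const Region k_layout[] = {
    { 0x00400000, 0x00450000, true  },  /* main image, validated */
    { 0x77000000, 0x77100000, true  },  /* system DLL, validated */
    { 0x00800000, 0x00900000, false },  /* heap, not executable */
    { 0x02a00000, 0x02a10000, true  },  /* anonymous executable memory */
};
static const RangeMap k_map = { k_layout, 2 };  /* only the first two entries */
/* Stack snapshot whose middle frame returns into the unvalidated region. */
int demo_suspicious_frames(void) {
    const uintptr_t frames[] = { 0x77001234, 0x02a00040, 0x00401000 };
    return validate_stack(frames, 3, k_layout, 4, &k_map);
}
```

A frame returning into the data-only heap is not counted, since the claim requires the region to be designated executable; only the executable region absent from the range map is flagged.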
Abstract
Provided herein are systems and methods for protecting data from injected malware. In some embodiments, a virtual memory validator may execute in user mode memory space on a computing device. The virtual memory validator may monitor an execution stack of an executing thread of a process. The virtual memory validator may identify a memory address referenced in the execution stack, responsive to the process attempting to access a protected resource. The virtual memory validator may determine that the memory address refers to a memory region that is designated as executable. The virtual memory validator may determine that the memory address is outside memory regions identified in a memory range map. The virtual memory validator may, responsive to the determination, identify the process as a potential malware process.
20 Claims
1. A method of detecting injected malware, the method comprising the steps set out under First Claim above.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10 (not reproduced on this page).
11. A system for detecting injected malware, the system comprising:
memory space on a computing device, comprising a user mode memory space and a kernel mode memory space; and
a virtual memory validator injected into a process executing in the user mode memory space, the virtual memory validator configured to:
monitor an execution stack of an executing thread of the process executing in the user mode memory space;
identify a memory address referenced in the execution stack, responsive to the process from the user mode memory space attempting to access a protected resource of the kernel mode memory space;
determine that the memory address refers to a memory region attempted to be accessed from the user mode memory space that is designated as executable in the kernel mode memory space;
determine that the memory address is outside memory regions identified in a memory range map that specifies memory addresses for a plurality of validated processes including the process; and
identify, responsive to the determination that the memory address refers to the memory region that is designated as executable in the kernel mode memory space and to the determination that the memory address is outside the memory regions identified in the memory range map, the process as a potential malware process.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20 (not reproduced on this page).