HOOKING NONEXPORTED FUNCTIONS BY THE OFFSET OF THE FUNCTION

US 20110131657A1
Filed: 12/02/2009
Published: 06/02/2011
Est. Priority Date: 12/02/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

identifying a binary executable in a host computer memory, the binary executable being allocated memory space in the host computer memory, the memory space addressed at a first memory location;

accessing offset data associated with the binary executable, the offset data identifying an offset that defines a second memory location relative to the first memory location, the second memory location different from the first memory location, the second memory location storing a nonexported function within the binary executable; and

modifying instructions at the second memory location to route a code path to a host protection processor.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes accessing offset data associated with a binary executable, the offset data including an offset of a nonexported function; and modifying instructions at the offset. In another aspect, a method includes analyzing a reference generated for a binary executable, identifying a unique identifier for the binary executable, determining an offset of a nonexported function in the binary executable, and generating offset data that includes the offset and the unique identifier.

11 Citations

View as Search Results

13 Claims

1. A computer-implemented method, comprising:
- identifying a binary executable in a host computer memory, the binary executable being allocated memory space in the host computer memory, the memory space addressed at a first memory location;
  
  accessing offset data associated with the binary executable, the offset data identifying an offset that defines a second memory location relative to the first memory location, the second memory location different from the first memory location, the second memory location storing a nonexported function within the binary executable; and
  
  modifying instructions at the second memory location to route a code path to a host protection processor.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the nonexported function is called by an exported function.
  - 3. The method of claim 1, wherein accessing offset data comprises:
    - identifying a hash ID that uniquely identifies the binary executable; and
      
      identifying an offset associated with the binary executable based on the hash ID.
  - 4. The method of claim 1, wherein the offset data further comprises a version string for the binary executable.
  - 5. The method of claim 1, wherein the offset data further comprises a byte pattern adjacent to the offset.

6. A computer-implemented method, comprising:
- analyzing a reference file generated for a binary executable, the reference file containing a representation of instructions that are in the binary executable;
  
  identifying a unique identifier for the binary executable;
  
  locating a nonexported function in the binary executable from the analysis of the reference file;
  
  determining an offset for the nonexported function, the offset being the number of bytes between the nonexported function and the beginning of the binary executable; and
  
  generating offset data that includes the offset and the unique identifier.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein the reference file is a symbol file.
  - 8. The method of claim 6, wherein the offset data further comprises a version string for the binary executable.
  - 9. The method of claim 6, wherein the offset data further comprises a byte pattern adjacent to the offset.

10. A system, comprising a file analyzer configured to analyze a reference file generated for a binary executable, the reference file comprising a representation of instructions that are in the binary executable;
- locate a nonexported function in the reference file; and
  
  determine an offset for the nonexported function, the offset being the number of bytes between the nonexported function and the beginning of the binary executable.

11. A system, comprising:
- a host computer memory configured to store data for a computer;
  
  a hook by offset engine that performs operations comprising;
  
  identifies a binary executable in the host computer memory, the binary executable being allocated memory space in the host computer memory, the memory space addressed at a first memory location;
  
  accesses offset data associated with the binary executable, the offset data identifying an offset that defines a second memory location relative to the first memory location, the second memory location storing a nonexported function within the binary executable; and
  
  modifies instructions at the second memory location to route a code path to a host protection processor.a host protection processor that performs operations comprising;
  
  determining if execution of the nonexported function results in exploitation of a vulnerability;
  
  if the execution of the nonexported function will not result in exploitation of the vulnerability, then allowing the execution of the nonexported function; and
  
  if execution of the nonexported function will result in exploitation of the vulnerability, then executing a host protection process on the vulnerability.
- View Dependent Claims (12, 13)
- - 12. The system of claim 11, wherein the host protection process is an identification of an attempt to exploit the vulnerability.
  - 13. The system of claim 11, wherein the host protection process is preventing the execution of the nonexported function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Nojiri, Daisuke

Granted Patent

US 8,484,753 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/54 by adding security routines...

G06F 21/566 Dynamic detection, i.e. det...

HOOKING NONEXPORTED FUNCTIONS BY THE OFFSET OF THE FUNCTION

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

HOOKING NONEXPORTED FUNCTIONS BY THE OFFSET OF THE FUNCTION

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links