Computer System and Method for Preventing Dynamic-Link Library Injection Attack

US 20110179430A1
Filed: 09/20/2010
Published: 07/21/2011
Est. Priority Date: 01/18/2010
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

a monitoring unit to monitor an operation by which a first process attempts to dynamically link an executable code library to a second process; and

an intercept unit to intercept the link of the executable code library when the operation occurs.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system and method for preventing a Dynamic-Link Library (DLL) injection attack are provided. The computer system monitors an operation where a process attempts to dynamically link an executable code library to another process, and intercepts the dynamic link of the executable code library.

Citations

20 Claims

1. A computer system comprising:
- a monitoring unit to monitor an operation by which a first process attempts to dynamically link an executable code library to a second process; and
  
  an intercept unit to intercept the link of the executable code library when the operation occurs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer system of claim 1, wherein the monitoring unit comprises:
    - a call determination unit to determine whether a thread creation function is called; and
      
      a connection checking unit to check whether the operation occurs using a parameter of a function, wherein the function is executed by function hooking at a point in time when the thread creation function is called.
  - 3. The computer system of claim 2, wherein the parameter comprises a target process, a function to be executed by a thread to be created, and a parameter of the function to be executed, andwherein the connection checking unit checks that the operation occurs when the target process is different from the first process, the thread is used to execute a function for loading a code library, and the parameter of the function to be executed is a name of a file of the executable code library.
  - 4. The computer system of claim 1, wherein the monitoring unit comprises a call determination unit to determine whether a thread creation function is called, andwherein the intercept unit comprises:
    - a connection checking unit to check whether the operation occurs using a parameter of a function, wherein the function is executed by function hooking at a point in time when the thread creation function is called; and
      
      a termination unit to terminate a thread that is created in association with the operation.
  - 5. The computer system of claim 4, wherein the parameter comprises a target process, a function to be executed by a thread to be created, and a parameter of the function to be executed, andwherein the connection checking unit checks that the operation occurs when the target process is different from the first process, the thread is used to execute a function for loading a code library, and the parameter of the function to be executed is a name of a file of the executable code library.
  - 6. The computer system of claim 1, wherein the intercept unit terminates a thread created in association with the operation and intercepts the link.
  - 7. The computer system of claim 1, further comprising:
    - an interface unit to receive a user'"'"'s input and to determine whether to operate the monitoring unit based on the user'"'"'s input.
  - 8. The computer system of claim 1, further comprising:
    - an interface unit to output information about an occurrence of the operation using an output device.
  - 9. The computer system of claim 1, wherein the executable code library comprises a Dynamic Link Library (DLL).

10. A method of preventing a library injection attack in a computer system, the method comprising:
- monitoring an operation by which a first process attempts to dynamically link an executable code library to a second process; and
  
  intercepting the link of the executable code library when the operation occurs.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein the monitoring comprises:
    - determining whether a thread creation function is called; and
      
      checking whether the operation occurs using a parameter of a function, wherein the function is executed by function hooking at a point in time when the thread creation function is called.
  - 12. The method of claim 11, wherein the parameter comprises a target process, a function to be executed by a thread to be created, and a parameter of the function to be executed, andwherein the checking comprises checking that the operation occurs when the target process is different from the first process, the thread is used to execute a function for loading a code library, and the parameter of the function to be executed is a name of a file of the executable code library.
  - 13. The method of claim 10, wherein the monitoring comprises determining whether a thread creation function is called, andwherein the intercepting comprises:
    - checking whether the operation occurs using a parameter of a function, the function being executed by function hooking at a point in time when the thread creation function is called; and
      
      terminating a thread that is created in association with the operation.
  - 14. The method of claim 13, wherein the parameter comprises a target process, a function to be executed by a thread to be created, and a parameter of the function to be executed, andwherein the checking comprises checking that the operation occurs when the target process is different from the first process, the thread is used to execute a function for loading a code library, and the parameter of the function to be executed is a name of a file of the executable code library.
  - 15. The method of claim 10, wherein the intercepting comprises terminating a thread created in association with the operation, and intercepting the link.
  - 16. The method of claim 10, further comprising:
    - determining whether to monitor the operation based on a user'"'"'s input.
  - 17. The method of claim 10, further comprising:
    - outputting information concerning an occurrence of the operation using an output device.

18. A computer-readable storage medium storing a program to cause a processor to execute a method of preventing a library injection attack in a computer system, the method comprising:
- monitoring an operation by which a first process attempts to dynamically link an executable code library to a second process; and
  
  intercepting the link of the executable code library when the operation occurs.
- View Dependent Claims (19, 20)
- - 19. The computer readable storage medium of claim 18, wherein the monitoring comprises:
    - determining whether a thread creation function is called; and
      
      checking whether the operation occurs using a parameter of a function, wherein the function is executed by function hooking at a point in time when the thread creation function is called.
  - 20. The computer readable storage medium of claim 19, wherein the parameter comprises a target process, a function to be executed by a thread to be created, and a parameter of the function to be executed, andwherein the checking comprises checking that the operation occurs when the target process is different from the first process, the thread is used to execute a function for loading a code library, and the parameter of the function to be executed is a name of a file of the executable code library.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
Kim, Hwan Joon, Kim, Eun Ah, Jin, Weon Il

Granted Patent

US 8,966,511 B2
Time in Patent Office

Days
Field of Search
US Class Current

719/331
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 9/44521 Dynamic linking or loading;...

Computer System and Method for Preventing Dynamic-Link Library Injection Attack

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer System and Method for Preventing Dynamic-Link Library Injection Attack

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links