METHODS, SYSTEMS, AND MEDIA FOR DETECTING AND PREVENTING MALCODE EXECUTION
Abstract
A system for detecting and halting execution of malicious code includes a kernel-based system call interposition mechanism and a libc function interception mechanism. The kernel-based system call interposition mechanism detects a system call request from an application, determines a memory region from which the system call request emanates, and halts execution of the code responsible for the call request if the memory region from which the system call request emanates is a data memory region. The libc function interception mechanism maintains an alternative wrapper function for each of the relevant standard libc routines, intercepts a call from an application to one or more libc routines and redirects the call into the corresponding alternative wrapper function.
98 Citations
37 Claims
1-20. (canceled)
21. A method for detecting and halting execution of malicious code, the method comprising:
creating a plurality of wrapper functions that each correspond to one of a plurality of library functions in an application; intercepting a system call request from the application to a library function; redirecting the system call request to a wrapper function from the plurality of created wrapper functions that corresponds to the library function; using the wrapper function to verify whether return addresses associated with one or more intermediate functions in the system call request are located in write protected memory regions; and executing the system call request based at least in part on the verification.

Dependent claims: 22, 23, 24, 25, 26, 27, 28.
29. A system for detecting and halting execution of malicious code, the system comprising:
a processor that: creates a plurality of wrapper functions that each correspond to one of a plurality of library functions in an application; intercepts a system call request from the application to a library function; redirects the system call request to a wrapper function from the plurality of created wrapper functions that corresponds to the library function; uses the wrapper function to verify whether return addresses associated with one or more intermediate functions in the system call request are located in write protected memory regions; and executes the system call request based at least in part on the verification.

Dependent claims: 30, 31, 32, 33, 34, 35, 36.
37. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting and halting execution of malicious code, the method comprising:
creating a plurality of wrapper functions that each correspond to one of a plurality of library functions in an application; intercepting a system call request from the application to a library function; redirecting the system call request to a wrapper function from the plurality of created wrapper functions that corresponds to the library function; using the wrapper function to verify whether return addresses associated with one or more intermediate functions in the system call request are located in write protected memory regions; and executing the system call request based at least in part on the verification.
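The abstract and independent claims 21, 29 and 37 describe the same check from the user-space side: a wrapper substituted for a libc routine looks at the return addresses that led to the call and refuses to proceed if any of them lies in writable (data) memory, the hallmark of code injected into a stack, heap or .bss buffer. The following is an added illustration of that check written for this page; it is not the patent's own implementation and is not drawn from any product. It assumes Linux (it classifies addresses by parsing /proc/self/maps) and a GCC/Clang compiler (for __builtin_return_address). The names region_is_writable, verify_return_chain, guarded_system, benign_caller, scratch_buffer and simulated_injected_chain are illustrative. The wrapper shown inspects only its immediate caller's return address; the claims speak of "one or more intermediate functions", so a full implementation would walk the whole chain of frames and pass every return address to verify_return_chain.

```c
/* Added example (not the patent's code): a libc-wrapper style check that a
 * call into a sensitive routine originates from write-protected memory.
 * Assumes Linux (/proc/self/maps) and GCC/Clang builtins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Classify an address by the permissions of the mapping that contains it.
 * Returns 1 if the mapping is writable ('w' in the perms column), 0 if it is
 * write-protected, and -1 if the address is unmapped or the maps file cannot
 * be read. Treating -1 as a violation is the conservative choice. */
int region_is_writable(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -1;
    uintptr_t a = (uintptr_t)addr;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[5];
        /* Each line begins "start-end perms", e.g. "55d5c8e0f000-55d5c8e10000 r-xp ..." */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (a >= lo && a < hi) {
            result = (perms[1] == 'w');
            break;
        }
    }
    fclose(maps);
    return result;
}

/* Verify a captured chain of return addresses (one per intermediate frame).
 * Returns the index of the first address that is not in write-protected
 * memory, or -1 if every address passes. */
int verify_return_chain(const void *const *addrs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (region_is_writable(addrs[i]) != 0) return (int)i;
    return -1;
}

/* Writable scratch area standing in for an attacker-controlled data buffer
 * (the kind of region from which injected code would run). Lives in .bss. */
char scratch_buffer[64];

/* Wrapper for system(3) in the style of the claimed alternative wrapper
 * functions: refuse the call unless the immediate caller's return address is
 * in write-protected memory. noinline keeps frame 0 meaningful. */
__attribute__((noinline)) int guarded_system(const char *cmd)
{
    const void *ret = __builtin_return_address(0);
    if (region_is_writable(ret) != 0) {
        fprintf(stderr, "guarded_system: return address %p is in data memory, refusing\n", ret);
        return -1;
    }
    return system(cmd);
}

/* A benign caller compiled into .text; the frame guarded_system inspects. */
__attribute__((noinline)) int benign_caller(void)
{
    return guarded_system("true");
}

/* Constructed chain simulating an injected-code frame: the first return
 * address is legitimate .text, the second points into scratch_buffer.
 * verify_return_chain should flag index 1. */
int simulated_injected_chain(void)
{
    const void *chain[2] = { (const void *)benign_caller, scratch_buffer };
    return verify_return_chain(chain, 2);
}
```

On a PIE binary the code mapping shows as r-xp and .bss as rw-p, so a function address classifies as 0 and scratch_buffer as 1; the kernel-side interposition described in the abstract applies the same test to the instruction pointer at the point of the system call rather than to the return-address chain.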
Specification