METHODS OF DETECTION OF SOFTWARE EXPLOITATION

US 20150020198A1
Filed: 07/15/2013
Published: 01/15/2015
Est. Priority Date: 07/15/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:

gathering information about processes and threads executing on a computing device;

monitoring instructions executed by a thread that is currently running; and

performing the following steps if a function to create a process or a function to load a library is calledexamining a thread information block,determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block,examining the contents of a plurality of memory addresses, anddetermining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting software exploitation broadly comprises the steps of gathering information about processes and threads executing on a computing device, monitoring instructions executed by a thread that is currently running, performing the following steps if a function to create a process or a function to load a library is called, examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, and determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions.

Citations

15 Claims

1. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes and threads executing on a computing device;
  
  monitoring instructions executed by a thread that is currently running; and
  
  performing the following steps if a function to create a process or a function to load a library is calledexamining a thread information block,determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block,examining the contents of a plurality of memory addresses, anddetermining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-readable storage medium of claim 1, wherein the information includes the starting address of the thread.
  - 3. The computer-readable storage medium of claim 1, wherein the program further comprises the step of recording in an internal log that the address included in the stack pointer is not in the range of stack addresses if the address included in the stack pointer is not in the range of stack addresses.
  - 4. The computer-readable storage medium of claim 1, wherein the program further comprises the step of displaying a message to a user that a possible software exploit has been detected if the address included in the stack pointer is not in the range of stack addresses.
  - 5. The computer-readable storage medium of claim 1, wherein the program further comprises the step of recording in an internal log that the first plurality of no-operation instructions followed by shell code followed by the second plurality of no-operation instructions was detected if the first plurality of no-operation instructions followed by shell code followed by the second plurality of no-operation instructions was detected.
  - 6. The computer-readable storage medium of claim 1, wherein the program further comprises the step of displaying a message to a user that a possible software exploit has been detected if the first plurality of no-operation instructions followed by shell code followed by the second plurality of no-operation instructions was detected.

7. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes and threads executing on a computing device;
  
  monitoring instructions executed by a thread that is currently running; and
  
  performing the following steps if a function to create a process or a function to load a library is calledexamining a plurality of items on a stack,determining instructions that placed items on the stack,determining whether the instructions include valid subroutine calls, anddetermining whether the instructions are located in an address space for executable code.
- View Dependent Claims (8, 9, 10)
- - 8. The computer-readable storage medium of claim 7, wherein the items placed on the stack include return addresses for subroutine calls and for each return address, examining an address before the return address and determining whether the address includes a valid subroutine call.
  - 9. The computer-readable storage medium of claim 7, wherein the program further comprises the step of determining whether the stack includes a return address for a dynamic link library that created the thread.
  - 10. The computer-readable storage medium of claim 7, wherein the program further comprises the step of determining whether a first address of the stack includes a start address of the thread.

11. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes and threads executing on a computing device;
  
  monitoring instructions executed by a thread that is currently running; and
  
  performing the following steps if a function to create a process or a function to load a library is calledexamining a plurality of items on a stack,examining a chain of exception handlers, each exception handler including a first address pointing to the next exception handler and a second address pointing to instructions for handling an exception, anddetermining for each exception handler whether the second address is located in an address space for executable code.
- View Dependent Claims (12, 13)
- - 12. The computer-readable storage medium of claim 11, wherein the program further comprises the step of determining for each exception handler whether the first address is within the stack.
  - 13. The computer-readable storage medium of claim 11, wherein the program further comprises the step of determining for each exception handler whether the first address points to a previous exception handler.

14. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes, threads, and applets executing on a computing device;
  
  monitoring instructions executed by processes, threads, and applets that are currently running;
  
  monitoring any file that is created by the applets;
  
  determining whether the file is being executed as an additional process; and
  
  determining whether the file is being loaded as a library.

15. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes, threads, and applets executing on a computing device;
  
  monitoring instructions executed by processes, threads, and applets that are currently running;
  
  utilizing a programming interface; and
  
  determining whether a system.setsecuritymanager(null) call is made followed by a processbuilder.start( ) call.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ESET, spol. s.r.o.
Original Assignee
ESET, spol. s.r.o.
Inventors
Mirski, Pawel, Hlavaty, Peter, Kosinar, Peter

Granted Patent

US 8,943,592 B1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

METHODS OF DETECTION OF SOFTWARE EXPLOITATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS OF DETECTION OF SOFTWARE EXPLOITATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links