METHODS OF DETECTION OF SOFTWARE EXPLOITATION
First Claim
1. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes and threads executing on a computing device;
- monitoring instructions executed by a thread that is currently running; and
- performing the following steps if a function to create a process or a function to load a library is called:
  - examining a thread information block,
  - determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block,
  - examining the contents of a plurality of memory addresses, and
  - determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions.
Abstract
A method for detecting software exploitation broadly comprises the steps of gathering information about processes and threads executing on a computing device, monitoring instructions executed by a thread that is currently running, performing the following steps if a function to create a process or a function to load a library is called, examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, and determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions.
15 Claims
1. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes and threads executing on a computing device;
- monitoring instructions executed by a thread that is currently running; and
- performing the following steps if a function to create a process or a function to load a library is called:
  - examining a thread information block,
  - determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block,
  - examining the contents of a plurality of memory addresses, and
  - determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions.

Dependent claims: 2, 3, 4, 5, 6.
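The two checks claim 1 performs at the moment a monitored function is called, written out as an added Python simulation (this is editorial example code, not code from the patent or its assignee). The thread information block, the stack pointer and the memory window are constructed inputs; the set of bytes treated as no-operation filler, the minimum sled length and the placeholder string standing in for shell code are assumptions of the example.

```python
"""Added example: a simulation of the two checks claim 1 performs when a thread calls a
process-creation or library-load function. Nothing here touches a real TIB; the thread
state and memory window are constructed inputs."""
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Bytes treated as "no-operation" filler. The single-byte x86 NOP is 0x90; any further
# filler opcodes a deployment wanted to treat as NOPs would be added here (assumption).
NOP_BYTES = frozenset({0x90})


@dataclass(frozen=True)
class ThreadInformationBlock:
    """The two stack fields of the 32-bit Windows TIB (NT_TIB.StackBase / StackLimit).
    StackBase is the highest address of the stack, StackLimit the lowest committed one."""
    stack_base: int
    stack_limit: int


def stack_pointer_in_range(sp: int, tib: ThreadInformationBlock) -> bool:
    """Claim 1, first check: is the stack pointer inside the stack the TIB describes?
    A pointer outside it is the signature of a stack that has been pivoted elsewhere."""
    return tib.stack_limit <= sp < tib.stack_base


def nop_runs(buf: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (offset, length) for every maximal run of NOP bytes in buf."""
    i, n = 0, len(buf)
    while i < n:
        if buf[i] not in NOP_BYTES:
            i += 1
            continue
        j = i
        while j < n and buf[j] in NOP_BYTES:
            j += 1
        yield i, j - i
        i = j


def find_nop_wrapped_payload(buf: bytes, min_nops: int = 16,
                             max_payload: int = 4096) -> Optional[Tuple[int, int]]:
    """Claim 1, second check: a run of at least min_nops NOPs, then some non-NOP bytes
    (the suspected shell code), then another run of at least min_nops NOPs.
    Returns (payload_start, payload_end) for the first such pattern, else None."""
    sleds = [(off, ln) for off, ln in nop_runs(buf) if ln >= min_nops]
    for (off1, len1), (off2, _) in zip(sleds, sleds[1:]):
        payload_start, payload_end = off1 + len1, off2
        # Maximal runs never touch, so payload_end > payload_start always holds here.
        if payload_end - payload_start <= max_payload:
            return payload_start, payload_end
    return None


def check_thread_on_api_call(sp: int, tib: ThreadInformationBlock,
                             memory_window: bytes) -> dict:
    """Run both checks at the point the monitored function is called and return the
    verdicts. memory_window stands in for the 'plurality of memory addresses' the
    program examines (here: the bytes around the stack pointer)."""
    return {
        "stack_pointer_in_tib_range": stack_pointer_in_range(sp, tib),
        "nop_wrapped_payload": find_nop_wrapped_payload(memory_window),
    }


# Constructed sample input: a plausible 32-bit stack layout and a buffer in which a
# placeholder string stands in for shell code between two 32-byte NOP sleds.
SAMPLE_TIB = ThreadInformationBlock(stack_base=0x00130000, stack_limit=0x0012C000)
SAMPLE_SUSPICIOUS = b"\x90" * 32 + b"PAYLOAD-PLACEHOLDER" + b"\x90" * 32
SAMPLE_BENIGN = b"\x90" * 40 + b"\x55\x8b\xec"  # one sled, then an ordinary function prologue

if __name__ == "__main__":
    print(check_thread_on_api_call(0x0012F8A0, SAMPLE_TIB, SAMPLE_SUSPICIOUS))
    print(check_thread_on_api_call(0x0C0C0C0C, SAMPLE_TIB, SAMPLE_BENIGN))
```

The second check deliberately requires a sled on both sides of the non-NOP bytes, as the claim does; a single sled followed by ordinary code (the benign sample) produces no finding, which keeps the rule from firing on legitimate padding between functions.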
7. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes and threads executing on a computing device;
- monitoring instructions executed by a thread that is currently running; and
- performing the following steps if a function to create a process or a function to load a library is called:
  - examining a plurality of items on a stack,
  - determining instructions that placed items on the stack,
  - determining whether the instructions include valid subroutine calls, and
  - determining whether the instructions are located in an address space for executable code.

Dependent claims: 8, 9, 10.
11. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes and threads executing on a computing device;
- monitoring instructions executed by a thread that is currently running; and
- performing the following steps if a function to create a process or a function to load a library is called:
  - examining a plurality of items on a stack,
  - examining a chain of exception handlers, each exception handler including a first address pointing to the next exception handler and a second address pointing to instructions for handling an exception, and
  - determining for each exception handler whether the second address is located in an address space for executable code.

Dependent claims: 12, 13.
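The stack audit of claim 7 and the exception-handler chain audit of claim 11 share the same question (does an address fall in executable memory?), so one added Python simulation covers both. It is editorial example code, not code from the patent; the region table, the bytes placed in memory and the handful of x86 call encodings it recognises are assumptions of the example, and a production implementation would use a real disassembler rather than the three-pattern table here.

```python
"""Added example: a simulation of the stack audit from claim 7 and the exception-handler
chain audit from claim 11 over a constructed 32-bit address space. It models only what
those checks need (region permissions and a few bytes of memory); it is not Windows code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Region:
    start: int
    end: int          # exclusive
    executable: bool
    name: str


class AddressSpace:
    """A process seen as a region table plus sparse little-endian memory."""

    def __init__(self, regions: List[Region]) -> None:
        self.regions = regions
        self.memory: Dict[int, int] = {}   # unset addresses read as zero

    def region_of(self, addr: int) -> Optional[Region]:
        return next((r for r in self.regions if r.start <= addr < r.end), None)

    def is_executable(self, addr: int) -> bool:
        r = self.region_of(addr)
        return r is not None and r.executable

    def write(self, addr: int, data: bytes) -> None:
        for i, b in enumerate(data):
            self.memory[addr + i] = b

    def write_u32(self, addr: int, value: int) -> None:
        self.write(addr, value.to_bytes(4, "little"))

    def read(self, addr: int, size: int) -> bytes:
        return bytes(self.memory.get(addr + i, 0) for i in range(size))

    def read_u32(self, addr: int) -> int:
        return int.from_bytes(self.read(addr, 4), "little")


# (length, predicate) pairs for the x86 call encodings decoded here; only common forms
# are included (assumption: enough to show the check, not a complete decoder).
CALL_ENCODINGS = (
    (5, lambda b: b[0] == 0xE8),                              # call rel32
    (6, lambda b: b[0] == 0xFF and b[1] == 0x15),             # call [disp32]
    (2, lambda b: b[0] == 0xFF and 0xD0 <= b[1] <= 0xD7),     # call r32
)


def preceded_by_call(space: AddressSpace, ret_addr: int) -> bool:
    """Claim 7: did a call instruction located in executable memory end exactly at
    ret_addr? That is what 'the instruction that placed the item on the stack' looks
    like for a genuine return address."""
    for length, matches in CALL_ENCODINGS:
        start = ret_addr - length
        if space.is_executable(start) and matches(space.read(start, length)):
            return True
    return False


def audit_stack(space: AddressSpace, stack_items: List[int]) -> List[Tuple[int, str]]:
    """Claim 7: every stack item that points into executable code must be preceded by a
    valid subroutine call; items pointing elsewhere are ordinary data and are skipped."""
    findings = []
    for value in stack_items:
        if space.is_executable(value) and not preceded_by_call(space, value):
            findings.append((value, "return address not preceded by a call"))
    return findings


SEH_END = 0xFFFFFFFF   # terminator of the 32-bit SEH chain


def audit_seh_chain(space: AddressSpace, head: int, max_depth: int = 64) -> List[Tuple[int, str]]:
    """Claim 11: walk the registration records (next pointer at +0, handler at +4) and
    report every handler that is not in executable memory. A loop or an overlong chain
    ends the walk, so a corrupted chain cannot hang the check."""
    findings, seen, record = [], set(), head
    while record != SEH_END and len(seen) < max_depth:
        if record in seen:
            findings.append((record, "loop in exception handler chain"))
            break
        seen.add(record)
        handler = space.read_u32(record + 4)
        if not space.is_executable(handler):
            findings.append((record, f"handler 0x{handler:08x} outside executable memory"))
        record = space.read_u32(record)
    return findings


def build_sample_space() -> AddressSpace:
    """Constructed sample: one code region, one stack region, a genuine call site and a
    two-record SEH chain whose second handler points back into the stack."""
    space = AddressSpace([
        Region(0x00401000, 0x00410000, True, "sample.exe .text"),
        Region(0x0012C000, 0x00130000, False, "thread stack"),
    ])
    space.write(0x00401000, b"\xE8\x00\x00\x00\x00")     # call rel32 ending at 0x00401005
    space.write_u32(0x0012FF00, 0x0012FFA0)              # record 1: next
    space.write_u32(0x0012FF04, 0x00401100)              # record 1: handler in code
    space.write_u32(0x0012FFA0, SEH_END)                 # record 2: end of chain
    space.write_u32(0x0012FFA4, 0x0012FF40)              # record 2: handler on the stack
    return space


if __name__ == "__main__":
    s = build_sample_space()
    print(audit_stack(s, [0x00401005, 0x0012FF80, 0x00401200]))
    print(audit_seh_chain(s, 0x0012FF00))
```

Two design points worth noting: the stack audit skips values that do not point into executable memory at all, since integers and heap or stack pointers are legitimately on the stack and claim 7 asks about return addresses specifically; and the chain walk keeps a visited set, because a chain that has been corrupted can loop and a check that hangs the thread is not a check.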
14. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes, threads, and applets executing on a computing device;
- monitoring instructions executed by processes, threads, and applets that are currently running;
- monitoring any file that is created by the applets;
- determining whether the file is being executed as an additional process; and
- determining whether the file is being loaded as a library.
15. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes, threads, and applets executing on a computing device;
- monitoring instructions executed by processes, threads, and applets that are currently running;
- utilizing a programming interface; and
- determining whether a `System.setSecurityManager(null)` call is made followed by a `ProcessBuilder.start()` call.
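Claims 14 and 15 are both sequence rules over applet activity, so one added Python example expresses them as detections over an event stream (editorial example code, not the patent's implementation). The event model, the applet identifiers, the placeholder file path and the sample events are all constructed; in a deployment the events would come from the programming interface claim 15 refers to.

```python
"""Added example: the applet-behaviour checks of claims 14 and 15 expressed as rules
over an event stream. The events are constructed; in a real deployment they would come
from JVM instrumentation or the programming interface the claim refers to."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    seq: int       # observation order
    applet: str    # applet (or thread) that produced the event
    kind: str      # "api_call", "file_create", "process_create" or "library_load"
    detail: str    # API name for api_call, file path otherwise


@dataclass(frozen=True)
class Finding:
    applet: str
    rule: str
    evidence: Tuple


def _normalise_api(name: str) -> str:
    # Tolerate spacing differences such as "start( )" versus "start()".
    return "".join(name.split())


def detect_dropped_file_execution(events: List[Event]) -> List[Finding]:
    """Claim 14: a file created by an applet is later run as a new process or loaded
    as a library. Evidence is (create_seq, use_seq, path)."""
    created: Dict[str, Tuple[str, int]] = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "file_create":
            created[ev.detail] = (ev.applet, ev.seq)
        elif ev.kind in ("process_create", "library_load") and ev.detail in created:
            applet, when = created[ev.detail]
            findings.append(Finding(applet, "dropped-file-" + ev.kind, (when, ev.seq, ev.detail)))
    return findings


def detect_securitymanager_disable_then_exec(events: List[Event]) -> List[Finding]:
    """Claim 15: System.setSecurityManager(null) followed, in the same applet, by
    ProcessBuilder.start(). Evidence is (disable_seq, start_seq)."""
    disabled: Dict[str, int] = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind != "api_call":
            continue
        api = _normalise_api(ev.detail)
        if api == "System.setSecurityManager(null)":
            disabled[ev.applet] = ev.seq
        elif api == "ProcessBuilder.start()" and ev.applet in disabled:
            findings.append(Finding(ev.applet, "securitymanager-null-then-processbuilder",
                                    (disabled[ev.applet], ev.seq)))
    return findings


# Constructed sample stream: applet-A disables the security manager and spawns a process,
# applet-B drops a file and loads it as a library, applet-C starts a process without
# first touching the security manager (expected: no finding for applet-C).
DROPPED = r"C:\Users\demo\AppData\Local\Temp\dropped.dll"   # placeholder path
SAMPLE_EVENTS = [
    Event(1, "applet-A", "api_call", "System.setSecurityManager(null)"),
    Event(2, "applet-A", "api_call", "ProcessBuilder.start( )"),
    Event(3, "applet-B", "file_create", DROPPED),
    Event(4, "applet-B", "library_load", DROPPED),
    Event(5, "applet-C", "api_call", "ProcessBuilder.start()"),
]


def run_all(events: List[Event] = SAMPLE_EVENTS) -> List[Finding]:
    return detect_dropped_file_execution(events) + detect_securitymanager_disable_then_exec(events)


if __name__ == "__main__":
    for f in run_all():
        print(f)
```

Both rules key their state on the applet that produced the earlier event, so a process started by one applet is not attributed to a security-manager change made by another; that scoping is what keeps the claim 15 rule from firing on every ordinary `ProcessBuilder.start()` in the JVM.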
Specification