User-Mode Component Injection Techniques
First Claim
1. A system comprising:
a processor;
memory coupled to the processor;
a kernel-mode component configured to be operated by the processor to receive notification of loading of a user-mode process by the system, to build an asynchronous procedure call (APC) to be executed by a main thread of the user-mode process, and to queue the APC to the main thread of the user-mode process; and
a user-mode component associated with the kernel-mode component and configured to be operated by the processor to identify slack space in the user-mode process, to store instructions for invoking the user-mode component in the slack space, and to hook a function of the user-mode process, wherein the APC includes:
a kernel routine which calls instructions for allocating memory and for storing, in the allocated memory, instructions for loading the user-mode component, and
a user routine which calls the instructions for loading the user-mode component,
wherein the user-mode component, when loaded responsive to the user routine, hooks the function by modifying a single instruction or set of machine-sized instructions associated with the function to call the instructions stored in the slack space, and
wherein the single instruction or set of machine-sized instructions of the function, when executed, performs the call, which results in invoking the user-mode component to receive data associated with the function and to provide that data to the kernel-mode component.
Abstract
Techniques are described herein for loading a user-mode component of a security agent based on an asynchronous procedure call (APC) built by a kernel-mode component of the security agent. The APC is executed while a process loads, causing the process to load the user-mode component. The user-mode component then identifies slack space of the process, stores instructions in the slack space, and hooks function(s) of the process, including modifying instruction(s) of the function(s) to call the instructions stored in the slack space. When those modified instruction(s) call the stored instructions, the stored instructions invoke the user-mode component, which receives data from the hooked function(s). Also, the security agent may bypass a control-flow protection mechanism of the operating system by setting a pointer of the control-flow protection mechanism to point to an alternate verification function.
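As an added example (not code from the patent or its assignee), here is a small detection-side check for the hooking pattern the abstract describes: it decodes a single rel32 call or jmp at a function entry and flags it only when the target lands in section padding, the slack space between a section's used bytes and its aligned end. The Section model, byte strings and addresses are constructed for the example; a real scanner would read section headers and entry bytes from the process.

```python
import struct
from dataclasses import dataclass

@dataclass
class Section:
    name: str
    rva: int            # section start, relative to the image base
    virtual_size: int   # bytes the section actually uses
    raw_size: int       # aligned size; bytes past virtual_size are padding (slack)

def slack_ranges(sections):
    """Simplified model (assumption): slack = [rva + virtual_size, rva + raw_size)."""
    return [(s.rva + s.virtual_size, s.rva + s.raw_size)
            for s in sections if s.raw_size > s.virtual_size]

def decode_rel32_transfer(func_rva, code):
    """Decode a 5-byte E8 (call rel32) or E9 (jmp rel32) at a function entry.
    Returns (mnemonic, target_rva), or None if the entry is something else."""
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        return None
    rel = struct.unpack_from("<i", code, 1)[0]            # signed displacement
    return ("call" if code[0] == 0xE8 else "jmp", func_rva + 5 + rel)

def check_entry(func_rva, code, sections):
    """'clean': no rel32 transfer at entry; 'transfer': target is inside a section
    body (hot-patch stubs, thunks and tail calls look like this and are normal);
    'slack-hook': target lies in section padding, the pattern the abstract describes."""
    dec = decode_rel32_transfer(func_rva, code)
    if dec is None:
        return "clean", None
    target = dec[1]
    if any(lo <= target < hi for lo, hi in slack_ranges(sections)):
        return "slack-hook", target
    return "transfer", target

# Constructed layout: .text uses 0x3400 of its 0x3600 bytes, so RVAs
# 0x4400-0x45FF are padding; .rdata has no padding.
SECTIONS = [Section(".text", 0x1000, 0x3400, 0x3600),
            Section(".rdata", 0x5000, 0x800, 0x800)]
CLEAN  = b"\x48\x89\x5c\x24\x08"   # mov [rsp+8], rbx: an ordinary prologue
THUNK  = b"\xe8\xfb\x0d\x00\x00"   # call rel32 -> 0x2000, inside .text proper
HOOKED = b"\xe8\x7b\x32\x00\x00"   # call rel32 -> 0x4480, inside .text padding

if __name__ == "__main__":
    for name, rva, code in [("clean", 0x1300, CLEAN), ("thunk", 0x1200, THUNK),
                            ("hooked", 0x1200, HOOKED)]:
        verdict, target = check_entry(rva, code, SECTIONS)
        print(f"{name:7s} rva={rva:#06x} -> {verdict}"
              + (f" target={target:#06x}" if target is not None else ""))
```

Only the "slack-hook" verdict is worth alerting on; an entry-point jmp or call into a mapped section body is common in unmodified binaries.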
20 Claims
1. A system comprising:
a processor;
memory coupled to the processor;
a kernel-mode component configured to be operated by the processor to receive notification of loading of a user-mode process by the system, to build an asynchronous procedure call (APC) to be executed by a main thread of the user-mode process, and to queue the APC to the main thread of the user-mode process; and
a user-mode component associated with the kernel-mode component and configured to be operated by the processor to identify slack space in the user-mode process, to store instructions for invoking the user-mode component in the slack space, and to hook a function of the user-mode process, wherein the APC includes:
a kernel routine which calls instructions for allocating memory and for storing, in the allocated memory, instructions for loading the user-mode component, and
a user routine which calls the instructions for loading the user-mode component,
wherein the user-mode component, when loaded responsive to the user routine, hooks the function by modifying a single instruction or set of machine-sized instructions associated with the function to call the instructions stored in the slack space, and
wherein the single instruction or set of machine-sized instructions of the function, when executed, performs the call, which results in invoking the user-mode component to receive data associated with the function and to provide that data to the kernel-mode component.
Dependent claims: 2, 3.

4. A computer-implemented method comprising:
identifying one or more functions of a process to be hooked;
storing instructions at a location in slack space of the process in memory; and
hooking the one or more functions, including modifying a single instruction or a set of instructions for each function of the one or more functions to call the instructions stored at the location,
wherein the instructions, when executed responsive to a call from a function of the one or more functions, invoke a security agent to receive data associated with the function of the one or more functions.
Dependent claims: 5 through 16.

17. A non-transitory computer-readable medium having a plurality of programming instructions of a security agent stored thereon which, when executed by a computing device, cause the computing device to perform operations comprising:
receiving notification of loading of a process by an operating system of the computing device;
determining that the operating system utilizes a verification function of a control-flow protection mechanism for the process;
in response to the determining, bypassing the control-flow protection mechanism, including setting a pointer to the verification function to point to an alternate verification function; and
after execution of an asynchronous procedure call (APC) by the process, resetting the pointer to point to the verification function.
Dependent claims: 18, 19, 20.