User-Mode Component Injection Techniques

US 20170039367A1
Filed: 03/22/2016
Published: 02/09/2017
Est. Priority Date: 08/05/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor;

memory coupled to the processor;

a kernel-mode component configured to be operated by the processor to receive notification of loading of a user-mode process by the system, to build an asynchronous procedure call (APC) to be executed by a main thread of the user-mode process, and to queue the APC to the main thread of the user-mode process; and

a user-mode component associated with the kernel-mode component and configured to be operated by the processor to identify slack space in the user-mode process, to store instructions for invoking the user-mode component in the slack space, and to hook a function of the user-mode process,wherein the APC includes;

a kernel routine which calls instructions for allocating memory and for storing, in the allocated memory, instructions for loading the user-mode component, anda user routine which calls the instructions for loading the user-mode component,wherein the user-mode component, when loaded responsive to the user routine, hooks the function by modifying a single instruction or set of machine-sized instructions associated with the function to call the instructions stored in the slack space, andwherein the single instruction or set of machine-sized instructions of the function, when executed, performs the call, which results in invoking the user-mode component to receive data associated with the function and to provide that data to the kernel-mode component.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described herein for loading a user-mode component of a security agent based on an asynchronous procedure call (APC) built by a kernel-mode component of the security agent. The APC is executed while a process loads, causing the process to load the user-mode component. The user-mode component then identifies slack space of the process, stores instructions in the slack space, and hooks function(s) of the process, including modifying instruction(s) of the function(s) to call the instructions stored in the slack space. When those modified instruction(s) call the stored instructions, the stored instructions invoke the user-mode component, which receives data from the hooked function(s). Also, the security agent may bypass a control-flow protection mechanism of the operating system by setting a pointer of the control-flow protection mechanism to point to an alternate verification function.

42 Citations

View as Search Results

20 Claims

1. A system comprising:
- a processor;
  
  memory coupled to the processor;
  
  a kernel-mode component configured to be operated by the processor to receive notification of loading of a user-mode process by the system, to build an asynchronous procedure call (APC) to be executed by a main thread of the user-mode process, and to queue the APC to the main thread of the user-mode process; and
  
  a user-mode component associated with the kernel-mode component and configured to be operated by the processor to identify slack space in the user-mode process, to store instructions for invoking the user-mode component in the slack space, and to hook a function of the user-mode process,wherein the APC includes;
  
  a kernel routine which calls instructions for allocating memory and for storing, in the allocated memory, instructions for loading the user-mode component, anda user routine which calls the instructions for loading the user-mode component,wherein the user-mode component, when loaded responsive to the user routine, hooks the function by modifying a single instruction or set of machine-sized instructions associated with the function to call the instructions stored in the slack space, andwherein the single instruction or set of machine-sized instructions of the function, when executed, performs the call, which results in invoking the user-mode component to receive data associated with the function and to provide that data to the kernel-mode component.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the function is associated with one of a user-mode memory allocation, setting a thread context in user-mode, or any system call which cannot be hooked from kernel-mode.
  - 3. The system of claim 1, wherein the function is a function of a 32-bit system library component of the process on 32-bit devices, or a 64-bit system library component of the process on 64-bit devices.

4. A computer-implemented method comprising:
- identifying one or more functions of a process to be hooked;
  
  storing instructions at a location in slack space of the process in memory; and
  
  hooking the one or more functions, including modifying a single instruction or a set of instructions for each function of the one or more functions to call the instructions stored at the location,wherein the instructions, when executed responsive to a call from a function of the one or more functions, invoke a security agent to receive data associated with the function of the one or more functions.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 5. The computer-implemented method of claim 4, further comprising receiving notification of loading of the process and performing the identifying, the storing, and the hooking responsive to the notification.
  - 6. The computer-implemented method of claim 5, further comprising, responsive to receiving the notification, identifying available slack space of the process, including the location in the slack space.
  - 7. The computer-implemented method of claim 5, further comprising, responsive to receiving the notification, bypassing a control-flow protection mechanism, including setting a pointer to a verification function of the control-flow protection mechanism to point to an alternate verification function.
  - 8. The computer-implemented method of claim 4, wherein the identifying, the storing, and the hooking are performed by a user-mode component of the security agent.
  - 9. The computer-implemented method of claim 8, wherein invoking the security agent comprises invoking the user-mode component and the user-mode component provides the received data associated with the function of the one or more functions to a kernel-mode component of the security agent.
  - 10. The computer-implemented method of claim 9, further comprising restoring, by the user-mode component, original instructions upon unloading.
  - 11. The computer-implemented method of claim 9, wherein the kernel-mode component builds an asynchronous procedure call (APC), the APC including:
    - a kernel routine which calls instructions for allocating memory for and for storing, in the allocated memory, instructions for loading the user-mode component; and
      
      a user routine which calls the instructions for loading the user-mode component to perform the identifying, the storing, and the hooking.
  - 12. The computer-implemented method of claim 4, wherein the single instruction or set of instructions for each function of the one or more functions are eight bytes and the hooking comprises atomically hooking the one or more functions.
  - 13. The computer-implemented method of claim 4, wherein the instructions stored at the location are a trampoline that invokes the security agent.
  - 14. The computer-implemented method of claim 13, wherein the one or more functions comprise multiple functions, the multiple functions all, when hooked, calling the same trampoline.
  - 15. The computer-implemented method of claim 4, wherein invoking the security agent to receive the data comprises invoking a redirect function of the security agent that redirects to a hooking function of the security agent which corresponds to the function of the one or more functions.
  - 16. The computer-implemented method of claim 15, wherein the redirect function redirects based on return address in a call stack, the return address being associated with the function of the one or more functions.

17. A non-transitory computer-readable medium having a plurality of programming instructions of a security agent stored thereon which, when executed by a computing device, cause the computing device to perform operations comprising:
- receiving notification of loading of a process by an operating system of the computing device;
  
  determining that the operating system utilizes a verification function of a control-flow protection mechanism for the process;
  
  in response to the determining, bypassing the control-flow protection mechanism, including setting a pointer to the verification function to point to an alternate verification function; and
  
  after execution of an asynchronous procedure call (APC) by the process, resetting the pointer to point to the verification function.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein both the verification function and the alternate verification function are functions of the control-flow protection mechanism and the control-flow protection mechanism utilizes the verification function for processes compiled with one or more types of compilers and the alternate verification function for processes not compiled with the one or more types of compilers.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the alternate verification function is a function of the security agent.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the alternate verification function returns an indication that a call to instructions associated with the APC is permitted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Ionescu, Ion-Alexandru, Robinson, Loren C.

Granted Patent

US 10,331,881 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/55 Detecting local intrusion o...

User-Mode Component Injection Techniques

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

User-Mode Component Injection Techniques

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links