Kernel mode overflow attack prevention system and method
First Claim
1. A method comprising:
hooking a critical operating system function;
stalling a call to the critical operating system function originating from a call module;
determining a location of the call module in a kernel address space of a memory;
determining whether the location is in a driver area of the kernel address space of the memory;
determining that said call module is not in said driver area during said determining;
taking protective action to protect a computer system;
providing a notification that said protective action has been taken, wherein the call module is malicious code that has been injected into a kernel stack/heap through a malicious kernel mode buffer overflow attack.
Abstract
A method includes hooking a critical operating system function, stalling a call to the critical operating system function originating from a call module, determining a location of the call module in a kernel address space of a memory, and determining whether the location is in a driver area of the kernel address space. Upon a determination that the call module is not in the driver area, the method further includes taking protective action to protect a host computer system. In this event, it is highly likely that the call module is malicious code that has been injected into the kernel stack/heap through a malicious kernel mode buffer overflow attack. By taking protective action, exploitation, damage or destruction of the host computer system is prevented.
16 Claims
1. A method comprising:
hooking a critical operating system function; stalling a call to the critical operating system function originating from a call module; determining a location of the call module in a kernel address space of a memory; determining whether the location is in a driver area of the kernel address space of the memory; determining that said call module is not in said driver area during said determining; taking protective action to protect a computer system; providing a notification that said protective action has been taken, wherein the call module is malicious code that has been injected into a kernel stack/heap through a malicious kernel mode buffer overflow attack.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
14. A method comprising:
hooking driver load and unload functions; obtaining loaded driver information; determining a driver area in a kernel address space of a memory; determining whether a driver has been loaded into or unloaded from said kernel address space, wherein upon a determination that said driver has been loaded into or unloaded from said kernel address space, updating said driver area; stalling a call to a critical operating system function originating from a call module; determining whether said call module is in said driver area; determining that said call module is in said driver area; and allowing said call to proceed.
Dependent claims: 15.
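The following C program is an added illustration, not code from the patent or from any product that implements it. It models in user space the mechanism the abstract and claim 14 describe: the driver load and unload hooks keep a table of loaded driver image ranges (the "driver area"), and a stalled call to a critical operating system function is allowed only when the calling module's address falls inside one of those ranges; otherwise the call is treated as coming from injected code on the kernel stack or heap, blocked, and reported. The driver names, addresses, and the function name are constructed sample values; the table size, the exclusive upper bound on each range, and the handling of a stale range after unload are design choices of this example, not details the patent states.

```c
/* Model of the driver-area check from the abstract and claim 14.
 * Added example; all values below are constructed, not from the patent. */
#include <inttypes.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_DRIVERS 16

typedef struct {
    const char *name;
    uint64_t base;   /* image base address in kernel address space */
    uint64_t size;   /* image size; the range is [base, base + size) */
} driver_range_t;

typedef struct {
    driver_range_t ranges[MAX_DRIVERS];
    int count;
} driver_area_t;

enum verdict { CALL_ALLOWED = 0, CALL_BLOCKED = 1 };

/* Driver-load hook: record the image range so callers inside it are trusted. */
int on_driver_load(driver_area_t *area, const char *name, uint64_t base, uint64_t size) {
    if (area->count >= MAX_DRIVERS || size == 0) return -1;
    area->ranges[area->count++] = (driver_range_t){ name, base, size };
    return 0;
}

/* Driver-unload hook: drop the range; code at those addresses is no longer trusted. */
int on_driver_unload(driver_area_t *area, uint64_t base) {
    for (int i = 0; i < area->count; i++) {
        if (area->ranges[i].base == base) {
            area->ranges[i] = area->ranges[--area->count]; /* swap-remove */
            return 0;
        }
    }
    return -1;
}

/* Return the loaded driver whose image contains addr, or NULL. Upper bound exclusive. */
const driver_range_t *find_driver(const driver_area_t *area, uint64_t addr) {
    for (int i = 0; i < area->count; i++) {
        const driver_range_t *r = &area->ranges[i];
        if (addr >= r->base && addr - r->base < r->size) return r;
    }
    return NULL;
}

/* Decision for a stalled call: caller_addr is where the call module lives.
 * Inside a driver image: allow. Anywhere else (stack, pool, freed image): block and notify. */
enum verdict check_stalled_call(const driver_area_t *area, uint64_t caller_addr, const char *func_name) {
    if (find_driver(area, caller_addr) != NULL) return CALL_ALLOWED;
    /* Protective action and notification: this model only reports; a real product would
     * fail the call or halt the system before the hooked function runs. */
    printf("BLOCKED: call to %s from 0x%" PRIx64 " originates outside every loaded driver image\n",
           func_name, caller_addr);
    return CALL_BLOCKED;
}

/* Runs a constructed scenario; bit i of the result is set when call i was blocked. */
int demo_scenario(void) {
    driver_area_t area = { .count = 0 };
    int blocked_mask = 0;

    on_driver_load(&area, "example_net.sys",  0xFFFFF80001000000ULL, 0x20000); /* constructed */
    on_driver_load(&area, "example_disk.sys", 0xFFFFF80001400000ULL, 0x8000);  /* constructed */

    /* call 0: caller inside example_net.sys -> allowed */
    blocked_mask |= (check_stalled_call(&area, 0xFFFFF80001001234ULL, "critical_os_function") == CALL_BLOCKED) << 0;
    /* call 1: caller on a kernel stack/pool address, outside every image -> blocked */
    blocked_mask |= (check_stalled_call(&area, 0xFFFFF88002345678ULL, "critical_os_function") == CALL_BLOCKED) << 1;
    /* call 2: caller exactly one past the end of example_net.sys -> blocked (bound is exclusive) */
    blocked_mask |= (check_stalled_call(&area, 0xFFFFF80001020000ULL, "critical_os_function") == CALL_BLOCKED) << 2;
    /* call 3: after unload, the same address as call 0 is no longer trusted -> blocked */
    on_driver_unload(&area, 0xFFFFF80001000000ULL);
    blocked_mask |= (check_stalled_call(&area, 0xFFFFF80001001234ULL, "critical_os_function") == CALL_BLOCKED) << 3;

    return blocked_mask; /* 0b1110 = 14 */
}

int main(void) {
    int mask = demo_scenario();
    printf("blocked mask = %d\n", mask);
    return 0;
}
```

The unload step matters because a range left in the table after its driver is gone would let a later allocation at the same addresses pass the check; keeping the table current is exactly what the load and unload hooks in claim 14 provide.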
16. A computer-program product comprising a tangible computer readable storage medium containing computer code comprising:
a malicious code blocking application for hooking a critical operating system function; said malicious code blocking application for stalling a call to the critical operating system function originating from a call module; said malicious code blocking application for determining a location of the call module in a kernel address space of a memory; said malicious code blocking application further for determining whether the location is in a driver area of the kernel address space of the memory; said malicious code blocking application for determining that said call module is not in said driver area during said determining; said malicious code blocking application for taking protective action to protect a computer system; said malicious code blocking application for providing a notification that said protective action has been taken; wherein the call module is malicious code that has been injected into a kernel stack/heap through a malicious kernel mode buffer overflow attack.