Detecting and preventing malcode execution
Abstract
A system for detecting and halting execution of malicious code includes a kernel-based system call interposition mechanism and a libc function interception mechanism. The kernel-based system call interposition mechanism detects a system call request from an application, determines a memory region from which the system call request emanates, and halts execution of the code responsible for the call request if the memory region from which the system call request emanates is a data memory region. The libc function interception mechanism maintains an alternative wrapper function for each of the relevant standard libc routines, intercepts a call from an application to one or more libc routines and redirects the call into the corresponding alternative wrapper function.
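The return-address check described in the abstract, as an added example in C (not the patent's implementation): a libc-style wrapper reads the calling process's memory map, rejects a return address that lies in a writable (data) region, and, on x86, checks that the bytes before it encode a CALL. It assumes Linux (/proc/self/maps), a GCC/Clang compiler for __builtin_return_address, and x86 for the opcode step; the function and enum names are my own.

```c
/* Added example, not the patent's code: a libc-style wrapper verifies that its
 * caller's return address lies in a write-protected mapping and follows a CALL
 * before the request would be forwarded. Linux (/proc/self/maps); x86 opcodes. */
#include <stdio.h>
#include <stdint.h>

enum verdict { CALLER_VERIFIED = 0, REJECTED_DATA_REGION, REJECTED_NO_CALL };

/* 1 if addr lies in a mapping without 'w'; 0 if writable, unmapped, or the
 * map cannot be read (fail closed). */
static int in_write_protected_region(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return 0;
    unsigned long a = (unsigned long)(uintptr_t)addr, lo, hi;
    char perms[8], line[512];
    int ro = 0;
    while (fgets(line, sizeof line, maps)) {
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3) continue;
        if (a >= lo && a < hi) { ro = (perms[1] != 'w'); break; }
    }
    fclose(maps);
    return ro;
}
/* Plausibility check: do the bytes before ret encode an x86 CALL
 * (E8 rel32, or an FF /2 indirect form of 2, 3 or 6 bytes)? */
static int preceded_by_call(const void *ret)
{
#if defined(__x86_64__) || defined(__i386__)
    const uint8_t *p = ret;
    if (p[-5] == 0xE8) return 1;
    if (p[-2] == 0xFF && (p[-1] & 0x38) == 0x10) return 1;
    if (p[-3] == 0xFF && (p[-2] & 0x38) == 0x10) return 1;
    return p[-6] == 0xFF && (p[-5] & 0x38) == 0x10;
#else
    (void)ret; return 1; /* no decoder for this ISA; region check decides */
#endif
}
static enum verdict verify_caller(const void *ret)
{
    if (!in_write_protected_region(ret)) return REJECTED_DATA_REGION;
    return preceded_by_call(ret) ? CALLER_VERIFIED : REJECTED_NO_CALL;
}
/* Wrapper body: vet the call site, then (not shown) forward to the real routine. */
__attribute__((noinline)) static enum verdict guarded_call(void)
{
    return verify_caller(__builtin_return_address(0));
}
static int data_word = 1; /* a writable (.data) address, for the negative case */
```

A real deployment would install guarded_call-style wrappers in front of the relevant libc routines (for example via symbol interposition) and walk every intermediate frame, as the abstract describes, rather than only the immediate caller.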
Claims (16 in total; the two independent claims are shown below)

1. A monitoring system for detecting and halting execution of malicious code, the system comprising:
- a processor that includes a kernel-based system call interposition mechanism and a standard library function interception mechanism, wherein the processor:
- creates an alternative wrapper function that corresponds to one of a plurality of library functions in program code of an application, wherein the alternative wrapper function is interposed between the application and the plurality of library functions;
- uses the alternative wrapper function to intercept a system call request from the application to a library function, verify whether return addresses associated with one or more intermediate functions associated with the system call request are located in write protected memory regions and verify a preceding instruction in the write protected memory region, and transmit a verification indication to an operating system kernel executing the system call request; and
- uses the operating system kernel to execute the system call request based at least in part on the verification indication.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method, implemented on a processor, of detecting and halting execution of malicious code, the method comprising:
- receiving system call invocations and invocations of C standard library functions at the processor;
- creating an alternative wrapper function that corresponds to one of a plurality of library functions in program code of an application, wherein the alternative wrapper function is interposed between the application and the plurality of library functions;
- using the alternative wrapper function to intercept a system call request from the application to a library function, verify whether return addresses associated with one or more intermediate functions associated with the system call request are located in write protected memory regions and verify a preceding instruction in the write protected memory region, and transmit a verification indication to an operating system kernel executing the system call request; and
- using the operating system kernel to execute the system call request based at least in part on the verification indication.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.