System and method for intercepting process creation events

  • US 8,127,316 B1
  • Filed: 11/29/2007
  • Issued: 02/28/2012
  • Est. Priority Date: 11/30/2006
  • Status: Expired due to Fees
First Claim

1. A computer-implemented method of detecting creation of processes, the method comprising:

  • injecting an interceptor module into a native operating system process responsible for process creation;

  • said injecting comprising replacing, with the interceptor module, an address of a selected routine in an address table with an address to an interceptor routine of the interceptor module such that the native operating system process is configured to call the interceptor routine in place of the selected routine, wherein the address table is an import table of a software library configured to be linked into the native operating system process;

  • detecting, with the interceptor routine, creation of a new process by the native operating system process;

  • in response to said detecting creation of the new process, obtaining at least one parameter from the native operating system process using the interceptor routine, wherein the at least one parameter comprises a name of the new process;

  • analyzing the at least one parameter to determine whether the name of the new process corresponds to a program that is to be controlled based on a user-defined policy; and

  • controlling the new process in response to determining that the new process is to be controlled based on the user-defined policy, wherein said controlling comprises:

    saving the at least one parameter, causing the new process to terminate to thereby prevent the new process from executing, and automatically creating, with a system account, a third process having the at least one parameter, thereby enabling the system account to receive full access rights to the third process instead of a user who started the new process having the full access rights, thereby preventing the user from being able to create a malicious child thread from the third process.
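The mechanism claim 1 describes, shown as an added illustration that is not part of the patent or of any product: a portable C simulation in which the "native process" resolves its process-creation routine through an import table of function pointers, and the interceptor module swaps that table entry for its own routine. The interceptor reads the new process's name, applies a user-defined policy, saves the parameter and, for controlled programs, never calls the original routine but hands the parameter to a stand-in for the system-account re-creation. The table, the symbol name `CreateProcess`, the policy list, the command lines and the return codes are all constructed for the example; no real operating system structure is touched.

```c
/* Simulation of an import-table hook on a process-creation routine.
 * Everything below is constructed for illustration: the "import table" is a
 * plain array of function pointers, not a real PE import address table. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef void (*generic_fn)(void);                       /* opaque table slot */
typedef int (*create_process_fn)(const char *cmdline);  /* selected routine */

struct import_entry { const char *symbol; generic_fn address; };

enum spawn_result { SPAWN_RAN = 0, SPAWN_CONTROLLED = 1, SPAWN_ERROR = -1 };

/* The routine the native process normally imports. */
static int real_create_process(const char *cmdline) {
    printf("[native] created: %s\n", cmdline);
    return SPAWN_RAN;
}

/* Simulated import table of the library linked into the native process. */
static struct import_entry import_table[] = {
    { "CreateProcess", (generic_fn)real_create_process },
    { NULL, NULL },
};

/* The native process always calls through the table, as it would through an IAT. */
int native_process_spawn(const char *cmdline) {
    for (struct import_entry *e = import_table; e->symbol; e++)
        if (strcmp(e->symbol, "CreateProcess") == 0)
            return ((create_process_fn)e->address)(cmdline);
    return SPAWN_ERROR;
}

/* ---- interceptor module ---- */
static const char *controlled_programs[] = { "cmd.exe", "regedit.exe", NULL }; /* constructed policy */
static create_process_fn original_create_process = NULL;  /* saved table entry */
static char saved_parameter[256];

/* Program name = basename of the first command-line token. */
static const char *program_name(const char *cmdline) {
    static char buf[256];
    size_t n = strcspn(cmdline, " ");
    if (n >= sizeof buf) n = sizeof buf - 1;
    memcpy(buf, cmdline, n);
    buf[n] = '\0';
    const char *base = buf;
    for (const char *p = buf; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    return base;
}

bool policy_controls(const char *cmdline) {
    const char *name = program_name(cmdline);
    for (const char **p = controlled_programs; *p; p++)
        if (strcmp(*p, name) == 0) return true;
    return false;
}

/* Stand-in for re-creating the process under the system account. */
static int system_account_create(const char *cmdline) {
    printf("[interceptor] re-created under system account: %s\n", cmdline);
    return SPAWN_CONTROLLED;
}

/* Interceptor routine installed in place of the selected routine. */
static int interceptor_create_process(const char *cmdline) {
    if (!policy_controls(cmdline))
        return original_create_process(cmdline);   /* not controlled: pass through */
    strncpy(saved_parameter, cmdline, sizeof saved_parameter - 1);
    saved_parameter[sizeof saved_parameter - 1] = '\0';
    /* The user's process never runs: the original routine is not called. */
    return system_account_create(saved_parameter);
}

/* Overwrite the table slot for `symbol`, returning the previous address. */
static bool patch_import(const char *symbol, generic_fn replacement, generic_fn *saved) {
    for (struct import_entry *e = import_table; e->symbol; e++) {
        if (strcmp(e->symbol, symbol) == 0) {
            *saved = e->address;
            e->address = replacement;
            return true;
        }
    }
    return false;
}

bool install_interceptor(void) {
    generic_fn saved;
    if (original_create_process) return true;       /* already installed */
    if (!patch_import("CreateProcess", (generic_fn)interceptor_create_process, &saved))
        return false;
    original_create_process = (create_process_fn)saved;
    return true;
}

bool remove_interceptor(void) {
    generic_fn unused;
    if (!original_create_process) return false;
    if (!patch_import("CreateProcess", (generic_fn)original_create_process, &unused))
        return false;
    original_create_process = NULL;
    return true;
}

const char *last_saved_parameter(void) { return saved_parameter; }

int main(void) {
    native_process_spawn("C:\\Windows\\System32\\cmd.exe /c dir");  /* not yet hooked: runs */
    install_interceptor();
    native_process_spawn("notepad.exe readme.txt");                /* passes through */
    native_process_spawn("C:\\Windows\\System32\\cmd.exe /c dir");  /* controlled */
    remove_interceptor();
    return 0;
}
```

Saving the original slot address is what lets the hook chain to the real routine and be removed cleanly; it is also the property a defender inspecting a real import table looks for, since a slot whose target lies outside the module that is supposed to export that symbol is the visible sign that an entry has been replaced.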
