System and method for intercepting process creation events
First Claim
1. A computer-implemented method of detecting creation of processes, the method comprising:
- injecting an interceptor module into a native operating system process responsible for process creation; said injecting comprising replacing, with the interceptor module, an address of a selected routine in an address table with an address to an interceptor routine of the interceptor module such that the native operating system process is configured to call the interceptor routine in place of the selected routine, wherein the address table is an import table of a software library configured to be linked into the native operating system process;
- detecting, with the interceptor routine, creation of a new process by the native operating system process;
- in response to said detecting creation of the new process, obtaining at least one parameter from the native operating system process using the interceptor routine, wherein the at least one parameter comprises a name of the new process;
- analyzing the at least one parameter to determine whether the name of the new process corresponds to a program that is to be controlled based on a user-defined policy; and
- controlling the new process in response to determining that the new process is to be controlled based on the user-defined policy, wherein said controlling comprises:
  - saving the at least one parameter,
  - causing the new process to terminate to thereby prevent the new process from executing, and
  - automatically creating, with a system account, a third process having the at least one parameter, thereby enabling the system account to receive full access rights to the third process instead of a user who started the new process having the full access rights, thereby preventing the user from being able to create a malicious child thread from the third process.
Abstract
A system for detecting creation of a program instance includes an interceptor routine that obtains a parameter corresponding to a characteristic of a program instance and an interceptor module that can be injected into a native operating system process. In certain examples, the interceptor module can replace an address of a selected routine in an address table with an address to the interceptor routine, such that the native operating system process can call the interceptor routine in place of the selected routine. Additionally, the system can include a comparison module that compares the parameter to a set of identified programs to determine whether the program instance corresponds to at least one of the identified programs. The system can also include a security module that can modify execution of the program instance based at least in part on a determination that the program instance corresponds to at least one identified program.
27 Claims
14. A system for detecting creation of a program instance, the system comprising:
- a computer hardware within a computer system, the computer system configured to implement:
  - an interceptor module configured to be injected into a native operating system process responsible for creating program instances, the interceptor module further configured to replace an address of a selected routine in an address table with an address of an interceptor routine, such that the native operating system process calls the interceptor routine in place of the selected routine during creation of the program instance, the interceptor routine configured to detect creation of a program instance and to obtain a name of the program instance in response to detecting creation of the program instance;
  - a comparison module configured to compare the name of the program instance to a set of identified programs to determine whether the program instance corresponds to at least one of the identified programs; and
  - a security module configured to modify execution of the program instance based at least in part on a determination that the program instance corresponds to at least one of the identified programs, wherein the security module is configured to:
    - save the name of the program instance,
    - halt execution of the program instance, and
    - automatically create, with a system account, a new program instance having the name of the program instance, thereby enabling the system account to receive full access rights to the new program instance instead of a user who started the program instance having the full access rights, thereby preventing the user from being able to create a malicious child thread from the new program instance;
- wherein the interceptor module, the comparison module, and the security module are implemented by the computer system comprising computer hardware.

Dependent claims: 15 to 23.
24. Non-transitory physical computer storage comprising computer-executable instructions stored thereon that, when executed by one or more processors, are configured to implement components for detecting creation of a program instance, the components comprising:
- an interceptor module configured to be injected into a native operating system process responsible for creating program instances, the interceptor module further configured to replace an address of a selected routine in an address table with an address of an interceptor routine, such that the native operating system process calls the interceptor routine in place of the selected routine during creation of the program instance, the interceptor routine configured to detect creation of a program instance and to obtain a name of the program instance in response to detecting creation of the program instance;
- a comparison module configured to compare the name of the program instance to a set of identified programs to determine whether the program instance corresponds to at least one of the identified programs; and
- a security module configured to modify execution of the program instance based at least in part on a determination that the program instance corresponds to at least one of the identified programs, wherein the security module is configured to:
  - save the name of the program instance,
  - halt execution of the program instance, and
  - automatically create, with a system account, a new program instance having the name of the program instance, thereby enabling the system account to receive full access rights to the new program instance instead of a user who started the program instance having the full access rights, thereby preventing the user from being able to create a malicious child thread from the new program instance.

Dependent claims: 25 to 27.
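The interceptor, comparison and security modules claimed above, as an added C illustration that is not the patent's own code: the host process's import table is modelled as a single function-pointer slot, the policy names are hypothetical, and the relaunch under a system account is reduced to the interceptor's return value.

```c
#include <stdio.h>
#include <string.h>

/* The host's import table is modelled as a function-pointer slot: the host
 * always dispatches through the slot, so rewriting it redirects the call to
 * the interceptor without changing the caller. (Constructed illustration.) */
typedef int (*create_fn)(const char *name);

static int original_create(const char *name) {
    printf("selected routine: creating %s\n", name);
    return 1;                               /* 1 = instance allowed to run */
}

static create_fn import_table[1] = { original_create };

/* Hypothetical user-defined policy: program names that are to be controlled. */
static const char *policy[] = { "regedit.exe", "cmd.exe" };

/* Security-module state: the saved parameter and how many were controlled. */
static char saved_name[64];
static int  controlled_count;

/* Comparison module: does the obtained name match an identified program? */
static int is_controlled(const char *name) {
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(name, policy[i]) == 0) return 1;
    return 0;
}

/* Interceptor routine: called in place of the selected routine. */
static int interceptor_create(const char *name) {
    if (is_controlled(name)) {
        strncpy(saved_name, name, sizeof saved_name - 1);  /* save parameter */
        saved_name[sizeof saved_name - 1] = '\0';
        controlled_count++;
        return 0;   /* 0 = user-started instance terminated; the relaunch under
                       a system account is not modelled here */
    }
    return original_create(name);           /* otherwise pass straight through */
}

/* Interceptor module: install or remove the hook by rewriting the slot. */
static void install_hook(void) { import_table[0] = interceptor_create; }
static void remove_hook(void)  { import_table[0] = original_create; }

/* Host call site: its code never changes; dispatch follows the table. */
static int host_create_process(const char *name) { return import_table[0](name); }
```

Because the host only ever calls through the slot, a defender auditing such a hook can detect it by comparing the slot's current value against the routine's expected export address.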