Performing security functions when a process is created

US 8,201,253 B1
Filed: 07/15/2005
Issued: 06/12/2012
Est. Priority Date: 07/15/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method in a computing device of performing a security related function, the method comprising:

providing security code that performs a security related function;

providing a plurality of software components that include code, each software component for executing within a process;

setting a configuration to cause the security code to execute within a first process before a first software component executes within the first process;

creating by an operating system executing in kernel mode the first process for executing the first software component of the plurality of software components, the operating system storing an indication of existence of the first process;

after the first process is created for executing the first software component of the plurality of software components,executing by the computing device the provided security code within the first process before the code of the first software component is executed in accordance with the set configuration so the security related function can be performed before the code of the first software component is executed within the first process, the security related function to support detecting whether the first software component contains malware, wherein the security code records an identifier of the first software component of the first process and performs an action so that the operating system maintains certain information relating to the action only while the first process exists; and

after executing the provided security code within the first process, starting execution of the first software component within the first process;

after executing the provided security code, executing code of a security system outside of the first process and the operating system, thatrequests the operating system for a report of existing processes;

determines whether the first process is in the report of existing processes; and

upon determining that the first process is not in the report of existing processes,determines whether the certain information is still maintained by the operating system, the certain information relating to the action performed by the security code within the first process before the code of the first software component was executed; and

upon determining that the certain information is still maintained by the operating system, indicating that the first software component contains malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system in a computing device for performing security related functions as part of a process created to execute a software component that may be unrelated to security is provided. The security system provides security code that performs one or more security related functions. When a process is created to execute the code of a software component, the security system causes the security code to be executed before the execution of the code of the software component. One security related function of the security code may be to cause the operating system to maintain information about the process as long as the process exists. If the operating system later reports that the process no longer exists but the information is still being maintained, then the security system can assume that malware is attempting to hide the process.

Citations

17 Claims

1. A method in a computing device of performing a security related function, the method comprising:
- providing security code that performs a security related function;
  
  providing a plurality of software components that include code, each software component for executing within a process;
  
  setting a configuration to cause the security code to execute within a first process before a first software component executes within the first process;
  
  creating by an operating system executing in kernel mode the first process for executing the first software component of the plurality of software components, the operating system storing an indication of existence of the first process;
  
  after the first process is created for executing the first software component of the plurality of software components,executing by the computing device the provided security code within the first process before the code of the first software component is executed in accordance with the set configuration so the security related function can be performed before the code of the first software component is executed within the first process, the security related function to support detecting whether the first software component contains malware, wherein the security code records an identifier of the first software component of the first process and performs an action so that the operating system maintains certain information relating to the action only while the first process exists; and
  
  after executing the provided security code within the first process, starting execution of the first software component within the first process;
  
  after executing the provided security code, executing code of a security system outside of the first process and the operating system, thatrequests the operating system for a report of existing processes;
  
  determines whether the first process is in the report of existing processes; and
  
  upon determining that the first process is not in the report of existing processes,determines whether the certain information is still maintained by the operating system, the certain information relating to the action performed by the security code within the first process before the code of the first software component was executed; and
  
  upon determining that the certain information is still maintained by the operating system, indicating that the first software component contains malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the certain information is a handle to a resource.
  - 3. The method of claim 2 wherein the resource is a file.
  - 4. The method of claim 1 wherein the security code is in a dynamic link library and the set configuration indicates to load and execute that dynamic link library before any code of the first software component.
  - 5. The method of claim 1 wherein the security system terminates the first process when it is determined that the first software component contains malware.
  - 6. The method of claim 1 wherein the security code checks whether certain security related components of the computing device are in a correct state.
  - 7. The method of claim 6 wherein one of the security related components is anti-virus software.
  - 8. The method of claim 6 wherein one of the security related components enforces a security policy.
  - 9. The method of claim 1 wherein the security code that executes within the first process additionally analyzes code of the first software component to determine whether the first software component is malware and terminates the first process upon determining that the first software component is malware.
  - 10. The method of claim 9 wherein the security code generates a hash code of the code of the software component and determines that the software component is malware when the generated hash code matches the hash code of known malware.
  - 11. The method of claim 9 wherein the security code determines that the software component is malware when the file name of the software component matches the file name of known malware.

12. A computer-readable memory device configured to control a computing device to detect whether a process managed by an operating system is hidden, by a method comprising:
- setting a configuration to cause security code to execute within the process before a software component executes within the process;
  
  after the process is created for execution of the software component within the process and before executing code of the software component within the process as indicated by the set configuration, executing code within the process that performs an action that causes the operating system of the computing device to maintain certain information while the process exists;
  
  after executing the code within the process that causes the operating system to maintain certain information while the process exists, starting execution of the software component within the process; and
  
  after starting execution of the software component within the process, executing a security system outside of the process and the operating system, the security system for;
  
  requesting the operating system for a list of existing processes;
  
  determining whether the process is within the list of existing processes; and
  
  after determining that the process is not within the list of existing processes,determining whether the certain information is still maintained by the operating system, the certain information maintained by the operating system as a result of the action performed by the code executing within the process before executing the code of the software component within the process; and
  
  upon determining that the certain information is still maintained by the operating system, indicating that the process is hidden.
- View Dependent Claims (13, 14, 15)
- - 13. The computer-readable memory device of claim 12 wherein the certain information is a handle to a resource.
  - 14. The computer-readable memory device of claim 13 wherein the resource is a file.
  - 15. The computer-readable memory device of claim 12 wherein the computing device contains malware that causes the operating system to report that the process no longer exists when the process does exist.

16. A computing device configured to perform a security related function for the computing device, comprising:
- a memory storing computer-executable instructions of;
  
  software components;
  
  a component that sets a configuration to cause security code to execute within a process before a software component executes within the process;
  
  a component that, after the process is created by an operating system for executing the software component, automatically executes security code within the process before executing code of the software component as indicated by the set configuration wherein the security code performs the security related function so that the operating system maintains information relating to the process while the process exists for detecting whether the software component contains malware; and
  
  a component of a security system that executes outside of the process and the operating system to determine whether the information, that is maintained by the operating system as a result of the security code performing the security related function within the process before executing code of the software component within the process, is still maintained by the operating system but the operating system reports that the process does not exist and upon such a determination, reporting the software component contains malware; and
  
  a processor for executing the computer-executable instructions stored in the memory.
- View Dependent Claims (17)
- - 17. The computing device of claim 16 wherein the automatically executed code checks whether certain software components of the computing device are in a correct state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Polyakov, Alexey A., Yan, Lee Guang
Primary Examiner(s)
LOUIE, OSCAR A

Application Number

US11/183,318
Time in Patent Office

2,524 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/562   Static detection

H04L 63/1416   Event detection, e.g. attac...

Performing security functions when a process is created

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Performing security functions when a process is created

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links