Direct call into system DLL detection system and method
First Claim
1. A computer-implemented method comprising:
determining that one or more modules to be loaded into a process is suspicious, the determination of suspiciousness depending on one or more user-configurable factors, the determination resulting in one or more suspicious modules;
creating intercept functions for a tracked Dynamic Link Library (DLL) function of a Dynamic Link Library (DLL) being loaded into the one or more suspicious modules; and
determining whether said tracked DLL function is invoked, wherein upon a determination that said tracked DLL function is invoked, said method further comprising:
determining whether a return address of a caller of said tracked DLL function is within a legitimate return address range that corresponds to non-suspicious modules to determine whether said tracked DLL function is being directly called from said one or more suspicious modules, wherein in no legitimate event should said tracked DLL function be called directly from said one or more suspicious modules, said legitimate return address range comprising address ranges of said intercept functions, said legitimate return address range excluding address ranges of said one or more suspicious modules, and wherein said legitimate return address memory range comprises address ranges of said non-suspicious modules; and
dynamically updating said legitimate return address range, that corresponds to said non-suspicious modules and said intercept functions, when said non-suspicious modules and said intercept functions are created and terminated.
Abstract
A method includes creating an intercept function for a tracked DLL function of a DLL being loaded into a suspicious module. Upon a determination that the tracked DLL function is invoked, a determination is made as to whether a return address of a caller of the tracked DLL function is within a legitimate return address range. The legitimate return address range includes an address range of the intercept function and excludes an address range of the suspicious module. If the return address is within the suspicious module, the suspicious module called the tracked DLL function directly. This indicates that the suspicious module is malicious and so protective action is taken.
18 Claims
1. A computer-implemented method (independent claim; its full text is given above under First Claim). Claims 2 to 16 are dependent claims of claim 1 and are not reproduced on this page.
17. A computer system comprising:
a memory having stored therein a code module operating system (OS) interactions intercepting application; and a processor coupled to said memory, wherein execution of said code module OS interactions intercepting application generates a method comprising: determining that one or more modules to be loaded into a process is suspicious, the determination of suspiciousness depending on one or more user-configurable factors, the determination resulting in one or more suspicious modules; creating intercept functions for a tracked Dynamic Link Library (DLL) function of a Dynamic Link Library (DLL) being loaded into the one or more suspicious modules; and determining whether said tracked DLL function is invoked, wherein upon a determination that said tracked DLL function is invoked, said method further comprising: determining whether a return address of a caller of said tracked DLL function is within a legitimate return address range that corresponds to non-suspicious modules to determine whether said tracked DLL function is being directly called from said one or more suspicious modules, wherein in no legitimate event should said tracked DLL function be called directly from said one or more suspicious modules, said legitimate return address range comprising address ranges of said intercept functions, said legitimate return address range excluding address ranges of said one or more suspicious modules, and wherein said legitimate return address memory range comprises address ranges of said non-suspicious modules; and dynamically updating said legitimate return address range, that corresponds to said non-suspicious modules and said intercept functions, when said non-suspicious modules and said intercept functions are created and terminated.
18. A computer-program product comprising a tangible non-transitory computer readable storage medium containing computer program code comprising:
a code module operating system (OS) interactions intercepting application for determining that one or more modules to be loaded into a process is suspicious, the determination of suspiciousness depending on one or more user-configurable factors, the determination resulting in one or more suspicious modules, the code module further for creating intercept functions for a tracked Dynamic Link Library (DLL) function of a Dynamic Link Library (DLL) being loaded into the one or more suspicious modules; and said code module OS interactions intercepting application further for determining whether said tracked DLL function is invoked, wherein upon a determination that said tracked DLL function is invoked, said code module OS interactions intercepting application further for: determining whether a return address of a caller of said tracked DLL function is within a legitimate return address range that corresponds to non-suspicious modules to determine whether said tracked DLL function is being directly called from said one or more suspicious modules, wherein in no legitimate event should said tracked DLL function be called directly from said one or more suspicious modules, said legitimate return address range comprising address ranges of said intercept functions, said legitimate return address range excluding address ranges of said one or more suspicious modules, and wherein said legitimate return address memory range comprises address ranges of said non-suspicious modules; and dynamically updating said legitimate return address range, that corresponds to said non-suspicious modules and said intercept functions, when said non-suspicious modules and said intercept functions are created and terminated.
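The check that the abstract and claims 1, 17 and 18 all describe, as an added model written for this page (it is not the patent's own code and not any vendor's implementation): module names, base addresses, sizes and the trampoline address are constructed, and the import-table redirection and the inline hook on the tracked export are modelled as Python calls rather than memory patches. The model keeps the legitimate return address range current as modules and intercepts come and go, then judges each invocation of the tracked function by where its return address falls.

```python
"""Model of the return-address check from the abstract and claims above.

Added illustration for this page; not the patent's or any vendor's code.
Module names, addresses and sizes are constructed. The import-slot hook
and the inline hook on the tracked export are modelled as Python calls.
"""
from bisect import bisect_right


class Module:
    """A loaded image occupying [base, base + size)."""

    def __init__(self, name, base, size, suspicious=False):
        # 'suspicious' stands in for the user-configurable classification;
        # the policy that sets it is outside this model.
        self.name, self.base, self.size = name, base, size
        self.suspicious = suspicious

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


class DirectCallDetector:
    """Keeps the legitimate return address range current and judges each
    invocation of the tracked DLL function by the caller's return address."""

    def __init__(self):
        self.modules = {}     # name -> Module
        self.intercepts = {}  # suspicious module name -> (trampoline base, size)
        self._legit = []      # sorted (start, end) ranges, rebuilt on change

    def _rebuild(self):
        ranges = [(m.base, m.base + m.size)
                  for m in self.modules.values() if not m.suspicious]
        ranges += [(b, b + s) for b, s in self.intercepts.values()]
        self._legit = sorted(ranges)

    def load(self, module):
        self.modules[module.name] = module
        self._rebuild()

    def unload(self, name):
        # A module leaving the process takes its intercept with it; both
        # ranges drop out so a later image mapped at the same address is
        # not inherited as legitimate.
        self.modules.pop(name)
        self.intercepts.pop(name, None)
        self._rebuild()

    def create_intercept(self, module_name, trampoline_base, size):
        # Models repointing the suspicious module's import slot for the
        # tracked function to a trampoline that then calls the real export.
        assert self.modules[module_name].suspicious
        self.intercepts[module_name] = (trampoline_base, size)
        self._rebuild()

    def is_legitimate_return(self, ret):
        i = bisect_right(self._legit, (ret, float("inf"))) - 1
        return i >= 0 and self._legit[i][0] <= ret < self._legit[i][1]

    def on_tracked_call(self, ret):
        """Hook body for the tracked export. None when the call is legitimate,
        otherwise the module the return address falls in ('unknown' if none)."""
        if self.is_legitimate_return(ret):
            return None
        for m in self.modules.values():
            if m.contains(ret):
                return m.name
        return "unknown"


def simulate_call(det, caller, via_iat, offset=0x10):
    """Return address the hook sees. via_iat: the call lands on the trampoline
    (if one exists for the caller), which calls the real export, so the return
    address is inside the trampoline. Otherwise the caller reached the export
    directly (resolved or hard-coded address) and the return address is its own."""
    if via_iat and caller in det.intercepts:
        base, _ = det.intercepts[caller]
    else:
        base = det.modules[caller].base
    return det.on_tracked_call(base + offset)


def demo():
    det = DirectCallDetector()
    det.load(Module("app.exe", 0x00400000, 0x20000))
    det.load(Module("tracked.dll", 0x7FF00000, 0x10000))
    det.load(Module("helper.dll", 0x30000000, 0x8000))
    det.load(Module("plugin.dll", 0x10000000, 0x8000, suspicious=True))
    det.create_intercept("plugin.dll", 0x20000000, 0x100)
    results = {
        "app_direct": simulate_call(det, "app.exe", via_iat=False),
        "plugin_via_iat": simulate_call(det, "plugin.dll", via_iat=True),
        "plugin_direct": simulate_call(det, "plugin.dll", via_iat=False),
    }
    # Dynamic update: helper.dll unloads and a suspicious image is mapped at
    # the same base; a return address there must no longer be trusted.
    det.unload("helper.dll")
    det.load(Module("dropper.dll", 0x30000000, 0x8000, suspicious=True))
    results["reused_base"] = det.on_tracked_call(0x30000100)
    # Tearing down the intercept removes the trampoline range as well.
    det.unload("plugin.dll")
    results["stale_trampoline"] = det.on_tracked_call(0x20000010)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'legitimate' if v is None else 'direct call from ' + v}")
```

The two update cases at the end are the part of the claims that is easiest to get wrong in practice: if the range is computed once at load time, a suspicious image mapped into a freed non-suspicious region inherits trust, and a stale trampoline range stays whitelisted after its module is gone. A practitioner should also note the general limit of any return-address check: code that already runs inside the suspicious module can push a forged return address or call through a gadget in a trusted module, so the check is a detection aid, not a boundary.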