Hooking nonexported functions by the offset of the function
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes accessing offset data associated with a binary executable, the offset data including an offset of a nonexported function; and modifying instructions at the offset. In another aspect, a method includes analyzing a reference generated for a binary executable, identifying a unique identifier for the binary executable, determining an offset of a nonexported function in the binary executable, and generating offset data that includes the offset and the unique identifier.
13 Claims
1. A computer-implemented method, comprising:
identifying that a binary executable in a host computer memory includes a nonexported function with a particular vulnerability, the binary executable being allocated memory space in the host computer memory, the memory space addressed at a first memory location;
accessing offset data associated with the binary executable, the offset data identifying an offset that defines a second memory location relative to the first memory location, the second memory location different from the first memory location, the second memory location storing the nonexported function within the binary executable; and
modifying instructions at the second memory location to route a code path to a host protection processor.
Dependent claims: 2, 3, 4, 5.
6. A computer-implemented method, comprising:
analyzing, using at least one processor device, a reference file generated for a binary executable determined to have a particular vulnerability, the reference file containing a representation of instructions that are in the binary executable;
identifying a unique identifier for the binary executable;
locating a nonexported function corresponding to the particular vulnerability in the binary executable from the analysis of the reference file;
determining an offset for the nonexported function, the offset being the number of bytes between the nonexported function and the beginning of the binary executable; and
generating offset data that includes the offset and the unique identifier.
Dependent claims: 7, 8, 9.
10. A system, comprising:
a processor device;
a memory element; and
a file analyzer configured, when executed by the processor device, to analyze a reference file generated for a binary executable determined to have a particular vulnerability, the reference file comprising a representation of instructions that are in the binary executable;
locate a nonexported function corresponding to the particular vulnerability in the reference file; and
determine an offset for the nonexported function, the offset being the number of bytes between the nonexported function and the beginning of the binary executable.
11. A system, comprising:
a host computer memory configured to store data for a computer;
a hook by offset engine that performs operations comprising:
identifying that a binary executable in a host computer memory includes a nonexported function with a particular vulnerability, the binary executable being allocated memory space in the host computer memory, the memory space addressed at a first memory location;
accessing offset data associated with the binary executable, the offset data identifying an offset that defines a second memory location relative to the first memory location, the second memory location storing the nonexported function within the binary executable; and
modifying instructions at the second memory location to route a code path to a host protection processor; and
a host protection processor that performs operations comprising:
determining whether execution of the nonexported function would result in exploitation of the particular vulnerability; and
determining whether to allow execution of the nonexported function.
Dependent claims: 12, 13.
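The steps the three independent claims describe (derive offset data from a reference file, resolve base + offset in the loaded image, patch the hook site to divert into a protection handler, decide whether to allow the call) as an added Python simulation. This is example code written for this page, not the patent's or any assignee's implementation. It assumes a map-file-style symbol listing stands in for the claim 6 reference file, uses a SHA-256 of the file bytes as the unique identifier, and simulates host memory as a bytearray; the toy binary, the symbol name ParseRecordInternal, the addresses and the length-bound policy in the protection handler are all constructed.

```python
"""Offset-based hooking of a nonexported function, simulated in process memory."""
import hashlib
import struct

# --- Constructed sample data (not taken from any real binary) ---------------
# A toy 64-byte "binary executable" whose nonexported function starts at file
# offset 0x20 with an x86-64 prologue (push rbp; mov rbp, rsp).
PROLOGUE = bytes.fromhex("554889e5")
IMAGE = bytes(0x20) + PROLOGUE + bytes(0x40 - 0x20 - len(PROLOGUE))

# A constructed reference file in a map-file-like layout: preferred image base
# first, then "address symbol" pairs. The symbol names are hypothetical.
REFERENCE_FILE = """\
image_base 0x140000000
0x140000000 _start
0x140000020 ParseRecordInternal
0x140000030 _exit_stub
"""

HOOK_LEN = 5  # size of an x86 `jmp rel32`: opcode E9 + 32-bit displacement


def unique_identifier(image: bytes) -> str:
    """Identifier for one specific build. The claims leave the scheme open;
    a SHA-256 of the file bytes is one common choice (assumption)."""
    return hashlib.sha256(image).hexdigest()


def generate_offset_data(reference_file: str, image: bytes, function_name: str) -> dict:
    """Claim 6: locate the nonexported function in the reference file and record
    its offset from the start of the binary together with the identifier. The
    bytes expected at that offset are recorded too, so the hooking side can
    refuse to patch a build the offset data was not produced for."""
    lines = reference_file.splitlines()
    image_base = int(lines[0].split()[1], 16)
    for line in lines[1:]:
        address_text, name = line.split()
        if name == function_name:
            offset = int(address_text, 16) - image_base
            return {
                "id": unique_identifier(image),
                "function": function_name,
                "offset": offset,
                "expected_bytes": image[offset:offset + len(PROLOGUE)].hex(),
            }
    raise LookupError(f"{function_name} not present in reference file")


def hook_by_offset(mem: bytearray, base: int, image_len: int,
                   offset_data: dict, handler_addr: int) -> tuple:
    """Claim 1 / the claim 11 'hook by offset engine': the binary is mapped at
    `base` (first memory location); base + offset is the second memory location.
    After checking the identifier and the bytes at the hook site, overwrite the
    first five bytes with `jmp rel32` to the protection handler. Returns
    (hook address, original bytes) so a trampoline could be built from them."""
    image = bytes(mem[base:base + image_len])
    if unique_identifier(image) != offset_data["id"]:
        raise ValueError("offset data does not match the loaded build")
    target = base + offset_data["offset"]
    expected = bytes.fromhex(offset_data["expected_bytes"])
    if bytes(mem[target:target + len(expected)]) != expected:
        raise ValueError("unexpected bytes at hook site; refusing to patch")
    saved = bytes(mem[target:target + HOOK_LEN])
    displacement = handler_addr - (target + HOOK_LEN)  # relative to next insn
    mem[target:target + HOOK_LEN] = b"\xe9" + struct.pack("<i", displacement)
    return target, saved


def decode_jmp(mem: bytearray, addr: int):
    """Follow a `jmp rel32` at addr; returns its destination, or None if the
    byte there is not the jmp opcode."""
    if mem[addr] != 0xE9:
        return None
    (displacement,) = struct.unpack_from("<i", mem, addr + 1)
    return addr + HOOK_LEN + displacement


def host_protection_processor(record: bytes) -> bool:
    """Claim 11 'host protection processor': decide whether letting the function
    run on this input would exploit the vulnerability. The policy (an upper
    bound on the record length) is an assumption standing in for a real check."""
    return len(record) <= 256


def run_demo() -> dict:
    """Produce offset data, map the image, install the hook and follow it."""
    offset_data = generate_offset_data(REFERENCE_FILE, IMAGE, "ParseRecordInternal")
    mem = bytearray(0x1000)        # simulated host memory
    base, handler = 0x400, 0x800   # load address and handler address, both arbitrary
    mem[base:base + len(IMAGE)] = IMAGE
    target, saved = hook_by_offset(mem, base, len(IMAGE), offset_data, handler)
    return {"offset_data": offset_data, "target": target, "saved": saved,
            "jumps_to": decode_jmp(mem, target)}


if __name__ == "__main__":
    r = run_demo()
    print(f"offset 0x{r['offset_data']['offset']:x} -> hook at 0x{r['target']:x}, "
          f"jmp to 0x{r['jumps_to']:x}")
```

The two checks before the write are the part worth copying: offset data is only valid for the exact build it was generated from, so the identifier comparison and the compare of the expected bytes at the hook site stop the engine from patching an unrelated location when a different version of the binary is loaded. A real implementation also has to make the code page writable for the patch and restore the displaced instructions in a trampoline; the simulation omits both.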