Hooking nonexported functions by the offset of the function

US 8,484,753 B2
Filed: 12/02/2009
Issued: 07/09/2013
Est. Priority Date: 12/02/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

identifying that a binary executable in a host computer memory includes a nonexported function with a particular vulnerability, the binary executable being allocated memory space in the host computer memory, the memory space addressed at a first memory location;

accessing offset data associated with the binary executable, the offset data identifying an offset that defines a second memory location relative to the first memory location, the second memory location different from the first memory location, the second memory location storing the nonexported function within the binary executable; and

modifying instructions at the second memory location to route a code path to a host protection processor.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes accessing offset data associated with a binary executable, the offset data including an offset of a nonexported function; and modifying instructions at the offset. In another aspect, a method includes analyzing a reference generated for a binary executable, identifying a unique identifier for the binary executable, determining an offset of a nonexported function in the binary executable, and generating offset data that includes the offset and the unique identifier.

Citations

13 Claims

1. A computer-implemented method, comprising:
- identifying that a binary executable in a host computer memory includes a nonexported function with a particular vulnerability, the binary executable being allocated memory space in the host computer memory, the memory space addressed at a first memory location;
  
  accessing offset data associated with the binary executable, the offset data identifying an offset that defines a second memory location relative to the first memory location, the second memory location different from the first memory location, the second memory location storing the nonexported function within the binary executable; and
  
  modifying instructions at the second memory location to route a code path to a host protection processor.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the nonexported function is called by an exported function.
  - 3. The method of claim 1, wherein accessing offset data comprises:
    - identifying a hash ID that uniquely identifies the binary executable; and
      
      identifying an offset associated with the binary executable based on the hash ID.
  - 4. The method of claim 1, wherein the offset data further comprises a version string for the binary executable.
  - 5. The method of claim 1, wherein the offset data further comprises a byte pattern adjacent to the offset.

6. A computer-implemented method, comprising:
- analyzing, using at least one processor device, a reference file generated for a binary executable determined to have a particular vulnerability, the reference file containing a representation of instructions that are in the binary executable;
  
  identifying a unique identifier for the binary executable;
  
  locating a nonexported function corresponding to the particular vulnerability in the binary executable from the analysis of the reference file;
  
  determining an offset for the nonexported function, the offset being the number of bytes between the nonexported function and the beginning of the binary executable; and
  
  generating offset data that includes the offset and the unique identifier.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein the reference file is a symbol file.
  - 8. The method of claim 6, wherein the offset data further comprises a version string for the binary executable.
  - 9. The method of claim 6, wherein the offset data further comprises a byte pattern adjacent to the offset.

10. A system, comprising:
- a processor device;
  
  a memory element; and
  
  a file analyzer configured, when executed by the processor device, to analyze a reference file generated for a binary executable determined to have a particular vulnerability, the reference file comprising a representation of instructions that are in the binary executable;
  
  locate a nonexported function corresponding to the particular vulnerability in the reference file; and
  
  determine an offset for the nonexported function, the offset being the number of bytes between the nonexported function and the beginning of the binary executable.

11. A system, comprising:
- a host computer memory configured to store data for a computer;
  
  a hook by offset engine that performs operations comprising;
  
  identifying that a binary executable in a host computer memory includes a nonexported function with a particular vulnerability, the binary executable being allocated memory space in the host computer memory, the memory space addressed at a first memory location;
  
  accesses offset data associated with the binary executable, the offset data identifying an offset that defines a second memory location relative to the first memory location, the second memory location storing the nonexported function within the binary executable; and
  
  modifies instructions at the second memory location to route a code path to a host protection processor.a host protection processor that performs operations comprising;
  
  determining whether execution of the nonexported function would result in exploitation of the particular vulnerability; and
  
  determining whether to allow execution of the nonexported function
- View Dependent Claims (12, 13)
- - 12. The system of claim 11, wherein determining whether execution of the nonexported function would result in exploitation of the particular vulnerability includes monitoring for attempts to exploit the particular vulnerability.
  - 13. The system of claim 11, wherein the host protection process is adapted to prevent the execution of the nonexported function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Nojiri, Daisuke
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
SHEHNI, GHAZAL B

Application Number

US12/629,330
Publication Number

US 20110131657A1
Time in Patent Office

1,315 Days
Field of Search

726 26- 30, 713/187
US Class Current

726/30
CPC Class Codes

G06F 21/54 by adding security routines...

G06F 21/566 Dynamic detection, i.e. det...

Hooking nonexported functions by the offset of the function

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Hooking nonexported functions by the offset of the function

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links