Method of and system for malicious software detection using critical address space protection
Abstract
A method of identifying malicious code based on identifying software executing out of writable memory of the computer system. In one embodiment, the identification of the malicious code occurs when the code accesses a predetermined memory address. This address can reside in the address space of an application, a library, or an operating system component. In one embodiment, the access to the predetermined address generates an exception invoking exception handling code. The exception handling code checks the memory attributes of the code that caused the exception and determines whether the code was running in writeable memory.
22 Claims
1. A method comprising:
- identifying particular code executing on a computer system and attempting to access a particular predetermined memory address of the computer system, wherein the predetermined memory address is associated with known access attempts by malicious code;
- determining, based on identifying that the particular code attempts to access the particular predetermined memory address, that the particular code executes from writable memory space of the computer system while attempting to access the particular predetermined memory address;
- identifying the particular code as malicious based, at least in part, on determination that the particular code attempts to access the particular predetermined memory address and executes from the writable memory space of the computer system, wherein an exception is to be generated that invokes an exception handler based at least in part on identifying the particular code as malicious;
- generating an indicator to identify that the particular code was identified as malicious;
- temporarily configuring the computer system to allow single stepping of the particular code following the exception; and
- causing single stepping of the particular code.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A computer processing system comprising:
- memory;
- a processing component programmed to execute; and
- an application, adapted when executed by the processing component to perform operations comprising:
  - identifying particular code executing on a computer system, wherein the particular code attempts to access a particular predetermined memory address of the computer system, wherein the particular predetermined memory address is associated with known access attempts by malicious code;
  - determining, based on identifying that the particular code attempts to access the particular predetermined memory address, that the particular code executes from writable memory space of the computer system while attempting to access the particular predetermined memory address; and
  - identifying the particular code as malicious based, at least in part, on determination that the particular code attempts to access the particular predetermined memory address and executes from the writable memory space of the computer system, wherein an exception is to be generated that invokes an exception handler based at least in part on identifying the particular code as malicious;
  - generating an indicator to identify that the particular code was identified as malicious;
  - temporarily configuring the computer system to allow single stepping of the particular code following the exception; and
  - causing single stepping of the particular code.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19
20. An article comprising a non-transitory, machine-readable storage device storing instructions operable to cause at least one processor to perform operations comprising:
- identifying particular code executing on a computer system and attempting to access a particular predetermined memory address of the computer system, wherein the predetermined memory address is associated with known access attempts by malicious code;
- determining, based on identifying that the particular code attempts to access the particular predetermined memory address, that the particular code executes from writable memory space of the computer system while attempting to access the particular predetermined memory address;
- identifying the particular code as malicious based, at least in part, on determination that the particular code attempts to access the particular predetermined memory address and executes from the writable memory space of the computer system, wherein an exception is to be generated that invokes an exception handler based at least in part on identifying the particular code as malicious;
- generating an indicator to identify that the particular code was identified as malicious;
- temporarily configuring the computer system to allow single stepping of the particular code following the exception; and
- causing single stepping of the particular code.

Dependent claims: 21, 22
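The exception-handler check that the abstract and the independent claims describe, as an added C illustration that is not code from the patent. The memory map, the critical addresses, the context structure and the bit-level permission model are all constructed for the example; a real implementation would read page attributes from the operating system and the trap flag from the saved register state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Permission bits of one region in a constructed process memory map. */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
typedef struct { uintptr_t start, end; unsigned perm; } region_t;

/* Constructed map: program text (r-x), data (rw-), and a writable+executable
 * region of the kind injected code typically runs from. */
static const region_t MAP[] = {
    { 0x400000, 0x480000, PERM_R | PERM_X },
    { 0x600000, 0x610000, PERM_R | PERM_W },
    { 0x7f0000, 0x800000, PERM_R | PERM_W | PERM_X },
};

/* Predetermined (critical) addresses whose access raises the exception;
 * the values are constructed placeholders, not real library addresses. */
static const uintptr_t CRITICAL[] = { 0x401230, 0x403000 };

/* Simulated exception context: instruction pointer of the faulting code, the
 * address it accessed, and a flags word whose trap flag enables single stepping. */
#define TRAP_FLAG 0x100u /* x86 EFLAGS.TF */
typedef struct { uintptr_t ip, target; uint32_t flags; bool malicious; } ctx_t;

static const region_t *lookup(uintptr_t addr) {
    for (size_t i = 0; i < sizeof MAP / sizeof MAP[0]; i++)
        if (addr >= MAP[i].start && addr < MAP[i].end) return &MAP[i];
    return NULL;
}

static bool is_critical(uintptr_t addr) {
    for (size_t i = 0; i < sizeof CRITICAL / sizeof CRITICAL[0]; i++)
        if (CRITICAL[i] == addr) return true;
    return false;
}

/* The handler's check: the faulting access targeted a critical address AND the
 * accessing code executes from writable memory. On a hit it records the indicator
 * and sets the trap flag; code running from no known region is not flagged here. */
bool handle_access(ctx_t *c) {
    const region_t *r = lookup(c->ip);
    bool from_writable = (r != NULL) && (r->perm & PERM_W) != 0;
    if (is_critical(c->target) && from_writable) {
        c->malicious = true;     /* indicator that the code was identified as malicious */
        c->flags |= TRAP_FLAG;   /* temporarily allow single stepping after the exception */
        return true;
    }
    return false;
}
```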
Specification