Method of and system for malicious software detection using critical address space protection

US 8,515,075 B1
Filed: 01/29/2009
Issued: 08/20/2013
Est. Priority Date: 01/31/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying particular code executing on a computer system and attempting to access a particular predetermined memory address of the computer system, wherein the predetermined memory address is associated with known access attempts by malicious code;

determining, based on identifying that the particular code attempts to access the particular predetermined memory address, that the particular code executes from writable memory space of the computer system while attempting to access the particular predetermined memory address;

identifying the particular code as malicious based, at least in part, on determination that the particular code attempts to access the particular predetermined memory address and executes from the writable memory space of the computer system, wherein an exception is to be generated that invokes an exception handler based at least in part on identifying the particular code as malicious;

generating an indicator to identify that the particular code was identified as malicious;

temporarily configuring the computer system to allow single stepping of the particular code following the exception; and

causing single stepping of the particular code.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of identifying malicious code based on identifying software executing out of writable memory of the computer system. In one embodiment, the identification of the malicious code occurs when the code accesses a predetermined memory address. This address can reside in the address space of an application, a library, or an operating system component. In one embodiment, the access to the predetermined address generates an exception invoking exception handling code. The exception handling code checks the memory attributes of the code that caused the exception and determines whether the code was running in writeable memory.

Citations

22 Claims

1. A method comprising:
- identifying particular code executing on a computer system and attempting to access a particular predetermined memory address of the computer system, wherein the predetermined memory address is associated with known access attempts by malicious code;
  
  determining, based on identifying that the particular code attempts to access the particular predetermined memory address, that the particular code executes from writable memory space of the computer system while attempting to access the particular predetermined memory address;
  
  identifying the particular code as malicious based, at least in part, on determination that the particular code attempts to access the particular predetermined memory address and executes from the writable memory space of the computer system, wherein an exception is to be generated that invokes an exception handler based at least in part on identifying the particular code as malicious;
  
  generating an indicator to identify that the particular code was identified as malicious;
  
  temporarily configuring the computer system to allow single stepping of the particular code following the exception; and
  
  causing single stepping of the particular code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the particular predetermined memory address is within a memory address space of data structures describing an application, a library, or an operating system component or their associated data.
  - 3. The method of claim 2, wherein the particular predetermined memory address is within the memory address space of a process environment block, an import table, an export table, a procedure linkage table, global offset table, program header, library header, or section header.
  - 4. The method of claim 3, further comprising terminating execution of a process, a thread, or an application associated with the particular code that caused the exception.
  - 5. The method of claim 1, whereindetermining that the particular code executes from writable memory space of the computer system is in response to identifying that the particular code accesses the particular predetermined memory address.
  - 6. The method of claim 5, wherein the computer system comprises configurable hardware adapted to control memory attributes of computer system memory and generate the exception upon access to a range of memory addresses that includes the particular predetermined memory address.
  - 7. The method of claim 5, further comprising terminating execution of a process, a thread, or an application associated with the particular code that caused the exception.
  - 8. The method of claim 5 further comprising resuming execution of the particular code from a location at which the exception was generated.
  - 9. The method of claim 8, wherein temporarily configuring the computer system comprises:
    - configuring a processor associated with the computer processing system to execute the particular code at an instruction that caused the exception;
      
      configuring an attribute of the particular predetermined memory address to a memory attribute that does not generate an exception when the processor executes the particular code that referenced the particular predetermined memory address;
      
      configuring the attribute of the particular predetermined memory address the particular predetermined memory address attribute to an exception attribute; and
      
      continuing processor execution at a next instruction following the particular code that referenced the particular predetermined memory address.
  - 10. The method of claim 8, wherein the particular predetermined memory address is not referenced by non-malicious code after initialization of the application, the library, or the operating system component.

11. A computer processing system comprising:
- memory;
  
  a processing component programmed to execute; and
  
  an application, adapted when executed by the processing component to perform operations comprising;
  
  identifying particular code executing on a computer system, wherein the particular code attempts to access a particular predetermined memory address of the computer system, wherein the particular predetermined memory address is associated with known access attempts by malicious code;
  
  determining, based on identifying that the particular code attempts to access the particular predetermined memory address, that the particular code executes from writable memory space of the computer system while attempting to access the particular predetermined memory address; and
  
  identifying the particular code as malicious based, at least in part, determination that the particular code attempts to access the particular predetermined memory address and executes from the writable memory space of the computer system, wherein an exception is to be generated that invokes an exception handler based at least in part on identifying the particular code as malicious;
  
  generating an indicator to identify that the particular code was identified as malicious;
  
  temporarily configuring the computer system to allow single stepping of the particular code following the exception; and
  
  causing single stepping of the particular code.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer processing system of claim 11, wherein the particular predetermined memory address is within an address space of data structures describing an application, a library, or an operating system component or their associated data.
  - 13. The computer processing system of claim 12, wherein the particular predetermined memory address is within the memory address space of a process environment block, an import table, an export table, a procedure linkage table, global offset table, program header, library header, or section header.
  - 14. The computer processing system of claim 13, wherein the application is adapted to perform further operations comprising terminating execution of a process, a thread, or an application associated with the code that caused the exception.
  - 15. The computer processing system of claim 11, wherein the application comprises:
    - the exception handler software invoked upon access to a memory address range including the particular predetermined memory address;
      
      software to determine whether an attempted access was to the particular predetermined memory address;
      
      and software to determine that code executes from writable memory.
  - 16. The computer processing system of claim 15, wherein the computer processing system further comprises configurable hardware for controlling memory attributes of computer system memory configurable to generate an exception upon access to a range of memory addresses that includes the particular predetermined memory address.
  - 17. The computer processing system of claim 15, further comprising terminating execution of a process, a thread, or an application associated with the particular code that caused the exception.
  - 18. The computer processing system of claim 15, wherein the application is further adapted to resume execution of the particular code from a location at which the exception was generated.
  - 19. The computer processing system of claim 18, wherein temporarily configuring the computer system comprises:
    - configuring a processor associated with the computer processing system to execute the particular code at an instruction that caused the exception;
      
      configuring an attribute of the particular predetermined memory address to a memory attribute that does not generate an exception when the processor executes the particular code that referenced the particular predetermined memory address;
      
      configuring the attribute of the particular predetermined memory address the particular predetermined memory address attribute to an exception attribute; and
      
      continuing processor execution at a next instruction following the particular code that referenced the particular predetermined memory address.

20. An article comprising a non-transitory, machine-readable storage device storing instructions operable to cause at least one processor to perform operations comprising:
- identifying particular code executing on a computer system and attempting to access a particular predetermined memory address of the computer system, wherein the predetermined memory address is associated with known access attempts by malicious code;
  
  determining, based on identifying that the particular code attempts to access the particular predetermined memory address, that the particular code executes from writable memory space of the computer system while attempting to access the particular predetermined memory address;
  
  identifying the particular code as malicious based, at least in part, on determination that the particular code attempts to access the particular predetermined memory address and executes from the writable memory space of the computer system, wherein an exception is to be generated that invokes an exception handler based at least in part on identifying the particular code as malicious;
  
  generating an indicator to identify that the particular code was identified as malicious;
  
  temporarily configuring the computer system to allow single stepping of the particular code following the exception; and
  
  causing single stepping of the particular code.
- View Dependent Claims (21, 22)
- - 21. The article of claim 20, wherein the particular predetermined memory address is within an address space of data structures describing an application, a library, or an operating system component or their associated data.
  - 22. The article of claim 20, wherein identifying the particular code as malicious comprises:
    - generating an exception that invokes an exception handler when the particular code accesses the particular predetermined memory address, and wherein the exception handler determines if the particular code executes from writable memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Saraf, Suman, Agrawal, Sharad, Kumar, Pankaj
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US12/322,220
Time in Patent Office

1,664 Days
Field of Search

380/277, 380/211
US Class Current

380/277
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Method of and system for malicious software detection using critical address space protection

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method of and system for malicious software detection using critical address space protection

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links