Detection of malicious modules injected on legitimate processes
First Claim
1. A computer-implemented method of detecting a malicious module in a computer, the method comprising:
- the computer enumerating a first set of dynamic link libraries (DLLs) needed by a process running in the computer to operate, enumerating a second set of DLLs needed by a DLL in the first set of DLLs to operate, and enumerating a third set of DLLs needed by another DLL in the second set of DLLs to operate, the first, second, and third sets of DLLs being enumerated while the process is already running in the computer;
- the computer enumerating a fourth set of DLLs, the fourth set of DLLs comprising DLLs of the process and of other processes that are currently loaded in a main memory of the computer;
- the computer identifying a first DLL that is in the fourth set of DLLs but not in any of the first, second, and third sets of DLLs; and
- the computer deeming the first DLL as malicious when the first DLL does not include a function that the first DLL exports to be callable by another DLL or process running in the computer.
Abstract
A computer includes modules that provide a shared library of functions callable by processes or other modules. A malicious module in the computer may be identified by enumerating the modules needed by a process to operate. Modules currently loaded in the memory of the computer are also enumerated. A suspect or suspicious module may be identified as one currently loaded in the memory of the computer but not needed by a process to operate. The suspicious module may be deemed malicious (i.e., having malicious code, such as a computer virus) if the suspicious module does not export or provide a function for sharing to be called by other modules or processes.
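The loaded-but-unreferenced check the abstract describes, as an added Python example that is not the patent's own code: the import tree of a process is walked to a configurable depth (claim 1 uses exactly three levels), the modules loaded in that process are compared against it, and an unreferenced module is deemed malicious only when it exports nothing. The module table, export counts and loaded list below are constructed sample data; real tooling would read them from each module's PE headers and from the process's module list.

```python
from collections import deque

# Constructed sample data (not from the patent). In practice the import lists come
# from each module's PE import table, export counts from its export directory.
IMPORTS = {
    "app.exe": ["KERNEL32.dll", "USER32.dll"],
    "kernel32.dll": ["ntdll.dll"],
    "user32.dll": ["gdi32.dll", "KERNEL32.dll"],
    "gdi32.dll": ["ntdll.dll"],
    "plugin.dll": ["kernel32.dll"],    # loaded at run time, exports functions
    "injected.dll": ["kernel32.dll"],  # in no import table, exports nothing
}
EXPORTS = {"kernel32.dll": 1600, "user32.dll": 900, "gdi32.dll": 700,
           "ntdll.dll": 2200, "plugin.dll": 2, "injected.dll": 0}
LOADED = ["app.exe", "ntdll.dll", "KERNEL32.dll", "user32.dll",
          "gdi32.dll", "plugin.dll", "injected.dll"]

def referenced_modules(root, imports, max_depth=3):
    """DLLs reachable from root's import table within max_depth hops.
    Claim 1 walks exactly three levels; here the depth is a parameter.
    Names compare case-insensitively, as the Windows loader treats them."""
    imports = {k.lower(): [d.lower() for d in v] for k, v in imports.items()}
    seen = set()
    queue = deque((dep, 1) for dep in imports.get(root.lower(), []))
    while queue:
        name, depth = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        if depth < max_depth:
            queue.extend((dep, depth + 1) for dep in imports.get(name, []))
    return seen

def classify_loaded(root, loaded, imports, exports, max_depth=3):
    """Sort loaded modules into referenced (in the import tree), suspicious
    (unreferenced but exporting functions) and malicious (unreferenced and
    exporting nothing), following the rule in the abstract."""
    needed = referenced_modules(root, imports, max_depth)
    exports = {k.lower(): v for k, v in exports.items()}
    verdict = {"referenced": [], "suspicious": [], "malicious": []}
    for name in loaded:
        key = name.lower()
        if key == root.lower() or key in needed:
            verdict["referenced"].append(key)
        elif exports.get(key, 0) > 0:
            verdict["suspicious"].append(key)
        else:
            verdict["malicious"].append(key)
    return verdict
```

Note that plugin.dll, loaded at run time rather than through any import table, lands in the suspicious bucket rather than the malicious one because it exports functions; that second check is what keeps legitimately late-loaded modules from being deemed malicious outright.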
10 Claims
6. A computer having main memory, a processor, and a data storage device, the computer comprising:
- a plurality of processes running in the main memory;
- a plurality of dynamic-link libraries (DLLs) loaded from the data storage device and into the main memory, the plurality of DLLs being DLLs of the plurality of processes; and
- a malicious module detector comprising computer-readable program code loaded from the data storage device to run in the main memory, the malicious module detector being configured to enumerate a first set of DLLs referenced by a first process in the plurality of processes, enumerate a second set of DLLs referenced by a DLL in the first set of DLLs, enumerate a third set of DLLs referenced by another DLL in the second set of DLLs, and identify a first DLL in the plurality of DLLs but not in any of the first, second, and third sets of DLLs, wherein the first DLL does not have a function called by a first process in the plurality of processes and the malicious module detector is configured to deem the first DLL as malicious when the first DLL does not identify a function that the first DLL shares with another DLL or process running in the computer.