System and method for intercepting process creation events

US 8,650,578 B1
Filed: 02/27/2012
Issued: 02/11/2014
Est. Priority Date: 11/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method of controlling processes, the method comprising:

injecting an interceptor into an operating system process associated with new process registration;

detecting, with the interceptor, registration of a new process with the operating system process;

in response to said detecting registration of the new process, using the interceptor to discover identification information associated with the new process;

determining whether the identification information associated with the new process corresponds to a program that is to be controlled;

controlling the new process in response to determining that the new process is to be controlled, wherein said controlling comprises one of the following;

preventing the new process from executing or limiting the new process; and

wherein said controlling the new process comprises changing access rights of the new process from administrator rights to non-administrator rights;

wherein the new process is a browser process and wherein said limiting the new process comprises preventing the browser process from visiting one or more web sites.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting creation of a program instance includes an interceptor routine that obtains a parameter corresponding to a characteristic of a program instance and an interceptor module that can be injected into a native operating system process. In certain examples, the interceptor module can replace an address of a selected routine in an address table with an address to the interceptor routine, such that the native operating system process can call the interceptor routine in place of the selected routine. Additionally, the system can include a comparison module that compares the parameter to a set of identified programs to determine whether the program instance corresponds to at least one of the identified programs. The system can also include a security module that can modify execution of the program instance based at least in part on a determination that the program instance corresponds to at least one identified program.

Citations

16 Claims

1. A method of controlling processes, the method comprising:
- injecting an interceptor into an operating system process associated with new process registration;
  
  detecting, with the interceptor, registration of a new process with the operating system process;
  
  in response to said detecting registration of the new process, using the interceptor to discover identification information associated with the new process;
  
  determining whether the identification information associated with the new process corresponds to a program that is to be controlled;
  
  controlling the new process in response to determining that the new process is to be controlled, wherein said controlling comprises one of the following;
  
  preventing the new process from executing or limiting the new process; and
  
  wherein said controlling the new process comprises changing access rights of the new process from administrator rights to non-administrator rights;
  
  wherein the new process is a browser process and wherein said limiting the new process comprises preventing the browser process from visiting one or more web sites.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein said injecting the interceptor comprises injecting a thread into the operating system process.
  - 3. The method of claim 1, wherein the identification information is selected from the group consisting of:
    - a name of the new process, a process identifier (PID), a name of an executable for the new process, a file location where an executable for the new process is stored, an identifier of a thread of the new process, and a security token.
  - 4. The method of claim 1, wherein said changing the access rights to non-administrator rights is configured to prevent the new process from executing.
  - 5. The method of claim 1, wherein said controlling the new process comprises replacing the new process with a second process having at least some parameters of the new process, thereby preventing a user from using the new process maliciously.
  - 6. The method of claim 1, wherein the operating system process is a Client/Server Runtime Subsystem Service (csrss.exe) process in a Microsoft Windows®
    - operating system.
  - 7. The method of claim 1, wherein the operating system process is a Local Security Authority Subsystem Service (lsass.exe) process in a Microsoft Windows®
    - operating system.
  - 8. The method of claim 1, wherein one or more of said injecting, detecting, using, determining, and controlling is implemented by a computer system comprising computer hardware.

9. A system for controlling processes, the system comprising:
- one or more computer processors comprising computer hardware;
  
  an interceptor executing via the one or more computer processors,the interceptor configured to be injected into an operating system process responsible for process registration, detect registration of a new process by the operating system process, and discover identification information associated with the new process;
  
  a comparison module executing via the one or more computer processors, the comparison module configured to determine whether the identification information associated with the new process corresponds to a program that is to be controlled;
  
  a security module executing via the one or more computer processors, the security module configured to control the new process in response to determining that the new process is to be controlled, by at least performing one of the following;
  
  preventing the new process from executing or limiting the new process; and
  
  wherein the security module is further configured to control the new process by at least changing access rights of the new process from administrator rights to non-administrator rights;
  
  wherein the new process is a browser process and wherein said limiting the new process comprises preventing the browser process from visiting one or more web sites.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein the interceptor is further configured to inject the interceptor by at least injecting a thread into the operating system process.
  - 11. The system of claim 9, wherein the the identification information is selected from the group consisting of:
    - a name of the new process, a process identifier (PID), a name of an executable for the new process, a file location where an executable for the new process is stored, an identifier of a thread of the new process, and a security token.
  - 12. The system of claim 9, wherein by changing the access rights to non-administrator rights, the security module is configured to prevent the new process from executing.
  - 13. The system of claim 9, wherein the security module is further configured to control the new process by at least replacing the new process with a second process having at least some parameters of the new process, thereby preventing a user from using the new process maliciously.

14. Non-transitory physical computer storage comprising instructions stored thereon that, when executed in one or more processors, cause the one or more processors to implement a system for controlling processes, the system comprising:
- an interceptor configured to be injected into an operating system process responsible for process registration, detect registration of a new process by the operating system process, and identify identification information associated with the new process;
  
  a comparison module configured to determine whether the identification information associated with the new process corresponds to a program that is to be controlled; and
  
  a security module configured to control the new process in response to determining that the new process is to be controlled, by at least performing one of the following;
  
  preventing the new process from executing or limiting the new process; and
  
  wherein the security module is further configured to control the new process by at least changing access rights of the new process from administrator rights to non-administrator rights;
  
  wherein the new process is a browser process and wherein said limiting the new process comprises preventing the browser process from visiting one or more web sites.
- View Dependent Claims (15, 16)
- - 15. The non-transitory physical computer storage of claim 14, wherein the identification information is selected from the group consisting of:
    - a name of the new process, a process identifier (PID), a name of an executable for the new process, a file location where an executable for the new process is stored, an identifier of a thread of the new process, and a security token.
  - 16. The non-transitory physical computer storage of claim 14, wherein by changing the access rights, the security module is configured to prevent the new process from executing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Dell Software, Inc. (Dell Technologies Inc.)
Inventors
Binotto, Alessandro, Gostev, Anton, Andreyev, Ivan Sergeevich, Artyom, Agafonov
Primary Examiner(s)
Truong, Lechi

Application Number

US13/406,305
Time in Patent Office

715 Days
Field of Search

719/310, 714/100
US Class Current

719/310
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 2209/542   Intercept

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 9/54   Interprogram communication

G06F 9/545   where tasks reside in diffe...

System and method for intercepting process creation events

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for intercepting process creation events

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links