Code injection prevention
First Claim
1. A computer-implemented method of preventing code injection in an operating system, the method comprising:
establishing a hook to intercept requests for a kernel mode operating system (OS) system call, wherein hooking the kernel mode OS system call comprises replacing a function pointer corresponding to the request;
directing a request sent to the kernel mode OS system call to a checking module, the checking module being run in a kernel mode, wherein the request originates from a first program, the first program being a kernel mode program, and wherein the request is directed to a target process;
determining a process identifier of the target process;
determining a process identifier of the first program that initiated the request;
querying a process database to verify whether the process identifier of the target process and the process identifier of the first program are the same, wherein the process database is updated whenever a process create event or a process delete event is signaled from the operating system; and
upon determining that the process identifier of the target process is different than the process identifier of the first program that is stored in the process database and upon determining that the request is a write to process memory operation of the target process, denying the request.
Abstract
A method, computer program product and system for preventing code injection in an operating system. The method 300 includes a checking module 340 hooking a kernel mode OS system call 330 and a request 315 sent to the kernel mode OS system call 330 being directed to the checking module 340. The checking module 340 queries 345 a process database 350 and the checking module 340 then allows or denies the request 315 based on a response from the process database 350.
8 Claims
1. (Independent claim; reproduced in full above under First Claim.) Dependent claims: 2, 3.
4. A computer program product for preventing code injection in an operating system, the computer program product comprising a computer-readable storage device having instructions thereon, the instructions comprising:
code programmed to establish a hook to intercept requests for a kernel mode operating system (OS) system call, wherein hooking the kernel mode OS system call comprises replacing a function pointer corresponding to the request;
code programmed to receive a request sent to the kernel mode OS system call, the checking module being run in a kernel mode, wherein the request originated from a first program, the first program being a kernel mode program, and wherein the request is directed to a target process;
code programmed to determine a process identifier (ID) of the target process;
code programmed to determine a process identifier of the first program that initiated the request;
code programmed to query a process database to verify whether the process identifier (ID) of the target process and the process identifier (ID) of the first program are the same, wherein the process database is updated whenever a process create event or a process delete event is signaled from the operating system; and
code programmed to receive a response from the process database; and
upon determining that the process identifier (ID) of the target process is different than the process identifier (ID) of the first program that is stored in the process database and upon determining that the request is a write to process memory operation of the target process, code programmed to deny the request.
Dependent claims: 5, 6, 7.
8. A system for preventing code injection in an operating system, the system comprising:
(1) at least one memory to store a process database; and
(2) a processor, in communication with the at least one memory, the processor configured to:
(a) establish a hook to intercept requests for a kernel mode operating system (OS) system call, wherein hooking the kernel mode OS system call comprises replacing a function pointer corresponding to the request;
(b) receive a request sent to the kernel mode OS system call, the checking module being run in a kernel mode, wherein the request originates from a first program, the first program being a kernel mode program, and wherein the request is directed to a target process;
(c) determine a process identifier of the target process;
(d) determine a process identifier of the first program that initiated the request;
(e) query the process database to verify whether the process identifier of the target process and the process identifier of the first program are the same, wherein the process database is updated whenever a process create event or a process delete event is signaled from the operating system; and
(f) receive a response from the process database; and
(g) upon determining that the process identifier of the target process is different than the process identifier of the first program that is stored in the process database and upon determining that the request is a write to process memory operation of the target process, deny the request.
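The flow the claims describe (a hook installed by replacing a function pointer, a process database fed only by create/delete events, and a checking module that denies a write to another process's memory) as an added user-space C model; this is example code written for this page, not the patent's implementation, and the request structure, the array-backed database, and the fail-closed treatment of a PID missing from the database are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model of the claimed scheme; not the patent's own code. */
enum req_kind { REQ_READ_MEMORY, REQ_WRITE_MEMORY };
struct request { int caller_pid; int target_pid; enum req_kind kind; };
typedef int (*syscall_fn)(const struct request *); /* 0 = allowed, -1 = denied */
/* Process database: live PIDs, updated only from process create/delete events. */
#define MAX_PROCS 64
static int process_db[MAX_PROCS];
static size_t process_db_len;
void on_process_create(int pid) {
    if (process_db_len < MAX_PROCS) process_db[process_db_len++] = pid;
}
void on_process_delete(int pid) {
    for (size_t i = 0; i < process_db_len; i++)
        if (process_db[i] == pid) { process_db[i] = process_db[--process_db_len]; return; }
}
static bool db_contains(int pid) {
    for (size_t i = 0; i < process_db_len; i++)
        if (process_db[i] == pid) return true;
    return false;
}
/* Stand-in for the real kernel service that writes to a process's memory. */
static int original_write_memory(const struct request *r) { (void)r; return 0; }
/* Dispatch table: the function pointer that establishing the hook replaces. */
static syscall_fn syscall_table[1] = { original_write_memory };
static syscall_fn saved_original;

/* Checking module: runs in place of the original entry and decides the request. */
static int checking_module(const struct request *r) {
    /* Assumption: a PID absent from the database is unknown, so fail closed. */
    if (!db_contains(r->caller_pid) || !db_contains(r->target_pid)) return -1;
    /* Claimed rule: a write to a different process's memory is denied. */
    if (r->kind == REQ_WRITE_MEMORY && r->caller_pid != r->target_pid) return -1;
    return saved_original(r); /* same-process writes and reads pass through */
}

void install_hook(void) { saved_original = syscall_table[0]; syscall_table[0] = checking_module; }
void remove_hook(void) {
    if (saved_original) { syscall_table[0] = saved_original; saved_original = NULL; }
}

/* Entry point a kernel-mode program would call; it goes through whatever the table holds. */
int submit_request(int caller_pid, int target_pid, enum req_kind kind) {
    struct request r = { caller_pid, target_pid, kind };
    return syscall_table[0](&r);
}
```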