Code injection prevention

US 8,769,672 B2
Filed: 08/04/2006
Issued: 07/01/2014
Est. Priority Date: 08/03/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of preventing code injection in an operating system, the method comprising:

establishing a hook to intercept requests for a kernel mode operating system (OS) system call, wherein hooking the kernel mode OS system call comprises replacing a function pointer corresponding to the request;

directing a request sent to the kernel mode OS system call to a checking module, the checking module being run in a kernel mode, wherein the request originates from a first program, the first program being a kernel mode program, and wherein the request is directed to a target process;

determining a process identifier of the target process;

determining a process identifier of the first program that initiated the request;

querying a process database to verify whether the process identifier of the target process and the process identifier of the first program are the same, wherein the process database is updated whenever a process create event or a process delete event is signaled from the operating system; and

upon determining that the process identifier of the target process is different than the process identifier of the first program that is stored in the process database and upon determining that the request is a write to process memory operation of the target process, denying the request.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, computer program product and system for preventing code injection in an operating system. The method 300 includes a checking module 340 hooking a kernel mode OS system call 330 and a request 315 sent to the kernel mode OS system call 330 being directed to the checking module 340. The checking module 340 queries 345 a process database 350 and the checking module 340 then allows or denies the request 315 based on a response from the process database 350.

12 Citations

View as Search Results

8 Claims

1. A computer-implemented method of preventing code injection in an operating system, the method comprising:
- establishing a hook to intercept requests for a kernel mode operating system (OS) system call, wherein hooking the kernel mode OS system call comprises replacing a function pointer corresponding to the request;
  
  directing a request sent to the kernel mode OS system call to a checking module, the checking module being run in a kernel mode, wherein the request originates from a first program, the first program being a kernel mode program, and wherein the request is directed to a target process;
  
  determining a process identifier of the target process;
  
  determining a process identifier of the first program that initiated the request;
  
  querying a process database to verify whether the process identifier of the target process and the process identifier of the first program are the same, wherein the process database is updated whenever a process create event or a process delete event is signaled from the operating system; and
  
  upon determining that the process identifier of the target process is different than the process identifier of the first program that is stored in the process database and upon determining that the request is a write to process memory operation of the target process, denying the request.
- View Dependent Claims (2, 3)
- - 2. The method as claimed in claim 1, wherein the process database uses an algorithm to produce the response.
  - 3. The method as claimed in claim 1, wherein the request is allowed or denied before injected code is executed in an injected process.

4. A computer program product for preventing code injection in an operating system, the computer program product comprising a computer-readable storage device having instructions thereon, the instructions comprising:
- code programmed to establish a hook to intercept requests for a kernel mode operating system (OS) system call, wherein hooking the kernel mode OS system call comprises replacing a function pointer corresponding to the request;
  
  code programmed to receive a request sent to the kernel mode OS system call, the checking module being run in a kernel mode, wherein the request originated from a first program, the first program being a kernel mode program, and wherein the request is directed to a target process;
  
  code programmed to determine a process identifier (ID) of the target process;
  
  code programmed to determine a process identifier of the first program that initiated the request;
  
  code programmed to query a process database to verify whether the process identifier (ID) of the target process and the process identifier (ID) of the first program are the same, wherein the process database is updated whenever a process create event or a process delete event is signaled from the operating system; and
  
  code programmed to receive a response from the process database; and
  
  upon determining that the process identifier (ID) of the target process is different than the process identifier (ID) of the first program that is stored in the process database and upon determining that the request is a write to process memory operation of the target process, code programmed to deny the request.
- View Dependent Claims (5, 6, 7)
- - 5. The computer program product as claimed in claim 4, wherein the computer program product is a kernel driver.
  - 6. The computer program product as claimed in claim 4, wherein the process ID of the target process of the request is obtained using a query information function with a process information class.
  - 7. The computer program product as claimed in claim 6, wherein a process ID of a process that initiated the write to memory operation is obtained using a get current process ID function.

8. A system for preventing code injection in an operating system, the system comprising:
- (1) at least one memory to store a process database; and
  
  ,(2) a processor, in communication with the at least one memory, the processor configured to;
  
  (a) establish hook to intercept requests for a kernel mode operating system (OS) system call, wherein hooking the kernel mode OS system call comprises replacing a function pointer corresponding to the request;
  
  (b) receive a request sent to the kernel mode OS system call, the checking module being run in a kernel mode, wherein the request originates from a first program, the first program being a kernel mode program, and wherein the request is directed to a target process;
  
  (c) determine a process identifier of the target process;
  
  (d) determine a process identifier of the first program that initiated the request;
  
  (e) query the process database to verify whether the process identifier of the target process and the process identifier of the first program are the same, wherein the process database is updated whenever a process create event or a process delete event is signaled from the operating system; and
  
  (f) receive a response from the process database; and
  
  (g) upon determining that the process identifier of the target process is different than the process identifier of the first program that is stored in the process database and upon determining that the request is a write to process memory operation of the target process, deny the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Park, Seung Bae
Primary Examiner(s)
LEE, JASON T

Application Number

US11/499,209
Publication Number

US 20080040800A1
Time in Patent Office

2,888 Days
Field of Search

726/22, 726/2, 726/26, 713/164
US Class Current

726/22
CPC Class Codes

G06F 21/562   Static detection

G06F 21/57   Certifying or maintaining t...

G06F 21/572   Secure firmware programming...

Code injection prevention

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Code injection prevention

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links