Methods of detection of software exploitation
First Claim
1. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes and threads executing on a computing device;
monitoring instructions executed by a thread that is currently running; and
performing the following steps when a function to create a process or a function to load a library is called;
examining a thread information block,determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block,examining the contents of a plurality of memory addresses,determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions, anddisplaying a message to a user that a possible software exploit has been detected when the address included in the stack pointer is not in the range of stack addresses.
1 Assignment
0 Petitions
Accused Products
Abstract
A method for detecting software exploitation broadly comprises the steps of gathering information about processes and threads executing on a computing device, monitoring instructions executed by a thread that is currently running, performing the following steps if a function to create a process or a function to load a library is called, examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, and determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions.
29 Citations
5 Claims
-
1. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
-
gathering information about processes and threads executing on a computing device; monitoring instructions executed by a thread that is currently running; and performing the following steps when a function to create a process or a function to load a library is called; examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, examining the contents of a plurality of memory addresses, determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions, and displaying a message to a user that a possible software exploit has been detected when the address included in the stack pointer is not in the range of stack addresses. - View Dependent Claims (2, 3, 4, 5)
-
Specification
-
- Resources
-
Current AssigneeESET, spol. s.r.o.
-
Original AssigneeESET, spol. s.r.o.
-
InventorsMirski, Pawel, Hlavaty, Peter, Kosinar, Peter
-
Primary Examiner(s)Patel, Haresh N
-
Application NumberUS13/942,385Publication NumberTime in Patent Office561 DaysField of Search726 22- 27, 709217-224US Class Current726/23CPC Class CodesG06F 21/56 Computer malware detection ...G06F 21/566 Dynamic detection, i.e. det...G06F 2221/033 Test or assess software
