Methods of detection of software exploitation
First Claim
1. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps:
- gathering information about processes and threads executing on a computing device;
- monitoring instructions executed by a thread that is currently running; and
- performing the following steps when a function to create a process or a function to load a library is called:
  - examining a thread information block,
  - determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block,
  - examining the contents of a plurality of memory addresses,
  - determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions, and
  - displaying a message to a user that a possible software exploit has been detected when the address included in the stack pointer is not in the range of stack addresses.
Abstract
A method for detecting software exploitation broadly comprises the steps of gathering information about processes and threads executing on a computing device, monitoring instructions executed by a thread that is currently running, performing the following steps if a function to create a process or a function to load a library is called, examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, and determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions.
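The two checks the claim and abstract describe, written out as an added C example (not code from the patent or its assignee): the stack-pointer test against the thread information block's stack range, and a scanner for a first NOP run, candidate shell code, then a second NOP run. The stack bounds, stack pointer value and memory contents are constructed sample values; on Windows a host would read the bounds (StackBase and StackLimit) from the calling thread's TIB when the hooked process-creation or library-load function is entered.

```c
#include <stdint.h>
#include <stdio.h>

/* Stack bounds for the calling thread. Constructed here; on Windows a host
 * would read StackBase and StackLimit from the thread information block. */
typedef struct {
    uintptr_t stack_limit;   /* lowest valid stack address, inclusive */
    uintptr_t stack_base;    /* one past the highest stack address, exclusive */
} tib_stack_range;

/* Claim step: returns 1 (alert) when the stack pointer lies outside the
 * TIB's [limit, base) range, 0 when it is a normal in-stack pointer. */
int sp_outside_tib_stack(uintptr_t sp, const tib_stack_range *r)
{
    return !(sp >= r->stack_limit && sp < r->stack_base);
}

/* Claim step: scan memory for >= min_nops NOPs (0x90), then one or more
 * non-NOP bytes (candidate shell code), then a second run of >= min_nops
 * NOPs. Returns 1 and reports the candidate code (outputs may be NULL). */
int find_nop_sled_pattern(const uint8_t *mem, size_t len, size_t min_nops,
                          size_t *code_off, size_t *code_len)
{
    size_t i = 0;
    while (i < len) {
        size_t lead = 0, start, end, trail = 0;
        while (i + lead < len && mem[i + lead] == 0x90) lead++;
        if (lead < min_nops) { i += lead ? lead : 1; continue; }
        start = end = i + lead;                  /* first non-NOP byte */
        while (end < len && mem[end] != 0x90) end++;
        while (end + trail < len && mem[end + trail] == 0x90) trail++;
        if (end > start && trail >= min_nops) {
            if (code_off) *code_off = start;
            if (code_len) *code_len = end - start;
            return 1;
        }
        i = end;   /* keep scanning past this candidate */
    }
    return 0;
}

int main(void)
{   /* Constructed sample: SP far below the stack, 16 NOPs + 4 placeholder code bytes + 16 NOPs */
    tib_stack_range r = { 0x7ff00000u, 0x80000000u };
    uint8_t mem[36]; size_t off, n, k;
    for (k = 0; k < 36; k++) mem[k] = (k >= 16 && k < 20) ? 0xCC : 0x90;
    if (sp_outside_tib_stack(0x00401f00u, &r)) puts("possible exploit: stack pointer outside TIB stack range");
    if (find_nop_sled_pattern(mem, sizeof mem, 8, &off, &n)) printf("NOP sled pattern: %zu code bytes at offset %zu\n", n, off);
    return 0;
}
```

A single 0x90 byte inside the candidate code ends the scanned run early, so `min_nops` should be tuned to the sled lengths the host expects rather than set very low.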
5 Claims
Claim 1, the independent claim, is reproduced above under First Claim; claims 2, 3, 4 and 5 depend on it.