Computer system and method for preventing dynamic-link library injection attack

US 8,966,511 B2
Filed: 09/20/2010
Issued: 02/24/2015
Est. Priority Date: 01/18/2010
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

a monitoring unit configured to monitor an injection operation by which a first process attempts to dynamically link an executable code library to a second process, the monitoring unit comprising a connection checking unit configured to determine that the injection operation occurs by determining that the first process attempts to create a thread in the second process, and by determining that a function of the created thread that is yet to be executed by the second process, will cause the second process to load the executable code library to the second process; and

an intercept unit configured to intercept the dynamic link of theexecutable code library in response to the injection operation occurring,wherein the connection checking unit further checks whether the second process differs from the first process and whether a parameter of the function to be executed by the thread is a name of the executable code library,wherein the connection checking unit further checks whether the second process differs from the first process and whether a parameter of the function to be executed by the thread is name of the executable code library.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system and method for preventing a Dynamic-Link Library (DLL) injection attack are provided. The computer system monitors an operation where a process attempts to dynamically link an executable code library to another process, and intercepts the dynamic link of the executable code library.

37 Citations

View as Search Results

15 Claims

1. A computer system comprising:
- a monitoring unit configured to monitor an injection operation by which a first process attempts to dynamically link an executable code library to a second process, the monitoring unit comprising a connection checking unit configured to determine that the injection operation occurs by determining that the first process attempts to create a thread in the second process, and by determining that a function of the created thread that is yet to be executed by the second process, will cause the second process to load the executable code library to the second process; and
  
  an intercept unit configured to intercept the dynamic link of theexecutable code library in response to the injection operation occurring,wherein the connection checking unit further checks whether the second process differs from the first process and whether a parameter of the function to be executed by the thread is a name of the executable code library,wherein the connection checking unit further checks whether the second process differs from the first process and whether a parameter of the function to be executed by the thread is name of the executable code library.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer system of claim 1, wherein the monitoring unit further comprises a call determination unit configured to determine whether a thread creation function is called, andthe parameter of the function is obtained by function hooking at a point in time when the thread creation function is called.
  - 3. The computer system of claim 1, wherein the intercept unit comprises:
    - a termination unit configured to terminate a thread that is created in association with the injection operation.
  - 4. The computer system of claim 1, wherein the intercept unit terminates a thread created in association with the injection operation and intercepts the link.
  - 5. The computer system of claim 1, further comprising:
    - an interface unit to receive a user'"'"'s input and to determine whether to operate the monitoring unit based on the user'"'"'s input.
  - 6. The computer system of claim 1, further comprising:
    - an interface unit to output information about an occurrence of the injection operation using an output device.
  - 7. The computer system of claim 1, wherein the executable code library comprises a Dynamic Link Library (DLL) and the injection operation comprises a DLL injection.

8. A method of preventing a library injection attack in a computer system, the method comprising:
- monitoring an injection operation by which a first process attempts to dynamically link an executable code library to a second process, the monitoring comprising determining that the injection operation occurs by determining that the first process attempts to create a thread in the second process, and by determining that a function of the created thread that is yet to be executed by the second process, will cause the second process to load the executable code library to the second process; and
  
  intercepting the dynamic link of the executable code library in response to the injection operation occurring,wherein the monitoring further checks whether the second process differs from the first process and whether a parameter of the function to be executed by the thread is name of the executable code library.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the monitoring further comprises determining whether a thread creation function is called, andthe parameter of the function is obtained by function hooking at a point in time when the thread creation function is called.
  - 10. The method of claim 8, wherein the intercepting comprises terminating a thread that is created in association with the injection operation.
  - 11. The method of claim 8, wherein the intercepting comprises terminating a thread created in association with the injection operation, and intercepting the link.
  - 12. The method of claim 8, further comprising:
    - determining whether to monitor the injection operation based on a user'"'"'s input.
  - 13. The method of claim 8, further comprising:
    - outputting information concerning an occurrence of the injection operation using an output device.

14. A non-transitory computer-readable storage medium storing a program to cause a processor to execute a method of preventing a library injection attack in a computer system, the method comprising:
- monitoring an injection operation by which a first process attempts to dynamically link an executable code library to a second process, the monitoring comprising determining that the injection operation occurs by determining that the first process attempts to create a thread in the second process, and by determining that a function of the thread that is yet to be executed by the second process, will cause the second process to load the executable code library to the second process; and
  
  intercepting the link of the executable code library in response to the injection operation occurring,wherein the monitoring further checks whether the second process differs from the first process and whether a parameter of the function to be executed by the thread is name of the executable code library.
- View Dependent Claims (15)
- - 15. The computer readable storage medium of claim 14, wherein the monitoring further comprises determining whether a thread creation function is called, andthe parameter of the function is obtained by function hooking at a point in time when the thread creation function is called.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
Kim, Eun Ah, Jin, Weon Il, Kim, Hwan Joon
Primary Examiner(s)
Anya, Charles E

Application Number

US12/885,695
Publication Number

US 20110179430A1
Time in Patent Office

1,618 Days
Field of Search

719/331, 726/22, 726/26
US Class Current

719/331
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 9/44521 Dynamic linking or loading;...

Computer system and method for preventing dynamic-link library injection attack

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system and method for preventing dynamic-link library injection attack

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links