Computer system and method for preventing dynamic-link library injection attack
Abstract
A computer system and method for preventing a Dynamic-Link Library (DLL) injection attack are provided. The computer system monitors an operation where a process attempts to dynamically link an executable code library to another process, and intercepts the dynamic link of the executable code library.
15 Claims
1. A computer system comprising:

- a monitoring unit configured to monitor an injection operation by which a first process attempts to dynamically link an executable code library to a second process, the monitoring unit comprising a connection checking unit configured to determine that the injection operation occurs by determining that the first process attempts to create a thread in the second process, and by determining that a function of the created thread that is yet to be executed by the second process will cause the second process to load the executable code library to the second process; and
- an intercept unit configured to intercept the dynamic link of the executable code library in response to the injection operation occurring,

wherein the connection checking unit further checks whether the second process differs from the first process and whether a parameter of the function to be executed by the thread is a name of the executable code library, wherein the connection checking unit further checks whether the second process differs from the first process and whether a parameter of the function to be executed by the thread is a name of the executable code library.

(Dependent claims 2, 3, 4, 5, 6 and 7 are not reproduced on this page.)

8. A method of preventing a library injection attack in a computer system, the method comprising:

- monitoring an injection operation by which a first process attempts to dynamically link an executable code library to a second process, the monitoring comprising determining that the injection operation occurs by determining that the first process attempts to create a thread in the second process, and by determining that a function of the created thread that is yet to be executed by the second process will cause the second process to load the executable code library to the second process; and
- intercepting the dynamic link of the executable code library in response to the injection operation occurring,

wherein the monitoring further checks whether the second process differs from the first process and whether a parameter of the function to be executed by the thread is a name of the executable code library.

(Dependent claims 9, 10, 11, 12 and 13 are not reproduced on this page.)

14. A non-transitory computer-readable storage medium storing a program to cause a processor to execute a method of preventing a library injection attack in a computer system, the method comprising:

- monitoring an injection operation by which a first process attempts to dynamically link an executable code library to a second process, the monitoring comprising determining that the injection operation occurs by determining that the first process attempts to create a thread in the second process, and by determining that a function of the thread that is yet to be executed by the second process will cause the second process to load the executable code library to the second process; and
- intercepting the link of the executable code library in response to the injection operation occurring,

wherein the monitoring further checks whether the second process differs from the first process and whether a parameter of the function to be executed by the thread is a name of the executable code library.

(Dependent claim 15 is not reproduced on this page.)
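The three conditions that claims 1, 8 and 14 require before the intercept unit acts (the thread is created in a different process, the thread's pending start routine loads a library, and that routine's parameter names the library) can be written down as a small decision function. The following is an added example and not code from the patent or its assignee. It assumes that a monitor elsewhere (a kernel callback or hook, not modelled here) has already produced a record of each remote-thread creation attempt with the start routine resolved to a name and its parameter read as a string; the set of loader function names uses real Win32 export names but is an assumed list, and the ".dll" suffix rule for "name of the executable code library" is a constructed criterion. The sample events are constructed, one per branch of the check.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the monitor resolves the start routine of the thread being created
# in the target process to one of these Win32 loader entry points. The names are
# real Win32 exports; the set itself is an example list, not the patent's.
LIBRARY_LOADER_FUNCTIONS = frozenset({
    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
})

# Assumption: a parameter "is a name of the executable code library" when it
# names a DLL file. The .dll extension is the constructed criterion used here.
LIBRARY_EXTENSIONS = (".dll",)


@dataclass(frozen=True)
class ThreadCreationEvent:
    """One observed attempt by source_pid to create a thread in target_pid.

    start_function: name of the routine the new thread will run (yet to execute).
    parameter:      argument that routine will receive, as a string if the
                    monitor could read it, otherwise None.
    """
    source_pid: int
    target_pid: int
    start_function: str
    parameter: Optional[str]


def is_library_name(parameter: Optional[str]) -> bool:
    """Return True when the thread parameter names an executable code library."""
    if not parameter:
        return False
    return parameter.strip().lower().endswith(LIBRARY_EXTENSIONS)


def is_injection(event: ThreadCreationEvent) -> bool:
    """Connection-checking logic of the claims: all three conditions must hold.

    1. the thread is created in a process other than the creating process;
    2. the routine the thread will run loads an executable code library;
    3. that routine's parameter is the name of the library to load.
    """
    crosses_process = event.target_pid != event.source_pid
    loads_library = event.start_function in LIBRARY_LOADER_FUNCTIONS
    return crosses_process and loads_library and is_library_name(event.parameter)


def decide(event: ThreadCreationEvent) -> str:
    """Intercept unit: block the dynamic link only when the injection pattern is seen.

    Everything else is allowed, so a process linking a plug-in into itself or
    starting an ordinary worker thread is not disturbed.
    """
    return "intercept" if is_injection(event) else "allow"


# Constructed sample events (not real telemetry): one per branch of the check.
SAMPLE_EVENTS: List[ThreadCreationEvent] = [
    # remote thread whose routine is a loader and whose argument is a DLL path
    ThreadCreationEvent(4120, 5532, "LoadLibraryW", r"C:\Users\Public\payload.dll"),
    # a process loading a plug-in into itself: same pid, so not an injection
    ThreadCreationEvent(5532, 5532, "LoadLibraryW", r"C:\Program Files\App\plugin.dll"),
    # remote thread running an ordinary routine: outside the claimed pattern
    ThreadCreationEvent(4120, 5532, "WorkerThreadMain", None),
    # loader routine in another process, but the argument is not a library name
    ThreadCreationEvent(4120, 5532, "LoadLibraryExW", "not-a-library"),
]


def evaluate(events: List[ThreadCreationEvent]) -> List[Tuple[int, int, str]]:
    """Return (source_pid, target_pid, decision) for each event, in order."""
    return [(e.source_pid, e.target_pid, decide(e)) for e in events]


if __name__ == "__main__":
    for src, dst, verdict in evaluate(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {verdict}")
```

Only the first sample event is intercepted. The second is allowed because the creating and target process are the same, and the third and fourth are allowed because the claimed check is a narrow gate: it fires only when a thread in another process is about to run a library-loading routine with a library name as its argument, so a remote thread with any other start routine, or a loader routine with an unreadable or non-library argument, falls outside what the claims cover and would need a separate policy.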
Specification