Identifying malicious threads
First Claim
1. A computer-implemented method to terminate a malicious thread, the method executed by a data processing apparatus and comprising:
identifying, in computer memory, a memory heap assigned to a particular computer process, the memory heap comprising a plurality of memory heap blocks;
determining that a particular one of the plurality of memory heap blocks is a malicious memory heap block added by a malicious source to the memory block assigned to the particular computer process;
identifying that one or more threads have a start address that resides within the malicious memory heap block, the one or more threads comprising a subset of a plurality of threads;
performing an analysis on each thread in the subset of threads based on each thread in the subset having a start address within the malicious memory heap block, to determine, for each of the threads in the subset, whether the thread is a malicious thread injected into the particular computer process by malware, the analysis comprising, for each of the threads in the subset, identifying a signature for the thread and comparing the signature for the thread to signatures of known malicious threads, the particular computer process comprising a non-malicious process, and at least one of the subset of threads is a non-malicious thread of the particular computer process; and
terminating threads in the subset of threads determined through the analysis to be malicious, where the at least one non-malicious thread is preserved.
10 Assignments
0 Petitions
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for identifying and processing malicious threads. In one aspect, a method includes identifying a memory heap block; identifying threads that reside in the memory heap block; determining whether at least one of the identified threads in the memory heap block is a malicious thread; and, in response to determining that at least one of the identified threads is a malicious thread, terminating each of the identified threads.
16 Citations
7 Claims
1. A computer-implemented method to terminate a malicious thread, the method executed by a data processing apparatus and comprising:
identifying, in computer memory, a memory heap assigned to a particular computer process, the memory heap comprising a plurality of memory heap blocks;
determining that a particular one of the plurality of memory heap blocks is a malicious memory heap block added by a malicious source to the memory block assigned to the particular computer process;
identifying that one or more threads have a start address that resides within the malicious memory heap block, the one or more threads comprising a subset of a plurality of threads;
performing an analysis on each thread in the subset of threads based on each thread in the subset having a start address within the malicious memory heap block, to determine, for each of the threads in the subset, whether the thread is a malicious thread injected into the particular computer process by malware, the analysis comprising, for each of the threads in the subset, identifying a signature for the thread and comparing the signature for the thread to signatures of known malicious threads, the particular computer process comprising a non-malicious process, and at least one of the subset of threads is a non-malicious thread of the particular computer process; and
terminating threads in the subset of threads determined through the analysis to be malicious, where the at least one non-malicious thread is preserved.
Dependent claims: 2, 3

4. At least one non-transitory computer storage medium encoded with instructions to terminate a malicious thread, where the instructions, when executed by data processing apparatus, cause the data processing apparatus to:
identify, in memory, a memory heap assigned to a particular computer process, the memory heap to comprise a plurality of memory heap blocks;
determine that a particular one of the plurality of memory heap blocks is a malicious memory heap block added by a malicious source to the memory block assigned to the particular computer process;
identify that one or more threads have a start address that resides within the malicious memory heap block, the one or more threads to comprise a subset of a plurality of threads;
perform an analysis on each thread in the subset of threads based on each thread in the subset having a start address within the malicious memory heap block, to determine, for each of the threads in the subset, whether the thread is a malicious thread injected into the particular computer process by malware, the analysis comprising, for each of the threads in the subset, identifying a signature for the thread and comparing the signature for the thread to signatures of known malicious threads, where the particular computer process is a non-malicious process, and at least one of the subset of threads is a non-malicious thread of the particular computer process; and
terminate threads in the subset of threads determined through the analysis to be malicious, where the at least one non-malicious thread is to be preserved.
Dependent claims: 5, 6

7. A system comprising:
at least one data processing apparatus;
at least one computer memory device; and
protection code to terminate a malicious thread, the protection code executable by the at least one data processing apparatus to:
identify, in memory, a memory heap assigned to a particular computer process, the memory heap comprising a plurality of memory heap blocks;
determine that a particular one of the plurality of memory heap blocks is a malicious memory heap block added by a malicious source to the memory block assigned to the particular computer process;
identify that one or more threads have a start address that resides within the malicious memory heap block, the one or more threads comprising a subset of a plurality of threads;
perform an analysis on each thread in the subset of threads based on each thread in the subset having a start address within the malicious memory heap block, to determine, for each of the threads in the subset, whether the thread is a malicious thread injected into the particular computer process by malware, the analysis comprising, for each of the threads in the subset, identifying a signature for the thread and comparing the signature for the thread to signatures of known malicious threads, where the particular computer process is a non-malicious process, and at least one of the subset of threads is a non-malicious thread of the particular computer process; and
terminate threads in the subset of threads determined through the analysis to be malicious, where the at least one non-malicious thread is to be preserved.

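The procedure recited in claims 1, 4 and 7 (and summarised in the abstract), worked through on constructed data as an added Python example. This is not code from the patent or from any product implementing it. It assumes two things the claims leave open: that a heap block can already be flagged as having been added from outside the process (the `foreign` field, set by hand here), and that a thread's "signature" is a SHA-256 hash of the first 16 bytes at its start address. `HeapBlock`, `Thread`, `triage_threads`, the sample stubs and the thread IDs are all made up for the example.

```python
"""Triage of threads whose start address lies in a foreign heap block.

Added example, not the patent's code. Heap blocks, threads and the set of
known-malicious signatures are constructed in-memory so it runs offline.
"""
import hashlib
from dataclasses import dataclass

SIG_LEN = 16  # bytes hashed at the thread start address (assumed signature scheme)


@dataclass(frozen=True)
class HeapBlock:
    base: int
    size: int
    data: bytes      # constructed block contents
    foreign: bool    # assumed flag: the block was added to the heap by an outside source

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Thread:
    tid: int
    start_address: int


def thread_signature(block: HeapBlock, thread: Thread) -> str:
    """Signature = SHA-256 of the first SIG_LEN bytes at the thread's start address."""
    off = thread.start_address - block.base
    return hashlib.sha256(block.data[off:off + SIG_LEN]).hexdigest()


def triage_threads(heap, threads, known_malicious):
    """Follow the claim: select the foreign block(s), take only threads whose start
    address lies inside one, signature-check that subset, and return
    (tids to terminate, tids preserved, tids never analysed)."""
    foreign = [b for b in heap if b.foreign]
    terminate, preserve, untouched = [], [], []
    for t in threads:
        block = next((b for b in foreign if b.contains(t.start_address)), None)
        if block is None:
            untouched.append(t.tid)   # outside the subset; the claim never analyses it
            continue
        if thread_signature(block, t) in known_malicious:
            terminate.append(t.tid)
        else:
            preserve.append(t.tid)    # in the suspicious block, but no signature match
    return terminate, preserve, untouched


# Constructed sample: a payload stub and a benign stub placed in the same foreign block.
PAYLOAD_STUB = bytes(range(0xE0, 0xF0))   # stands in for an injected payload's first bytes
BENIGN_STUB = bytes(range(0x10, 0x20))    # stands in for legitimate code in the same block


def build_sample():
    foreign_block = HeapBlock(
        base=0x20000, size=0x200, foreign=True,
        data=PAYLOAD_STUB + b"\x00" * 0xF0 + BENIGN_STUB + b"\x00" * 0xF0,
    )
    own_block = HeapBlock(base=0x10000, size=0x1000, foreign=False, data=bytes(0x1000))
    threads = [
        Thread(tid=100, start_address=0x401000),  # starts in the image, in no heap block
        Thread(tid=200, start_address=0x10040),   # starts in the process's own heap block
        Thread(tid=300, start_address=0x20000),   # starts on the payload stub (foreign block)
        Thread(tid=400, start_address=0x20100),   # starts on benign code in the same block
    ]
    known_malicious = {hashlib.sha256(PAYLOAD_STUB).hexdigest()}
    return [own_block, foreign_block], threads, known_malicious


if __name__ == "__main__":
    heap, threads, known = build_sample()
    kill, keep, skip = triage_threads(heap, threads, known)
    print("terminate:", kill, "preserve:", keep, "not analysed:", skip)
```

Two practitioner caveats. First, the claim only ever analyses threads whose start address falls inside the flagged block, so a non-malicious thread that happens to start there (tid 400 above) is analysed and kept, while everything else is never looked at; the abstract's broader variant would instead terminate every thread in the block once one matches. Second, the decision rests entirely on the signature database and on the reported start address, and an injected thread can be arranged to report a start address in legitimate code, so this check is a filter, not proof of absence.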
Specification