System and method for intercepting process creation events
First Claim
1. A computer-implemented method of detecting creation of processes, the method comprising:
injecting an interceptor module into a native operating system process;
replacing, with the interceptor module, an address of a selected routine in an address table with an address to an interceptor routine of the interceptor module such that the native operating system process is configured to call the interceptor routine in place of the selected routine during a creation of a second process;
obtaining at least one parameter from the native operating system process using the interceptor routine, wherein the at least one parameter corresponds to at least one characteristic of the second process;
analyzing the at least one parameter to determine whether the second process corresponds to a program of interest;
controlling the second process in response to determining that the second process corresponds to the program of interest;
saving the at least one parameter;
causing the second process to terminate;
creating a third process having the at least one parameter;
wherein the step of obtaining at least one parameter further comprises obtaining a name of the second process; and
wherein the second process is a browser process and wherein the controlling the second process comprises reducing functionality of the browser process.
Abstract
A system for detecting creation of a program instance includes an interceptor routine that obtains a parameter corresponding to a characteristic of a program instance and an interceptor module that can be injected into a native operating system process. In certain examples, the interceptor module can replace an address of a selected routine in an address table with an address to the interceptor routine, such that the native operating system process can call the interceptor routine in place of the selected routine. Additionally, the system can include a comparison module that compares the parameter to a set of identified programs to determine whether the program instance corresponds to at least one of the identified programs. The system can also include a security module that can modify execution of the program instance based at least in part on a determination that the program instance corresponds to at least one identified program.
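As an added illustration of the flow the abstract describes (this is a constructed model, not code from the patent or its assignee), the following portable C treats the "address table" as a struct of routine pointers that the native process calls through, and processes as entries in a small table; the process names and the identified-program set are made up for the demonstration:

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model: a routine-pointer table stands in for an import address table. */
typedef int (*create_fn)(const char *name, bool reduced);
struct address_table { create_fn create_process; };

/* Constructed process table: each created instance gets an id (its index). */
struct proc { char name[32]; bool alive; bool reduced; };
static struct proc procs[16];
static int nprocs;

/* The selected routine: the native process's real "create process" entry. */
static int native_create(const char *name, bool reduced) {
    struct proc *p = &procs[nprocs];
    strncpy(p->name, name, sizeof p->name - 1);
    p->alive = true;
    p->reduced = reduced;
    return nprocs++;                                    /* returns the new process id */
}

static struct address_table table = { native_create };  /* the native process's table */
static create_fn original;                               /* saved so the hook can forward */
static char saved_name[32];                              /* "saving the at least one parameter" */
static const char *identified[] = { "browser.exe", "webview.exe" };  /* constructed set */

/* Comparison module: does the obtained name match a program of interest? */
static bool is_identified(const char *name) {
    for (size_t i = 0; i < sizeof identified / sizeof *identified; i++)
        if (strcmp(name, identified[i]) == 0) return true;
    return false;
}

/* Interceptor routine: the native process now calls this instead of the selected routine. */
static int interceptor_create(const char *name, bool reduced) {
    strncpy(saved_name, name, sizeof saved_name - 1);   /* obtain and save the parameter */
    int second = original(name, reduced);               /* the second process is created */
    if (!is_identified(name)) return second;            /* not of interest: leave it alone */
    procs[second].alive = false;                        /* security module: terminate it... */
    return original(saved_name, true);                  /* ...and create a third, reduced, process */
}

/* Interceptor module: replace the table entry, keeping the original address for forwarding. */
static void install_interceptor(struct address_table *t) {
    original = t->create_process;
    t->create_process = interceptor_create;
}

/* Simulates the native process creating a child by calling through its own table. */
static int native_spawn(const char *name) { return table.create_process(name, false); }
static bool proc_alive(int id)   { return procs[id].alive; }
static bool proc_reduced(int id) { return procs[id].reduced; }
```

The unhooked call path is the one every process takes before installation; after `install_interceptor`, only names in the identified set are terminated and recreated with the reduced flag set.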
24 Claims
1. (Independent claim; text identical to the First Claim given above.) Dependent claims: 2 to 11.
12. A system for detecting creation of a program instance, the system comprising:
a processor;
an interceptor routine configured to obtain at least one parameter corresponding to at least one characteristic of a program instance;
an interceptor module configured to be injected into a native operating system process, the interceptor module further configured to replace an address of a selected routine in an address table with an address to the interceptor routine, such that the native operating system process calls the interceptor routine in place of the selected routine during creation of the program instance;
a comparison module configured to compare the at least one parameter to a set of identified programs to determine whether the program instance corresponds to at least one of the identified programs;
a security module configured to modify execution of the program instance based at least in part on a determination that the program instance corresponds to at least one identified program;
wherein the at least one parameter obtained by the interceptor routine comprises a name of the program instance; and
wherein the interceptor module, the comparison module, and the security module are implemented by a computer system comprising computer hardware; and
wherein the program instance is a browser process and wherein the security module controls the browser process by reducing functionality of the browser process.
Dependent claims: 13 to 22.
23. A system for detecting process creation events, the system comprising:
means for obtaining at least one parameter from a native operating system process, wherein the at least one parameter corresponds to at least one characteristic of a second process;
means for replacing an address of a selected routine in an address table with an address to the means for obtaining such that the native operating system process calls the means for obtaining in place of the selected routine during a creation of the second process;
means for injecting said means for replacing into the native operating system process;
means for analyzing the at least one parameter to determine whether the second process corresponds to a predetermined program; and
means for controlling the second process in response to determining that the second process corresponds to the predetermined program;
means for saving the at least one parameter;
means for causing the second process to terminate;
means for creating a third process having the at least one parameter;
wherein means for obtaining at least one parameter from a native operating system process further comprises obtaining a name of the second process; and
wherein the second process is a browser process and wherein the means for controlling the second process comprises reducing functionality of the browser process.
Dependent claims: 24.