System and method for intercepting process creation events

US 9,195,823 B1
Filed: 01/13/2014
Issued: 11/24/2015
Est. Priority Date: 11/30/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of detecting creation of processes, the method comprising:

injecting an interceptor module into a native operating system process;

replacing, with the interceptor module, an address of a selected routine in an address table with an address to an interceptor routine of the interceptor module such that the native operating system process is configured to call the interceptor routine in place of the selected routine during a creation of a second process;

obtaining at least one parameter from the native operating system process using the interceptor routine, wherein the at least one parameter corresponds to at least one characteristic of the second process;

analyzing the at least one parameter to determine whether the second process corresponds to a program of interest;

controlling the second process in response to determining that the second process corresponds to the program of interest;

saving the at least one parameter;

causing the second process to terminate;

creating a third process having the at least one parameter;

wherein the step of obtaining at least one parameter further comprises obtaining a name of the second process; and

wherein the second process is a browser process and wherein the controlling the second process comprises reducing functionality of the browser process.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting creation of a program instance includes an interceptor routine that obtains a parameter corresponding to a characteristic of a program instance and an interceptor module that can be injected into a native operating system process. In certain examples, the interceptor module can replace an address of a selected routine in an address table with an address to the interceptor routine, such that the native operating system process can call the interceptor routine in place of the selected routine. Additionally, the system can include a comparison module that compares the parameter to a set of identified programs to determine whether the program instance corresponds to at least one of the identified programs. The system can also include a security module that can modify execution of the program instance based at least in part on a determination that the program instance corresponds to at least one identified program.

21 Citations

View as Search Results

24 Claims

1. A computer-implemented method of detecting creation of processes, the method comprising:
- injecting an interceptor module into a native operating system process;
  
  replacing, with the interceptor module, an address of a selected routine in an address table with an address to an interceptor routine of the interceptor module such that the native operating system process is configured to call the interceptor routine in place of the selected routine during a creation of a second process;
  
  obtaining at least one parameter from the native operating system process using the interceptor routine, wherein the at least one parameter corresponds to at least one characteristic of the second process;
  
  analyzing the at least one parameter to determine whether the second process corresponds to a program of interest;
  
  controlling the second process in response to determining that the second process corresponds to the program of interest;
  
  saving the at least one parameter;
  
  causing the second process to terminate;
  
  creating a third process having the at least one parameter;
  
  wherein the step of obtaining at least one parameter further comprises obtaining a name of the second process; and
  
  wherein the second process is a browser process and wherein the controlling the second process comprises reducing functionality of the browser process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the native operating system process is a Client/Server Runtime Subsystem Service (csrss.exe) process in a Microsoft Windows®
    - operating system.
  - 3. The method of claim 1, wherein the native operating system process is a Local Security Authority Subsystem Service (lsass.exe) process in a Microsoft Windows®
    - operating system.
  - 4. The method of claim 1, wherein controlling the second process comprises creating a security token for the second process.
  - 5. The method of claim 4, wherein creating the security token for the second process comprises providing administrator access rights to the security token.
  - 6. The method of claim 1, wherein the address table is an import table of a software library configured to be linked into the native operating system process.
  - 7. The method of claim 1, wherein obtaining the at least one parameter comprises reading at least one routine parameter passed into the interceptor routine.
  - 8. The method of claim 1, wherein analyzing at least one parameter comprises comparing the name of the second process to a whitelist of program names of a plurality of programs of interest.
  - 9. The method of claim 1, wherein the interceptor module analyzes the at least one parameter.
  - 10. The method of claim 1, wherein the interceptor module controls the second process.
  - 11. The method of claim 1, further comprising receiving policies from a management server remote to a computing device comprising the native operating system process and the interceptor module, the policies providing rules for controlling the second process.

12. A system for detecting creation of a program instance, the system comprising:
- a processor;
  
  an interceptor routine configured to obtain at least one parameter corresponding to at least one characteristic of a program instance;
  
  an interceptor module configured to be injected into a native operating system process, the interceptor module further configured to replace an address of a selected routine in an address table with an address to the interceptor routine, such that the native operating system process calls the interceptor routine in place of the selected routine during creation of the program instance;
  
  a comparison module configured to compare the at least one parameter to a set of identified programs to determine whether the program instance corresponds to at least one of the identified programs;
  
  a security module configured to modify execution of the program instance based at least in part on a determination that the program instance corresponds to at least one identified program;
  
  wherein the at least one parameter obtained by the interceptor routine comprises a name of the program instance; and
  
  wherein the interceptor module, the comparison module, and the security module are implemented by a computer system comprising computer hardware; and
  
  wherein the program instance is a browser process and wherein the security module controls the browser process by reducing functionality of the browser process.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the native operating system process is a Client/Server Runtime Subsystem Service (csrss.exe) process in a Microsoft Windows®
    - operating system.
  - 14. The system of claim 12, wherein the native operating system process is a Local Security Authority Subsystem Service (lsass.exe) process in a Microsoft Windows®
    - operating system.
  - 15. The system of claim 12, wherein the security module comprises the comparison module.
  - 16. The system of claim 12, wherein the interceptor module comprises the comparison module.
  - 17. The system of claim 12, wherein the security module is further configured to inject the interceptor module into the native operating system process.
  - 18. The system of claim 12, wherein the security module is further configured to create a security token for the program instance in response to determining that the program instance corresponds to at least one identified program.
  - 19. The system of claim 12, wherein the security module is further configured to analyze the information about the program instance by comparing at least a portion of the at least one parameter to a list of program names.
  - 20. The system of claim 12, wherein the interceptor module is further configured to:
    - store the address of the selected routine; and
      
      restore the address of the selected routine to the address table upon completion of the interceptor routine.
  - 21. The system of claim 12, further comprising a management server in network communication with a computing device executing the native operating system process, the management server further comprising policies providing rules for modify execution of the program instance.
  - 22. The system of claim 21, wherein the security module is further configured to receive the policies from the management server.

23. A system for detecting process creation events, the system comprising:
- means for obtaining at least one parameter from a native operating system process, wherein the at least one parameter corresponds to at least one characteristic of a second process;
  
  means for replacing an address of a selected routine in an address table with an address to the means for obtaining such that the native operating system process calls themeans for obtaining in place of the selected routine during a creation of the second process;
  
  means for injecting said means for replacing into the native operating system process;
  
  means for analyzing the at least one parameter to determine whether the second process corresponds to a predetermined program; and
  
  means for controlling the second process in response to determining that the second process corresponds to the predetermined program;
  
  means for saving the at least one parameter;
  
  means for causing the second process to terminate;
  
  means for creating a third process having the at least one parameter;
  
  wherein means for obtaining at least one parameter from a native operating system process further comprises obtaining a name of the second process; and
  
  wherein the second process is a browser process and wherein the means for controlling the second process comprises reducing functionality of the browser process.
- View Dependent Claims (24)
- - 24. The system of claim 23, wherein the means for controlling the second process creates a security token for the second process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Dell Software, Inc. (Dell Technologies Inc.)
Inventors
Andreyev, Ivan Sergeevich, Artyom, Agafonov, Binotto, Alessandro, Gostev, Anton
Primary Examiner(s)
Truong, Lechi

Application Number

US14/153,607
Time in Patent Office

680 Days
Field of Search

719/328
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 2209/542   Intercept

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 9/54   Interprogram communication

G06F 9/545   where tasks reside in diffe...

System and method for intercepting process creation events

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for intercepting process creation events

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links