Computer exploit detection using heap spray pattern matching
Abstract
According to one embodiment, a threat detection system is integrated with at least a dynamic analysis engine. The dynamic analysis engine is configured to automatically detect potential shellcode at a first storage location within a region of memory allocated for an application, conduct a first search at one or more storage locations prior to the first storage location within the region of allocated memory for at least one or more patterns, conduct a second search at one or more storage locations subsequent to the first storage location within the region of allocated memory for at least one or more patterns, detect a first pattern at one or more storage locations prior to the first storage location within the region of allocated memory, and detect a second pattern at one or more storage locations subsequent to the first storage location within the region of allocated memory, wherein at least one of the first pattern or the second pattern is absent from a predefined list of patterns.
30 Claims

1. A computerized method, comprising:
determining whether an amount of memory allocated for an application exceeds a predetermined threshold;
responsive to determining the amount of allocated memory exceeds the predetermined threshold, scanning a region of the allocated memory for a predefined number of a first pattern, wherein the predefined number appears in a contiguous manner, the region being less than an entirety of the allocated memory; and
responsive to detecting at least the predefined number of the first pattern in the contiguous manner, scanning a remainder of the allocated memory for a sequence of a first No Operation (NOP) sled and potential shellcode, wherein the remainder of the allocated memory excludes a subset of the allocated memory having a Read permission from the scanning of the region of the allocated memory for the predefined number of the first pattern, and the subset being less than an entirety of the allocated memory.
Dependent claims: 2, 3, 4, 5, 6, 7, 22, 23, 24, 25
8. A computerized method, comprising:
detecting potential shellcode at a first storage location within a region of memory allocated for an application;
conducting a first search, in a first direction, at one or more storage locations prior to the first storage location within the region of allocated memory for at least one or more patterns;
conducting a second search, in a second direction opposite the first direction, at one or more storage locations subsequent to the first storage location within the region of allocated memory for at least the one or more patterns, a first portion of the allocated memory having a Read permission being excluded from the second search, the first portion being less than an entirety of the allocated memory;
detecting a first pattern at one or more storage locations prior to the first storage location within the region of allocated memory; and
detecting a second pattern at one or more storage locations subsequent to the first storage location within the region of allocated memory, wherein at least one of the first pattern or the second pattern is absent from a predefined list of patterns, the first location being a location at which the potential shellcode begins, and the first direction being toward the beginning of the allocated memory.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 26
17. A system comprising:
one or more processors;
a storage module communicatively coupled to the one or more processors, the storage module includes logic to:
detect potential shellcode at a first storage location within a region of memory allocated for an application;
conduct a first search in a first direction at one or more storage locations prior to the first storage location within the region of allocated memory for at least one or more patterns;
conduct a second search in a second direction opposite the first direction at one or more storage locations subsequent to the first storage location within the region of allocated memory for at least the one or more patterns, a first portion of the allocated memory having a Read permission being excluded from the second search, the first portion being less than an entirety of the allocated memory;
detect a first pattern at one or more storage locations prior to the first storage location within the region of allocated memory; and
detect a second pattern at one or more storage locations subsequent to the first storage location within the region of allocated memory, wherein at least one of the first pattern or the second pattern is absent from a predefined list of patterns, the first location being a location at which the potential shellcode begins, and the first direction being toward the beginning of the allocated memory.
Dependent claims: 27
18. A computerized method, comprising:
determining an amount of memory allocated for an application exceeds a memory threshold for a prescribed time threshold;
responsive to the amount of memory allocated exceeding the memory threshold for the prescribed time threshold, performing a first scan of the amount of memory allocated for one or more patterns appearing on a predetermined blacklist;
responsive to detecting at least a predefined number of a first pattern of the one or more patterns appearing on the predetermined blacklist in the contiguous manner, performing a second scan of the amount of memory allocated for a sequence of a first No Operation (NOP) sled and potential shellcode, a first portion of the allocated memory having a Read permission being excluded from the second scan, the first portion being less than an entirety of the allocated memory; and
determining whether characteristics of a heap spray attack are present based on the first scan and the second scan.
Dependent claims: 28
19. A non-transitory computer-readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including:
determining whether an amount of memory allocated for an application exceeds a predetermined threshold for at least a predefined time threshold;
performing a first scan of the region of allocated memory for a predefined number of a first pattern appearing on a predetermined blacklist in response to determining the amount of allocated memory exceeds the predetermined threshold;
responsive to detecting at least the predefined number of the first pattern appearing on the predetermined blacklist, scanning a remainder of the region of allocated memory for a sequence of (i) a first No Operation (NOP) sled and (ii) potential shellcode, wherein the remainder of the allocated memory excludes a first portion of the allocated memory having a Read permission, the first portion being less than an entirety of the allocated memory; and
determining, based on the first scan and the scanning of the remainder of the region of allocated memory for a sequence of (i) the first No Operation (NOP) sled and (ii) the potential shellcode, whether characteristics of a heap spray attack have been detected.
Dependent claims: 29
20. A system comprising:
one or more processors;
a storage module communicatively coupled to the one or more processors, the storage module includes logic to:
determine an amount of allocated memory for an application exceeds a predetermined threshold for at least a prescribed time threshold;
perform a first scan of a region of allocated memory for one or more patterns appearing on a predetermined blacklist in response to determining the amount of allocated memory exceeds the predetermined threshold for at least the prescribed time threshold, the region being less than an entirety of the allocated memory;
responsive to detecting at least a predefined number of a first pattern of the one or more patterns appearing on the predetermined blacklist, scan a remainder of the allocated memory for a sequence of (i) a first No Operation (NOP) sled and (ii) potential shellcode, wherein the remainder of the allocated memory excludes a first portion of the allocated memory having a Read permission, the first portion being less than the entirety of the allocated memory; and
determine, based on the first scan and the scanning of the remainder of the region of allocated memory for a sequence of (i) the first No Operation (NOP) sled and (ii) the potential shellcode, whether characteristics of a heap spray attack have been detected.
Dependent claims: 21, 30
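The two-stage check that claims 1 and 18 describe (an allocation-size gate, a contiguous blacklist-pattern scan of a leading region, then a NOP-sled-plus-shellcode scan of the remainder with Read-permission-only pages excluded), as an added Python example written here rather than taken from the patent. The blacklist values, the page layout, the thresholds and the 0xCC placeholder bytes standing in for shellcode are constructed assumptions.

```python
# Constructed blacklist of spray filler patterns (4-byte units repeated across the heap).
BLACKLIST = [b"\x0c\x0c\x0c\x0c", b"\x0d\x0d\x0d\x0d", b"\x90\x90\x90\x90"]
NOP = 0x90  # x86 single-byte NOP used for the sled scan
# A page is a (bytes, read_only) tuple; read-only pages are skipped in the second scan.

def count_contiguous(region: bytes, pattern: bytes) -> int:
    """Longest run of back-to-back copies of `pattern` inside `region`."""
    best = run = i = 0
    while i + len(pattern) <= len(region):
        if region[i:i + len(pattern)] == pattern:
            run, i = run + 1, i + len(pattern)
            best = max(best, run)
        else:
            run, i = 0, i + 1
    return best

def find_sled_and_shellcode(data: bytes, min_sled: int = 16):
    """(sled_start, shellcode_start) of the first NOP run >= min_sled followed by non-NOP bytes, else None."""
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == NOP:
            j += 1
        if j - i >= min_sled and j < len(data):
            return i, j
        i = j + 1  # no sled here (or sled ran to the end of the page): move past it
    return None

def detect_heap_spray(pages, alloc_threshold, region_pages=2, min_repeats=32):
    """Stage 1: size gate + contiguous blacklist scan of a leading region; stage 2: sled+shellcode scan of the rest (read-only pages skipped)."""
    if sum(len(data) for data, _ in pages) <= alloc_threshold:
        return {"suspicious": False, "reason": "allocation below threshold"}
    region = b"".join(data for data, _ in pages[:region_pages])
    hit = next((p for p in BLACKLIST if count_contiguous(region, p) >= min_repeats), None)
    if hit is None:
        return {"suspicious": False, "reason": "no contiguous blacklist pattern"}
    for idx in range(region_pages, len(pages)):
        data, read_only = pages[idx]
        if read_only:
            continue
        found = find_sled_and_shellcode(data)
        if found:
            return {"suspicious": True, "pattern": hit, "page": idx, "sled_start": found[0], "shellcode_start": found[1]}
    return {"suspicious": False, "reason": "pattern present but no sled+shellcode", "pattern": hit}

def sample_pages():
    """Constructed heap image: two sprayed pages, a read-only page holding a sled (must be skipped), then a sled + placeholder bytes."""
    filler = b"\x0c\x0c\x0c\x0c" * 64            # 256 bytes = 64 contiguous copies of 0x0c0c0c0c
    sled_then_code = b"\x90" * 32 + b"\xcc" * 8  # 0xCC (int3) stands in for shellcode bytes
    return [(filler, False), (filler, False), (sled_then_code, True), (sled_then_code, False)]
```

The read-only page carrying the same sled is deliberately skipped, so the hit is reported on the last page only, which is the behaviour the Read-permission exclusion in the claims asks for.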
Specification