System and method to mitigate malicious calls
Abstract
Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to receive a function call, determine the location of a memory page that initiated the function call, determine if the memory page is associated with a trusted module, and block the function call if the memory page is not associated with the trusted module. In addition, the system can determine the return address for the function call and block the function call if the return address does not belong to the trusted module. Further, the system can determine a parameter for the function call, determine if the parameter is a known parameter used by the process that called the function, and block the function call if the parameter is not the known parameter used by the process that called the function.
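As an added illustration of the three checks the abstract describes (this is not code from the patent or its assignee; the module map, addresses and exit codes are constructed sample values), the caller's memory page and the return address are each mapped to a loaded module, and the call is blocked unless both fall inside a trusted module and the parameter is one the process is known to use.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """A loaded module: its address range and whether the monitor trusts it (constructed)."""
    name: str
    base: int
    size: int
    trusted: bool

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def module_for(addr: int, modules):
    """Map an address (a caller's page or a return address) to the module covering it."""
    return next((m for m in modules if m.contains(addr)), None)


def evaluate_call(caller_page: int, return_addr: int, param, modules, known_params):
    """Apply the abstract's three checks in order; return (blocked, reason)."""
    page_mod = module_for(caller_page, modules)
    if page_mod is None or not page_mod.trusted:
        return True, "memory page not in trusted module"
    ret_mod = module_for(return_addr, modules)
    if ret_mod is None or not ret_mod.trusted:
        return True, "return address not in trusted module"
    if param not in known_params:
        return True, "parameter not known to process"
    return False, "allowed"


# Constructed sample memory map: an executable, a system DLL, and an untrusted region.
MODULES = (
    Module("app.exe", 0x00400000, 0x00100000, True),
    Module("kernel32.dll", 0x7FF00000, 0x00080000, True),
    Module("injected-region", 0x10000000, 0x00010000, False),
)
# Exit codes the sample process is known to pass to its exit-process call (constructed).
KNOWN_EXIT_CODES = frozenset({0, 1})


def demo():
    """Run the checks over four constructed call records."""
    return {
        "legit": evaluate_call(0x00401000, 0x00402010, 0, MODULES, KNOWN_EXIT_CODES),
        "untrusted_return": evaluate_call(0x00401000, 0x10000200, 0, MODULES, KNOWN_EXIT_CODES),
        "unmapped_caller": evaluate_call(0x00D00000, 0x00402010, 0, MODULES, KNOWN_EXIT_CODES),
        "odd_exit_code": evaluate_call(0x00401000, 0x00402010, 0xDEAD, MODULES, KNOWN_EXIT_CODES),
    }
```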
25 Claims
1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by a processor, perform a method comprising: receiving a function call from a security program, wherein the function call is an asynchronous procedure call; determining a return address for the function call on an operating system stack above an address of the function call; and pushing parameters on the operating system stack for a call for a dynamic link library to lead an operating system kernel back to restore a routine, if the return address does not belong to a trusted module.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. An apparatus, comprising: a processor configured to receive a function call from a security program, wherein the function call is an asynchronous procedure call; determine if a memory page is associated with a trusted module by determining a return address for the function call on an operating system stack above an address of the function call; and push parameters on the operating system stack for a call for a dynamic link library to lead an operating system kernel back to restore a routine, if the memory page is not associated with the trusted module.
Dependent claims: 11, 12, 13, 14, 15, 16.
17. A method, comprising: receiving an exit process function call from a process, wherein the exit process function call is an asynchronous procedure call; determining a parameter for the exit process function call; determining if the parameter is an exit code for the exit process function call used by the process, wherein the process identifies the exit code; and blocking the exit process function call if the parameter is not the exit code.
Dependent claims: 18, 19.
20. A system for mitigating malicious calls, the system comprising: a processor configured for receiving a function call from a security program, wherein the function call is an asynchronous procedure call; determining a return address for the function call on an operating system stack above an address of the function call; and pushing parameters on the operating system stack for a call for a dynamic link library to lead an operating system kernel back to restore a routine, if the return address does not belong to a trusted module.
Dependent claims: 21, 22, 23, 24, 25.