System, method, and computer program product for monitoring and/or analyzing at least one aspect of an invocation of an interface

US 9,824,215 B2
Filed: 05/01/2015
Issued: 11/21/2017
Est. Priority Date: 01/24/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

identifying execution of an interface, including identifying by utilizing a callback function that a code segment internal to the interface has been executed;

in response to the execution of the interface, determining whether the interface was executed as a result of executing a defined entry point of the interface, the entry point located logically before the code segment;

determining that the execution of the interface is malicious based upon the determination that the interface was executed as a result of executing the code segment prior to executing the defined entry point of the interface; and

in response to the determination that the execution is malicious, initiating an action including at least one of;

preventing further execution of the interface;

transmitting an alert;

orrecording information associated with the execution of the interface.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided. In use, execution of a portion of internal code of an interface is identified. Further, in response to the execution of the portion of internal code, at least one aspect of an invocation of the interface is monitored and/or analyzed.

38 Citations

View as Search Results

20 Claims

1. A method, comprising:
- identifying execution of an interface, including identifying by utilizing a callback function that a code segment internal to the interface has been executed;
  
  in response to the execution of the interface, determining whether the interface was executed as a result of executing a defined entry point of the interface, the entry point located logically before the code segment;
  
  determining that the execution of the interface is malicious based upon the determination that the interface was executed as a result of executing the code segment prior to executing the defined entry point of the interface; and
  
  in response to the determination that the execution is malicious, initiating an action including at least one of;
  
  preventing further execution of the interface;
  
  transmitting an alert;
  
  orrecording information associated with the execution of the interface.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1, further comprising predetermining that the code segment is to be monitored for execution with respect to the entry point.
  - 3. The method as recited in claim 1, wherein the code segment is determined during runtime by:
    - determining a starting address of the interface; and
      
      determining a size of the interface.
  - 4. The method as recited in claim 1, and further comprising determining whether the execution is malicious further based upon whether the interface includes a single entry point.
  - 5. The method as recited in claim 1, further comprising determining whether the execution of the code segment is malicious based upon a determination that the entry point of the interface was not invoked.
  - 6. The method as recited in claim 1, further comprisingverifying the callback function by determining whether a memory address associated with the callback function is located within code of the interface.

7. A computer program product embodied on a non-transitory computer readable medium, comprising instructions that, when loaded and executed by a processor, cause the processor to:
- identify execution of an interface, including identifying by utilization of a callback function that a code segment internal to the interface has been executed;
  
  in response to the execution of the interface, determine whether the interface was executed as a result of execution of a defined entry point of the interface, the entry point located logically before the code segment;
  
  determine that the execution of the interface is malicious based upon the determination that the interface was executed as a result of execution of the code segment prior to the execution of the defined entry point of the interface; and
  
  in response to the determination that the execution is malicious, initiate an action, the action including at least one of;
  
  prevention of further execution of the interface;
  
  transmission of an alert;
  
  orrecordation of information associated with the execution of the interface.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 7, further comprising instructions for causing the processor to predetermine that the code segment is to be monitored for execution with respect to the entry point.
  - 10. The computer program product of claim 7, further comprising instructions for causing the processor to determine the code segment to be monitored during runtime by:
    - determining a starting address of the interface; and
      
      determining a size of the interface.
  - 11. The computer program product of claim 7, further comprising instructions for causing the processor to determine whether the execution is malicious further based upon whether the interface includes a single entry point.
  - 12. The computer program product of claim 7, further comprising instructions for causing the processor to determine whether the execution is malicious based upon a determination that the entry point of the interface was not invoked.
  - 13. The computer program product of claim 7, further comprising instructions for causing the processor to:
    - identify that another portion of internal code of the interface was invoked; and
      
      determine that the execution is malicious based at least upon an identification that the other portion of internal code was invoked prior to execution of the code segment;
      
      wherein the code segment is located logically before the other portion of internal code.
  - 14. The computer program product of claim 7, further comprising instructions for causing the processor toverify the callback function by determining whether a memory address associated with the callback function is located within code of the interface.

8. A system, comprising:
- a hardware processor;
  
  computer-readable instructions executable by the processor to identify execution of an interface by utilization of a callback function, including identifying that a code segment internal to the interface has been executed;
  
  in response to the execution of the interface, computer-readable instructions executable by the processor to determine whether the interface was executed as a result of execution of a defined entry point of the interface, the entry point located logically before the code segment;
  
  computer-readable instructions executable by the processor to determine that the execution of the interface is malicious based upon the determination that the interface was executed as a result of execution of the code segment prior to the execution of the defined entry point of the interface; and
  
  in response to the determination that the execution is malicious, computer-readable instructions executable by the processor to initiate an action, the action including at least one of;
  
  prevention of further execution of the interface;
  
  transmission of an alert;
  
  orrecordation of information associated with the execution of the interface.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 8, wherein the computer-readable instructions executable by the processor to identify execution of an interface is further executable by the processor to configure the system to predetermine that the code segment is to be monitored for execution with respect to the entry point.
  - 16. The system of claim 8, wherein the computer-readable instructions executable by the processor to identify execution of an interface is further executable by the processor to determine the code segment to be monitored during runtime by:
    - determining a starting address of the interface; and
      
      determining a size of the interface.
  - 17. The system of claim 8, wherein the computer-readable instructions executable by the processor to determine that the execution is malicious is further executable by the processor to determine whether the execution is malicious further based upon whether the interface includes a single entry point.
  - 18. The system of claim 8, wherein the computer-readable instructions executable by the processor to determine that the execution is malicious is further executable by the processor to determine whether the execution is malicious based upon a determination that the entry point of the interface was not invoked.
  - 19. The system of claim 8, wherein:
    - the computer-readable instructions executable by the processor to identify execution of an interface is further executable to identify that another portion of internal code of the interface was invoked; and
      
      the computer-readable instructions executable by the processor to determine that the execution is malicious is further executable to determine that the execution is malicious based at least upon an identification that the other portion of internal code was invoked prior to execution of the code segment;
      
      wherein the code segment is located logically before the other portion of internal code.
  - 20. The system of claim 8, wherein the computer-readable instructions executable by the processor to determine that the execution is malicious is further executable by the processor toverify the callback function by determining whether a memory address associated with the callback function is located within code of the interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Dalcher, Gregory William
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US14/701,728
Publication Number

US 20160026794A1
Time in Patent Office

935 Days
Field of Search

726 22- 25, 713187-188
US Class Current
CPC Class Codes

G06F 11/302   where the computing system ...

G06F 11/3051   Monitoring arrangements for...

G06F 11/3089   Monitoring arrangements det...

G06F 11/3604   Software analysis for verif...

G06F 11/3668   Software testing software t...

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 2221/033   Test or assess software

System, method, and computer program product for monitoring and/or analyzing at least one aspect of an invocation of an interface

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program product for monitoring and/or analyzing at least one aspect of an invocation of an interface

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links