Detection and mitigation of malicious invocation of sensitive code
First Claim
1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor:
- identify regions of code in an extended page table that includes API code pages to be monitored;
- probe and lock code pages that include the identified regions of code;
- remap the code pages as executable in an alternate extended page table view only;
- detect a page load, wherein the page load is for a page that does not include the proper entry point of an API;
- determine, based on detecting the page load of the page that does not include the proper entry point of the API, from the extended page table whether the page is to be monitored; and
- generate, based on the determination that the page is to be monitored, an execution fault.
10 Assignments
0 Petitions
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to identify regions of code to be monitored, probe and lock code pages that include the identified regions of code, and remap the code pages as execute only to assist with the mitigation of malicious invocation of sensitive code. The code pages can be remapped as execute only in an alternate extended page table view to allow for the detection and mitigation of malicious invocation of sensitive code.
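The following is an added simulation of the monitoring logic described in the abstract and in claim 1; it is not code from the patent and assumes a simplified model with one default EPT view and one alternate view. Monitored API pages are non-executable in the default view, so any instruction fetch from them is an EPT violation (the "page load" of the claims); the handler consults the monitor table and either switches to the execute-only alternate view (fetch at the proper entry point) or raises an execution fault (fetch into a page or offset that is not the proper entry point).

```python
from dataclasses import dataclass, field

PAGE = 0x1000
DEFAULT_VIEW, ALT_VIEW = 0, 1   # ALT_VIEW: monitored pages are execute-only

@dataclass
class Monitor:
    # monitored page base -> proper API entry points that lie in that page
    # (continuation pages of a multi-page API carry an empty set)
    pages: dict = field(default_factory=dict)
    view: int = DEFAULT_VIEW
    faults: list = field(default_factory=list)

    def register_api(self, entry: int, size: int) -> None:
        """Stand-in for 'probe and lock': record every page the API spans
        in the EPT monitor table; only the first page holds the entry point."""
        first = entry & ~(PAGE - 1)
        last = (entry + size - 1) & ~(PAGE - 1)
        for base in range(first, last + PAGE, PAGE):
            self.pages.setdefault(base, set())
        self.pages[first].add(entry)

    def executable(self, base: int) -> bool:
        """Execute permission of a page as the CPU sees it in the current view."""
        monitored = base in self.pages
        return monitored if self.view == ALT_VIEW else not monitored

    def fetch(self, rip: int) -> str:
        """Simulate an instruction fetch at rip and return the monitor's decision."""
        base = rip & ~(PAGE - 1)
        if self.executable(base):
            return "run"                      # no EPT violation, nothing to decide
        # EPT execute violation: the 'page load' the claims refer to
        if self.view == ALT_VIEW:
            self.view = DEFAULT_VIEW          # control left the API: back to default view
            return "run"
        entries = self.pages.get(base)        # consult the EPT table: monitored page?
        if entries is None:
            return "run"
        if rip in entries:
            self.view = ALT_VIEW              # entered through the API's proper entry point
            return "run"
        self.faults.append(rip)               # page lacks the entry point, or mid-body entry
        return "execution-fault"

def demo() -> list:
    """Constructed scenario: a legitimate call through the entry point, then
    two direct jumps that bypass it (addresses are made up for illustration)."""
    m = Monitor()
    m.register_api(entry=0x7FF01010, size=0x1800)   # API spans two pages
    return [m.fetch(a) for a in (0x401000, 0x7FF01010, 0x7FF02040,
                                 0x401005, 0x7FF02040, 0x7FF01080)]
```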
20 Claims
1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor:
- identify regions of code in an extended page table that includes API code pages to be monitored;
- probe and lock code pages that include the identified regions of code;
- remap the code pages as executable in an alternate extended page table view only;
- detect a page load, wherein the page load is for a page that does not include the proper entry point of an API;
- determine, based on detecting the page load of the page that does not include the proper entry point of the API, from the extended page table whether the page is to be monitored; and
- generate, based on the determination that the page is to be monitored, an execution fault.

Dependent claims: 2, 3, 4, 5, 6, 7.
8. An apparatus comprising:
- memory; and
- a monitoring module in the memory configured to:
- identify regions of code in an extended page table that includes sensitive API code pages to be monitored;
- probe and lock code pages that include the identified regions of code;
- remap the code pages as executable in an alternate extended page table view only;
- detect a page load, wherein the page load is for loading a page that does not include the proper entry point of an API;
- determine, based on detecting the page load of the page that does not include the proper entry point of the API, from the extended page table whether the page is to be monitored; and
- generate, based on the determination that the page is to be monitored, an execution fault.

Dependent claims: 9, 10, 11, 12, 13.
14. A method comprising:
- identifying regions of code in an extended page table that includes API code pages to be monitored;
- probing and locking code pages that include the identified regions of code;
- remapping the code pages as executable in an alternate extended page table view only;
- detecting a page load, wherein the page load is for loading a page that does not include the proper entry point of an API;
- determining, based on detecting the page load of the page that does not include the proper entry point of the API, from the extended page table whether the page is to be monitored; and
- generating, based on the determination that the page is to be monitored, an execution fault.

Dependent claims: 15, 16, 17, 18.
19. A system for detecting and mitigating malicious invocation of sensitive code, the system comprising:
- memory; and
- a monitoring module in the memory configured for:
- identifying regions of code in an extended page table that includes API code pages to be monitored;
- probing and locking code pages that include the identified regions of code;
- remapping the code pages as executable in an alternate extended page table view only;
- detecting a page load, wherein the page load is for a page that does not include the proper entry point of an API;
- determining, based on detecting the page load of the page that does not include the proper entry point of the API, from the extended page table whether the page is to be monitored; and
- generating, based on the determination that the page is to be monitored, an execution fault.

Dependent claims: 20.
Specification