System, Method, and Computer Program Product for Monitoring and/or Analyzing At Least One Aspect of An Invocation of An Interface

US 20160026794A1
Filed: 05/01/2015
Published: 01/28/2016
Est. Priority Date: 01/24/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

identifying execution of an interface, including identifying that a code segment internal to the interface has been executed;

in response to the execution of the interface, determining whether the interface was executed as a result of executing a defined entry point of the interface; and

determining whether the execution is malicious based upon whether the entry point was invoked prior to execution of the code segment;

wherein the entry point is located logically before the code segment.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided. In use, execution of a portion of internal code of an interface is identified. Further, in response to the execution of the portion of internal code, at least one aspect of an invocation of the interface is monitored and/or analyzed.

6 Citations

33 Claims

1. A method, comprising:
- identifying execution of an interface, including identifying that a code segment internal to the interface has been executed;
  
  in response to the execution of the interface, determining whether the interface was executed as a result of executing a defined entry point of the interface; and
  
  determining whether the execution is malicious based upon whether the entry point was invoked prior to execution of the code segment;
  
  wherein the entry point is located logically before the code segment.
- View Dependent Claims (4, 5, 6, 10, 18)
- - 4. The method as recited in claim 1, further comprising predetermining that the code segment is to be monitored for execution with respect to the entry point.
  - 5. The method as recited in claim 1, wherein the code segment is determined during runtime by:
    - determining a starting address of the interface; and
      
      determining a size of the interface.
  - 6. The method as recited in claim 1, and further comprising determining whether the execution is malicious further based upon whether the interface includes a single entry point.
  - 10. The method as recited in claim 1, further comprising determining whether the execution of the code segment is malicious based upon a determination that the entry point of the interface was not invoked.
  - 18. The method as recited in claim 1, further comprising:
    - identifying that a code segment internal to the interface has been executed by utilizing a callback function; and
      
      verifying the callback function by determining whether a memory address associated with the callback function is located within code of the interface.

2. (canceled)

3. (canceled)

7-10. -10. (canceled)

11-17. -17. (canceled)

19. A computer program product embodied on a non-transitory computer readable medium, comprising instructions that, when loaded and executed by a processor, cause the processor to:
- identify execution of an interface, including identifying that a code segment internal to the interface has been executed; and
  
  determine whether the execution is malicious based upon whether the entry point was invoked prior to execution of the code segment;
  
  wherein the entry point is located logically before the code segment.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The computer program product of claim 19, further comprising instructions for causing the processor to predetermine that the code segment is to be monitored for execution with respect to the entry point.
  - 23. The computer program product of claim 19, further comprising instructions for causing the processor to determine the code segment to be monitored during runtime by:
    - determining a starting address of the interface; and
      
      determining a size of the interface
  - 24. The computer program product of claim 19, further comprising instructions for causing the processor to determine whether the execution is malicious further based upon whether the interface includes a single entry point.
  - 25. The computer program product of claim 19, further comprising instructions for causing the processor to determine whether the execution is malicious based upon a determination that the entry point of the interface was not invoked.
  - 26. The computer program product of claim 19, further comprising instructions for causing the processor to:
    - identify that another portion of internal code of the interface was invoked; and
      
      determine that the execution is malicious based at least upon an identification that the other portion of internal code was invoked prior to execution of the code segment;
      
      wherein the code segment is located logically before the other portion of internal code.
  - 27. The computer program product of claim 19, further comprising instructions for causing the processor to:
    - identify that a code segment internal to the interface has been executed by utilizing a callback function; and
      
      verify the callback function by determining whether a memory address associated with the callback function is located within code of the interface.

20. A system, comprising:
- a processor;
  
  detection logic executable by the processor to identify execution of an interface, including identifying that a code segment internal to the interface has been executed; and
  
  analysis logic executable by the processor to determine whether the execution is malicious based upon whether the entry point was invoked prior to execution of the code segment;
  
  wherein the entry point is located logically before the code segment.
- View Dependent Claims (28, 29, 30, 31, 32, 33)
- - 28. The system of claim 20, wherein the detection logic is further executable by the processor to configure the system to predetermine that the code segment is to be monitored for execution with respect to the entry point.
  - 29. The system of claim 20, wherein the detection logic is further executable by the processor to determine the code segment to be monitored during runtime by:
    - determining a starting address of the interface; and
      
      determining a size of the interface
  - 30. The system of claim 20, wherein the analysis logic is further executable by the processor to determine whether the execution is malicious further based upon whether the interface includes a single entry point.
  - 31. The system of claim 20, wherein the analysis logic is further executable by the processor to determine whether the execution is malicious based upon a determination that the entry point of the interface was not invoked.
  - 32. The system of claim 20, wherein:
    - the detection logic is further executable to identify that another portion of internal code of the interface was invoked; and
      
      the analysis logic is further executable to determine that the execution is malicious based at least upon an identification that the other portion of internal code was invoked prior to execution of the code segment;
      
      wherein the code segment is located logically before the other portion of internal code.
  - 33. The system of claim 20, wherein the analysis logic is further executable by the processor to:
    - identify that a code segment internal to the interface has been executed by utilizing a callback function; and
      
      verify the callback function by determining whether a memory address associated with the callback function is located within code of the interface.

21. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Dalcher, Gregory William

Granted Patent

US 9,824,215 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/302   where the computing system ...

G06F 11/3051   Monitoring arrangements for...

G06F 11/3089   Monitoring arrangements det...

G06F 11/3604   Software analysis for verif...

G06F 11/3668   Software testing software t...

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 2221/033   Test or assess software

System, Method, and Computer Program Product for Monitoring and/or Analyzing At Least One Aspect of An Invocation of An Interface

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System, Method, and Computer Program Product for Monitoring and/or Analyzing At Least One Aspect of An Invocation of An Interface

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links