Methods, systems, articles of manufacture and apparatus to detect process hijacking

Assignee

• Intel Corporation · US

Inventors

• Zheng Zhang · San Jose, US
• Jason Martin · Beaverton, US
• Justin E. Gottschlich · Santa Clara, US
• Abhilasha Bhargav-Spantzel · Santa Clara, US
• Salmin Sultana · Hillsboro, US
• Li-Yuan Chen · Cupertino, US
• Wei Li · Shanghai, CN
• Priyam Biswas · West Lafayette, US
• Paul Carlson · Portland, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F2221/033
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

Methods, systems, articles of manufacture and apparatus to detect process hijacking are disclosed herein. An example apparatus to detect control flow anomalies includes a parsing engine to compare a target instruction pointer (TIP) address to a dynamic link library (DLL) module list, and in response to detecting a match of the TIP address to a DLL in the DLL module list, set a first portion of a normalized TIP address to a value equal to an identifier of the DLL. The example apparatus disclosed herein also includes a DLL entry point analyzer to set a second portion of the normalized TIP address based on a comparison between the TIP address and an entry point of the DLL, and a model compliance engine to generate a flow validity decision based on a comparison between (a) the first and second portion of the normalized TIP address and (b) a control flow integrity model.