Systems and methods for preventing hollowing attack
US12299120B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Sep 29, 2022 |
| Grant date | May 13, 2025 |
| Priority date | — |
| Expiry date | Jun 30, 2043 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F2221/034
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
A system and method for detecting and curing a hollowing attack are disclosed herein. The method comprises monitoring real-time process memory parameters of a target process; retrieving real-time process memory parameters of the target process; comparing the real-time process memory parameters of the target process with reference process parameters of the target process stored in a system storage of the computing system and parameters of the process creation call-back notification; detecting a hollowing attack based on the comparison in the previous step; in response to detecting the hollowing attack, determining a threat source file of malicious code; determining the address space of the hollowed process on the computing system based on system log data; and curing the computing system by blocking execution of the threat source file and deleting threat resources associated therewith from the computing system.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.