Detecting shellcode that modifies IAT entries
US7552479B1 · kind B1 · utility
Assignee
Inventors
Key dates
| Filing date | Mar 22, 2005 |
| Grant date | Jun 23, 2009 |
| Priority date | — |
| Expiry date | Aug 3, 2027 |
Classification
- Technology area (CPC G)Physics
- CPC primaryG06F21/565
- WIPO fieldComputer technology
- WIPO sectorElectrical engineering
Abstract
On start up of a process, a critical imported functions table including resolved addresses of critical imported functions that an application, such as a host intrusion detection system application depends upon to have data integrity, is dynamically allocated and marked read only to impede modification by malicious code. The critical imported functions are hooked so that execution of a call to a critical imported function is made using a corresponding entry in the critical imported functions table rather than an entry in a current process IAT, which may have been modified by malicious code. The current process IAT is evaluated to determine whether it has changed from an initial start up state, in a way that is indicative of an evasion attempt by malicious code. If an evasion attempt is detected, a notification is provided to a user and/or system administrator. Optionally, protective action is taken, such as saving a copy of the current process IAT to permit later analysis of the change.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.