Patent · US Active

Direct call into system DLL detection system and method

US8209757B1 · kind B1 · utility

Cited by: 17
References: 2
Claims: 18
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jun 27, 2008
Grant date: Jun 26, 2012
Priority date
Expiry date: May 16, 2030

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/53
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A method includes creating an intercept function for a tracked DLL function of a DLL being loaded into a suspicious module. Upon a determination that the tracked DLL function is invoked, a determination is made as to whether a return address of a caller of the tracked DLL function is within a legitimate return address range. The legitimate return address range includes an address range of the intercept function and excludes an address range of the suspicious module. If the return address is within the suspicious module, the suspicious module called the tracked DLL function directly. This indicates that the suspicious module is malicious and so protective action is taken.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.