Shell code blocking system and method

Information security – Monitoring or scanning of software or data including attack...

Reexamination Certificate


Details

C726S023000, C726S024000, C726S025000, C713S164000, C713S188000, C713S190000, C709S216000, C709S217000


active

10360341

ABSTRACT:
A method includes hooking a critical operating system function, originating a call to the critical operating system function with a call module of a parent application, stalling the call, determining a location of the call module in memory, and determining whether the location is in an executable area of the memory. Upon a determination that the call module is not in the executable area, the method further includes terminating the call. By terminating the call, execution of a child application that would otherwise allow unauthorized remote access is prevented.
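The abstract's decisive step is the test of whether the code that originated the call lives in an executable area of memory. The following C program, written here as an added illustration and not taken from the patent or any product implementing it, models that single check on a constructed memory-map snapshot in the Linux /proc/<pid>/maps format: it parses the mapping lines, looks up the caller's address, and returns "allow" only when the containing region carries the execute permission, treating unmapped addresses as non-executable as well. The hooking and stalling of the operating system function described in the abstract are platform-specific and are not modeled; the sample addresses, region boundaries and path names are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* One parsed mapping from a /proc/<pid>/maps-style line. */
typedef struct {
    uintptr_t start;
    uintptr_t end;
    int executable;   /* 1 when the permission field carries 'x' */
} mapping_t;

#define MAX_MAPS 64

/* Parse maps-format text ("start-end perms ..." per line) into an array.
   Lines that do not match the format are skipped. Returns the count parsed. */
int parse_maps(const char *text, mapping_t *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        unsigned long start, end;
        char perms[5] = {0};
        if (sscanf(p, "%lx-%lx %4s", &start, &end, perms) == 3) {
            out[n].start = (uintptr_t)start;
            out[n].end = (uintptr_t)end;
            out[n].executable = (perms[2] == 'x');   /* perms look like "r-xp" */
            n++;
        }
        const char *nl = strchr(p, '\n');
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

/* The check from the abstract: does the caller's address fall inside an
   executable region? An address in no region at all is treated as
   non-executable, so a call from unmapped memory is also refused. */
int in_executable_area(uintptr_t addr, const mapping_t *maps, int n)
{
    for (int i = 0; i < n; i++)
        if (addr >= maps[i].start && addr < maps[i].end)
            return maps[i].executable;
    return 0;
}

/* Constructed snapshot of a process map (not captured from a real process).
   On Linux the same parser would consume the text of /proc/self/maps. */
static const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "00652000-00653000 rw-p 00052000 08:01 1234 /usr/bin/example\n"
    "7ffff7dd0000-7ffff7df0000 rw-p 00000000 00:00 0 [heap]\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n";

/* Number of mappings in the constructed snapshot (exposed for checking). */
int count_sample_maps(void)
{
    mapping_t maps[MAX_MAPS];
    return parse_maps(SAMPLE_MAPS, maps, MAX_MAPS);
}

/* Decision for a stalled call: 1 = let the call proceed, 0 = terminate it. */
int decide_call(uintptr_t caller_addr)
{
    mapping_t maps[MAX_MAPS];
    int n = parse_maps(SAMPLE_MAPS, maps, MAX_MAPS);
    return in_executable_area(caller_addr, maps, n);
}

int main(void)
{
    uintptr_t from_text  = 0x401000;        /* inside the r-x text segment */
    uintptr_t from_stack = 0x7fffffffe000;  /* inside the rw- stack region */
    printf("caller %#lx: %s\n", (unsigned long)from_text,
           decide_call(from_text) ? "allow" : "terminate");
    printf("caller %#lx: %s\n", (unsigned long)from_stack,
           decide_call(from_stack) ? "allow" : "terminate");
    return 0;
}
```

The two addresses in main exercise both outcomes: a caller inside the text segment is allowed, while a caller located in the writable stack region, the situation the abstract associates with an injected child application, is refused. A real interception point would obtain the caller's address from the hooked call's return address rather than from a hard-coded constant.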

REFERENCES:
patent: 5598531 (1997-01-01), Hill
patent: 5696822 (1997-12-01), Nachenberg
patent: 5802178 (1998-09-01), Holden et al.
patent: 5822517 (1998-10-01), Dotan
patent: 6301699 (2001-10-01), Hollander et al.
patent: 6357008 (2002-03-01), Nachenberg
patent: 6910142 (2005-06-01), Cross et al.
Vasudevan, A., et al., “SPiKE: Engineering Malware Analysis Tools using Unobtrusive Binary-Instrumentation”, Australian Computer Society, 2006, Dept. of CS & Engineering, Univ. of Texas at Arlington, entire document, http://crpit.com/confpapers/CRPITV48Vasudevan.pdf.
Szor, P., “Attacks on WIN32”, Virus Bulletin Conference, Oct. 1998, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 57-84.
Szor, P., “Memory Scanning Under Windows NT”, Virus Bulletin Conference, Sep. 1999, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 1-22.
Szor, P., “Attacks on WIN32-Part II”, Virus Bulletin Conference, Sep. 2000, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 47-68.
Chien, E. and Szor, P., “Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques In Computer Viruses”, Virus Bulletin Conference, Sep. 2002, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 1-36.
Buysse, J., “Virtual Memory: Windows NT® Implementation”, pp. 1-15 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://people.msoe.edu/~barnicks/courses/cs384/papers19992000/buyssej-Term.pdf>.
Dabak, P., Borate, M. and Phadke, S., “Hooking Windows NT System Services”, pp. 1-8 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://www.windowsitlibrary.com/Content/356/06/2.html>.
“How Entercept Protects: System Call Interception”, pp. 1-2 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://www.entercept.com/products/technology/kernelmode.asp>. No author provided.
“How Entercept Protects: System Call Interception”, p. 1 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://www.entercept.com/products/technology/interception.asp>. No author provided.
Kath, R., “The Virtual-Memory Manager in Windows NT”, pp. 1-11 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://msdn.microsoft.com/library/en-us/dngenlib/html/msdn_ntvmm.asp?frame=true>.
Szor, P. and Kaspersky, E., “The Evolution of 32-Bit Windows Viruses”, Windows & .Net Magazine, pp. 1-4 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet: <URL:http://www.winnetmag.com/Articles/Print.cfm?ArticleID=8773>.
Szor, P., “The New 32-bit Medusa”, Virus Bulletin, Dec. 2000, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 8-10.
Szor, P., “Shelling Out”, Virus Bulletin, Feb. 1997, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 6-7.
McCorkendale, B. and Szor, P., “Code Red Buffer Overflow”, Virus Bulletin, Sep. 2001, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 4-5.
Nachenberg, C., “A New Technique for Detecting Polymorphic Computer Viruses”, University of California, Los Angeles, 1995.
Szor, P., U.S. Appl. No. 10/681,623, filed Oct. 7, 2003, entitled “Unmapped Code Blocking System and Method”.
Szor, P., U.S. Appl. No. 10/781,207, filed Feb. 17, 2004, entitled “Kernel Mode Overflow Attack Prevention System and Method”.
“INFO: CreateFileMapping() SEC_* Flags”, pp. 1-2 [online]. Retrieved on Sep. 24, 2003. Retrieved from the Internet: <URL:http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q108/2/31.asp&NoWebContent=1>. No author provided.
“CreateFileMapping”, pp. 1-5 [online]. Retrieved on Sep. 10, 2003. Retrieved from the Internet: <URL:http://msdn.microsoft.com/library/en-us/fileio//base/createfilemapping.asp?frame=true>. No author provided.
Szor, P., U.S. Appl. No. 10/371,945, filed Feb. 21, 2003, entitled “Safe Memory Scanning”.
Szor, P., U.S. Appl. No. 10/464,091, filed Jun. 17, 2003, entitled “Send Blocking System and Method”.
Szor, P., U.S. Appl. No. 10/611,472, filed Jun. 30, 2003, entitled “Signature Extraction System and Method”.


Profile ID: LFUS-PAI-O-3839823
