Detecting shellcode that modifies IAT entries

Information security – Monitoring or scanning of software or data including attack... – Intrusion detection

Reexamination Certificate


Details

C713S164000


active

07552479

ABSTRACT:
On start up of a process, a critical imported functions table is dynamically allocated and marked read only to impede modification by malicious code. The table holds the resolved addresses of the critical imported functions that an application, such as a host intrusion detection system application, depends upon to have data integrity. The critical imported functions are hooked so that a call to a critical imported function is executed using the corresponding entry in the critical imported functions table rather than the entry in the current process IAT, which may have been modified by malicious code. The current process IAT is evaluated to determine whether it has changed from its initial start up state in a way that is indicative of an evasion attempt by malicious code. If an evasion attempt is detected, a notification is provided to a user and/or system administrator. Optionally, protective action is taken, such as saving a copy of the current process IAT to permit later analysis of the change.
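The mechanism in the abstract has three parts: a read-only copy of the resolved import addresses taken at start up, a hooked call path that dispatches through that copy instead of the live IAT, and a periodic comparison of the live IAT against the start-up snapshot. The following C program is an added example, not code from the patent or from any product that implements it. It models the process IAT as a plain array of function pointers (a real implementation would walk the PE import descriptors to find the actual IAT, per the Pietrek articles cited below), stands in two constructed functions for resolved imports, and uses POSIX `mprotect` where a Windows implementation would use `VirtualProtect`. The rogue function exists only so the detection path can be exercised.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

typedef int (*import_fn)(int);

/* Constructed stand-ins for resolved imports; these are not real Win32 APIs. */
static int imp_read_config(int x) { return x + 1; }
static int imp_write_log(int x)   { return x * 2; }
/* Constructed replacement used only to exercise the detection path. */
static int rogue_write_log(int x) { return -x; }

#define NUM_IMPORTS 2
/* Model of the live process IAT: writable, exactly as the loader leaves it. */
import_fn process_iat[NUM_IMPORTS] = { imp_read_config, imp_write_log };

static import_fn *critical_table = NULL;   /* allocated at start up, then read-only */
static import_fn initial_iat[NUM_IMPORTS]; /* start-up snapshot for later comparison */
static import_fn saved_iat[NUM_IMPORTS];   /* copy kept when a change is detected */

/* Start up: allocate a page-aligned copy of the resolved addresses and make it
 * read-only so that later writes to the live IAT cannot reach the trusted copy.
 * The page is intentionally never freed: it must outlive every hooked call. */
int init_critical_table(void) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    critical_table = aligned_alloc((size_t)page, (size_t)page);
    if (critical_table == NULL) return -1;
    memcpy(critical_table, process_iat, sizeof process_iat);
    memcpy(initial_iat, process_iat, sizeof initial_iat);
    return mprotect(critical_table, (size_t)page, PROT_READ);
}

/* Hooked call path: dispatch through the protected table, never the live IAT. */
int call_critical(size_t idx, int arg) {
    return critical_table[idx](arg);
}

/* Evaluate the live IAT against the start-up snapshot. Returns the number of
 * changed slots and writes the indices of the first 'max' of them to changed[].
 * When anything changed, the live IAT is copied aside for later analysis. */
size_t detect_iat_changes(size_t *changed, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < NUM_IMPORTS; i++) {
        if (process_iat[i] != initial_iat[i]) {
            if (n < max) changed[n] = i;
            n++;
        }
    }
    if (n > 0) memcpy(saved_iat, process_iat, sizeof saved_iat);
    return n;
}

/* True when the preserved copy reflects the live IAT at detection time. */
int saved_copy_matches_live(void) {
    return memcmp(saved_iat, process_iat, sizeof saved_iat) == 0;
}

int main(void) {
    size_t changed[NUM_IMPORTS];
    if (init_critical_table() != 0) { perror("init_critical_table"); return 1; }
    printf("clean scan: %zu changed entries\n", detect_iat_changes(changed, NUM_IMPORTS));

    process_iat[1] = rogue_write_log;   /* simulate an in-process IAT overwrite */
    size_t n = detect_iat_changes(changed, NUM_IMPORTS);
    printf("after tamper: %zu changed entry (slot %zu)\n", n, changed[0]);
    /* The hooked path still reaches the original import. */
    printf("call_critical(1, 21) = %d\n", call_critical(1, 21));
    return 0;
}
```

The comparison is a straight pointer-equality walk, which is enough for the evasion case the abstract describes (an entry rewritten to point elsewhere); a production scanner would also need to tolerate legitimate IAT rewrites such as delayed-load resolution, which is why the abstract speaks of a change "indicative of an evasion attempt" rather than any change at all.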

REFERENCES:
patent: 7111279 (2006-09-01), Gazdik et al.
patent: 7165076 (2007-01-01), Bentley
patent: 2005/0108562 (2005-05-01), Khazan et al.
patent: 2005/0198507 (2005-09-01), Brender et al.
Rabek et al., “Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code”, Oct. 27, 2003, ACM, pp. 76-82.
Butler, J., and anonymous author, “Bypassing 3rd Party Windows Buffer Overflow Protection”, Phrack Inc., vol. 0x0b, Issue 0x3e, Phile #0x05 of 0x10, Jul. 13, 2004, pp. 1-17 [online]. Retrieved from the Internet:<URL:http://www.phrack.org/phrack/62/p62-0x05_Bypassing_Win_BufferOverflow_Protection.txt>.
Pietrek, Matt, “An In-Depth Look into the Win32 Portable Executable File Format”, MSDN Magazine, Feb. 2002, pp. 1-13 [online]. Retrieved from the Internet:<URL:http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx>.
Pietrek, Matt, “An In-Depth Look into the Win32 Portable Executable File Format, Part 2”, MSDN Magazine, Mar. 2002, pp. 1-12 [online]. Retrieved from the Internet:<URL:http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/default.aspx>.
