Information security – Monitoring or scanning of software or data including attack...
Reexamination Certificate
2005-08-26
2009-11-10
Orgad, Edan (Department: 2439)
Information security
Monitoring or scanning of software or data including attack...
C726S023000, C726S024000, C726S025000, C726S030000, C713S002000, C713S188000
Reexamination Certificate
active
07617534
ABSTRACT:
Techniques are disclosed for detecting manipulations of user-kernel transition registers (such as the SYSENTER/SYSCALL critical registers of Intel/AMD processors, respectively), and other such registers. In one embodiment, a register monitor agent is deployed at system boot-up, and continues monitoring target registers for manipulation during system use. If a manipulation is detected, then exclusions are checked to see if that manipulation is legitimate (e.g., caused by a trusted source). If not a legitimate manipulation, then reporting and/or corrective action can be taken. The techniques can be used in real-time and in any number of behavior blocking, antivirus, and/or intrusion prevention applications.
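As an added illustration of the monitoring flow the abstract describes (example code, not from the patent or from Symantec), the following Python simulation baselines the transition registers at boot, re-checks them during use, consults an exclusion list of trusted modules before deciding a change is a manipulation, and restores values that fail that check. The register names IA32_SYSENTER_EIP and IA32_LSTAR are the real Intel/AMD MSR names for the SYSENTER and SYSCALL entry points; the module address map, the driver name vendor_av.sys and every address are constructed for the example, and the read/write callbacks stand in for the privileged MSR access a real kernel-mode agent would need.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the kernel's loaded-module list:
# (start, end, name). Ranges and names are illustrative only.
MODULE_MAP: List[Tuple[int, int, str]] = [
    (0x8040_0000, 0x8080_0000, "ntoskrnl (kernel image)"),
    (0xF800_0000, 0xF801_0000, "vendor_av.sys"),  # hypothetical trusted driver
]


def attribute_address(addr: int) -> Optional[str]:
    """Map a handler address to the module containing it, or None if unknown."""
    for start, end, name in MODULE_MAP:
        if start <= addr < end:
            return name
    return None


@dataclass(frozen=True)
class Manipulation:
    register: str
    expected: int          # value recorded at boot (or last accepted value)
    observed: int          # value found on re-check
    writer: Optional[str]  # module owning the new target, None if unknown


class RegisterMonitor:
    """Agent that baselines target registers at boot and re-checks them."""

    def __init__(self, read_msr: Callable[[str], int], targets, trusted_modules):
        self.read_msr = read_msr
        self.targets = list(targets)
        self.trusted = set(trusted_modules)   # the exclusion list
        self.baseline: Dict[str, int] = {}

    def snapshot_at_boot(self) -> None:
        self.baseline = {reg: self.read_msr(reg) for reg in self.targets}

    def check(self) -> List[Manipulation]:
        findings = []
        for reg in self.targets:
            observed = self.read_msr(reg)
            expected = self.baseline[reg]
            if observed == expected:
                continue
            writer = attribute_address(observed)
            if writer in self.trusted:
                # Exclusion hit: change came from a trusted source, so it
                # becomes the new baseline rather than a finding.
                self.baseline[reg] = observed
                continue
            findings.append(Manipulation(reg, expected, observed, writer))
        return findings


def remediate(write_msr: Callable[[str, int], None], findings) -> None:
    """Corrective action: put each manipulated register back to its baseline."""
    for f in findings:
        write_msr(f.register, f.expected)


def run_scenario():
    # Constructed register file; a real agent would use rdmsr/wrmsr in ring 0.
    regs = {"IA32_SYSENTER_EIP": 0x8041_2340, "IA32_LSTAR": 0x8041_5000}
    monitor = RegisterMonitor(regs.__getitem__, regs.keys(), {"vendor_av.sys"})
    monitor.snapshot_at_boot()

    # 1. The trusted driver re-points SYSENTER_EIP into its own image: excluded.
    regs["IA32_SYSENTER_EIP"] = 0xF800_1000
    first = monitor.check()

    # 2. Something outside every known module re-points LSTAR: reported.
    regs["IA32_LSTAR"] = 0xDEAD_0000
    second = monitor.check()
    remediate(regs.__setitem__, second)
    return first, second, dict(regs)


if __name__ == "__main__":
    first, second, regs = run_scenario()
    print("after trusted change:", first)
    print("after unknown change:", second)
    print("registers after remediation:", {k: hex(v) for k, v in regs.items()})
```

The attribution step is what separates a report from a false positive: the only question the monitor asks of a changed register is which loaded module owns the new target, so a handler that lands outside every known module is treated as a manipulation and rolled back to the recorded baseline.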
REFERENCES:
patent: 6385727 (2002-05-01), Cassagnol et al.
patent: 6438666 (2002-08-01), Cassagnol et al.
patent: 6735703 (2004-05-01), Kilpatrick et al.
patent: 6772332 (2004-08-01), Boebert et al.
patent: 6823433 (2004-11-01), Barnes et al.
patent: 6854039 (2005-02-01), Strongin et al.
patent: 6988226 (2006-01-01), Koning et al.
patent: 7007301 (2006-02-01), Crosbie et al.
patent: 7152242 (2006-12-01), Douglas
patent: 7260845 (2007-08-01), Kedma et al.
patent: 2002/0129245 (2002-09-01), Cassagnol et al.
patent: 2003/0093686 (2003-05-01), Barnes et al.
patent: 2003/0188169 (2003-10-01), Strongin et al.
patent: 2003/0188178 (2003-10-01), Strongin et al.
patent: 2003/0226014 (2003-12-01), Schmidt et al.
patent: 2003/0226022 (2003-12-01), Schmidt et al.
patent: 2005/0076186 (2005-04-01), Traut
patent: 2005/0120236 (2005-06-01), Witmann
patent: 2005/0204205 (2005-09-01), Ring et al.
patent: 2005/0228990 (2005-10-01), Kato et al.
patent: 2005/0229250 (2005-10-01), Ring et al.
patent: 2008/0016314 (2008-01-01), Li et al.
Butler, J., et al, ‘VICE-catch the hookers!’, In Black Hat USA, Jul. 2004, entire document, http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-butler/bh-us-04-butler.pdf.
Butler, James, VICE—Catch the hookers! Black Hat, Las Vegas, Jul. 2004. www.blackhat.com/presentations/bh-usa-04/bh-us-04-butler/bh-us-04-butler.pdf.
Keong, T.C., "SIG^2 G-TEC Win2K Kernel Hidden Process/Module Checker 0.1 (Proof-Of-Concept)," May 23, 2004, [online] [Retrieved on May 15, 2006] Retrieved from the Internet <URL:http://www.security.org.sg/code/kproccheck.html>, 6 pages.
"Notes from 'Windows NT System-Call Hooking' (Dr. Dobb's Journal, '97)," [online] [Retrieved on May 15, 2006] Retrieved from the Internet <URL:http://www.stanford.edu/~stinson/misc/curr_res/hooks
t_hooking.txt>, 9 pages.
Rutkowska, J., "System Virginity Verifier: Defining the Roadmap for Malware Detection on Windows System," Hack In The Box Security Conference, Sep. 28-29, 2005, Retrieved from the Internet <URL:http://www.invisiblethings.org/papers/hitb05_virginity_verifier.ppt>, 38 pages.
Conover Matthew
Ferrie Peter
Szor Peter
Baum Ronald
Fenwick & West LLP
Orgad Edan
Symantec Corporation
LandOfFree