Suspicious program detection
US-2016055337-A1 · Feb 25, 2016 · US
US11928206B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11928206-B2 |
| Application number | US-202318304231-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 20, 2023 |
| Priority date | Nov 15, 2018 |
| Publication date | Mar 12, 2024 |
| Grant date | Mar 12, 2024 |
Official abstract text for this publication.
Examples of the present disclosure describe systems and methods for selective export address table filtering. In aspects, the relative virtual address (RVA) of exported function names may be modified to point to a protected memory location. An exception handler may be registered to process exceptions relating to access violations of the protected memory location. If an exception is detected that indicates an attempt to access the protected memory location, the instruction pointer of the exception may be compared to an allowed range of memory addresses. If the instruction pointer address is outside the boundaries, remedial action may occur.
Opening claim text (preview).
What is claimed is:

1. A system comprising: a processor; and a memory coupled to the processor, the memory storing computer executable instructions executable to: generate a list of exportable functions accessible to an executable program; identify a first function name relative virtual address (RVA) corresponding to a first function in the list of exportable functions; identify a last function name RVA corresponding to a last function in the list of exportable functions; modify the first function name RVA to point to a restricted memory location, thereby creating a modified function name RVA; detect an exception that indicates an attempt to access the restricted memory location of the modified function name RVA; compare an instruction pointer address associated with the exception to an allowed range of memory addresses for system functions, the allowed range comprising a lower boundary corresponding to the first function name RVA and an upper boundary corresponding to the last function name RVA; determine that the instruction pointer address is outside the allowed range of memory addresses for system functions; and when the memory address of the exception is outside the allowed range, provide an indication of an anomaly for the executable program.
2. The system of claim 1, wherein generating the list of the exportable functions comprises scanning at least one of a library file or an address table associated with the executable program.
3. The system of claim 2, wherein the list of exportable functions comprises a function name and a function address corresponding to a function in the list of exportable functions.
4. The system of claim 1, wherein the first function name RVA points to a memory address of an object in an image file.
5. The system of claim 1, wherein modifying the first function name RVA comprises: storing the first function name RVA in a data structure; assigning an alternate memory address to the first function; and forming an association between the first function name RVA and the alternate memory address in the data structure.
6. The system of claim 1, wherein determining that the instruction pointer address is outside the allowed range comprises comparing the instruction pointer address to a list of authorized system binaries.
7. The system of claim 1, further comprising remediating the anomaly by terminating the executable program.
8. A non-transitory machine-readable storage medium comprising instructions executable to: generate a list of exportable functions accessible to an executable program; identify a first function name relative virtual address (RVA) corresponding to a first function in the list of exportable functions; identify a last function name RVA corresponding to a last function in the list of exportable functions; modify the first function name RVA to point to a restricted memory location, thereby creating a modified function name RVA; detect an exception that indicates an attempt to access the restricted memory location of the modified function name RVA; compare an instruction pointer address associated with the exception to an allowed range of memory addresses for system functions, the allowed range comprising a lower boundary corresponding to the first function name RVA and an upper boundary corresponding to the last function name RVA; determine that the instruction pointer address is outside the allowed range of memory addresses for system functions; and when the memory address of the exception is outside the allowed range, provide an indication of an anomaly for the executable program.
9. The non-transitory machine-readable storage medium of claim 8, wherein the instructions are further executable to scan at least one of a library file or an address table associated with the executable program.
10. The non-transitory machine-readable storage medium of claim 9, wherein the list of exportable functions comprises a function name and a function address corresponding to a function in the list of exportable functions.
11. The non-transitory machine-readable storage medium of claim 8, wherein the first function name RVA points to a memory address of an object in an image file.
12. The non-transitory machine-readable storage medium of claim 8, wherein the instructions are further executable to: store the first function name RVA in a data structure; assign an alternate memory address to the first function; and form an association between the first function name RVA and the alternate memory address in the data structure.
13. The non-transitory machine-readable storage medium of claim 8, wherein the instructions are further executable to compare the instruction pointer address to a list of authorized system binaries.
14. The non-transitory machine-readable storage medium of claim 8, wherein the instructions are further executable to remediate the anomaly by terminating the executable program.
15. A method comprising: generating a list of exportable functions accessible to an executable program; identifying a first function name relative virtual address (RVA) corresponding to a first function in the list of exportable functions; identifying a last function name RVA corresponding to a last function in the list of exportable functions; modifying the first function name RVA to point to a restricted memory location, thereby creating a modified function name RVA; detecting an exception that indicates an attempt to access the restricted memory location of the modified function name RVA; comparing an instruction pointer address associated with the exception to an allowed range of memory addresses for system functions, the allowed range comprising a lower boundary corresponding to the first function name RVA and an upper boundary corresponding to the last function name RVA; determining that the instruction pointer address is outside the allowed range of memory addresses for system functions; and when the memory address of the exception is outside the allowed range, providing an indication of an anomaly for the executable program.
16. The method of claim 15, wherein generating the list of the exportable functions comprises scanning at least one of a library file or an address table associated with the executable program.
17. The method of claim 16, wherein the list of exportable functions comprises a function name and a function address corresponding to a function in the list of exportable functions.
18. The method of claim 15, wherein the first function name RVA points to a memory address of an object in an image file.
19. The method of claim 15, wherein modifying the first function name RVA comprises: storing the first function name RVA in a data structure; assigning an alternate memory address to the first function; and forming an association between the first function name RVA and the alternate memory address in the data structure.
20. The method of claim 15, further comprising remediating the anomaly by terminating the executable program.
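The detection flow the claims describe (redirect the first name RVA, keep the original in a lookup structure, and on an access violation test the instruction pointer against the allowed range and the authorized-binary list) can be modelled in a few dozen lines. The following Python is an added illustration, not code from the patent or its assignee: the image base, the export table, the restricted page RVA, the module names and the three exception records are constructed sample values, and every name in it (ExportTable, EatGuard, ExceptionRecord, install_guard, classify_exception, remediate, demo) is the editor's own. The ExceptionRecord stands in for whatever a registered handler receives from the operating system; no real page protection or exception registration is performed.

```python
"""Model of the selective EAT-filtering check claimed in US11928206B2.

Added illustration with constructed data; not the patent's or assignee's code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IMAGE_BASE = 0x7FFA_2000_0000  # constructed load address of the guarded module
RESTRICTED_RVA = 0x00F0_0000    # constructed RVA of a no-access (protected) page


@dataclass
class ExportTable:
    """Exported names and their name RVAs in export-directory order (claims 2-3)."""
    image_base: int
    names: List[str]
    name_rvas: List[int]


@dataclass
class EatGuard:
    """State the filter keeps once the first function name RVA is redirected."""
    restricted_address: int
    allowed_range: Tuple[int, int]   # absolute [first name RVA, last name RVA]
    original_rvas: Dict[str, int] = field(default_factory=dict)  # name -> original RVA (claim 5)


@dataclass
class ExceptionRecord:
    """What the registered exception handler sees for one access violation."""
    fault_address: int        # memory location the faulting instruction touched
    instruction_pointer: int  # address of the faulting instruction
    module: Optional[str]     # module containing the instruction pointer, if known


def install_guard(table: ExportTable, restricted_rva: int) -> EatGuard:
    """Redirect the first function name RVA to the restricted location (claim 1).

    The allowed range is read from the unmodified table: after the redirect the
    first slot no longer holds a real name RVA, so the bounds must be taken first.
    """
    if not table.name_rvas:
        raise ValueError("export table has no names")
    first_rva, last_rva = table.name_rvas[0], table.name_rvas[-1]
    guard = EatGuard(
        restricted_address=table.image_base + restricted_rva,
        allowed_range=(table.image_base + first_rva, table.image_base + last_rva),
    )
    guard.original_rvas[table.names[0]] = first_rva  # association kept for resolvers
    table.name_rvas[0] = restricted_rva              # the modified function name RVA
    return guard


def original_name_rva(guard: EatGuard, table: ExportTable, name: str) -> int:
    """Resolve a name through the guard's association rather than the live table."""
    if name in guard.original_rvas:
        return guard.original_rvas[name]
    return table.name_rvas[table.names.index(name)]


def classify_exception(guard: EatGuard, exc: ExceptionRecord,
                       authorized_modules: frozenset) -> str:
    """Return 'unrelated', 'allowed' or 'anomaly' for one exception.

    'unrelated': the fault is not on the restricted location; pass it on.
    'allowed':   the instruction pointer lies in the allowed range (claim 1) or in
                 an authorized system binary (claim 6).
    'anomaly':   the indication claim 1 reports and claim 7 remediates.
    """
    if exc.fault_address != guard.restricted_address:
        return "unrelated"
    lo, hi = guard.allowed_range
    if lo <= exc.instruction_pointer <= hi:
        return "allowed"
    if exc.module is not None and exc.module in authorized_modules:
        return "allowed"
    return "anomaly"


def remediate(verdict: str) -> str:
    """Map a verdict to the handler's action; 'terminate' follows claim 7."""
    return {"anomaly": "terminate", "allowed": "continue", "unrelated": "pass"}[verdict]


def demo() -> List[str]:
    """Run three constructed exceptions through the guard and return the verdicts."""
    table = ExportTable(IMAGE_BASE, ["CreateFileW", "ReadFile", "WriteFile"],
                        [0x0001_0A40, 0x0001_0C10, 0x0001_2380])
    guard = install_guard(table, RESTRICTED_RVA)
    authorized = frozenset({"ntdll.dll", "kernelbase.dll"})  # constructed allow-list
    cases = [
        # a resolver inside the allowed range touches the restricted page
        ExceptionRecord(guard.restricted_address, IMAGE_BASE + 0x0001_1000, "guarded.dll"),
        # code outside the range and outside any authorized binary does the same
        ExceptionRecord(guard.restricted_address, 0x0000_0000_0042_0000, None),
        # an ordinary fault elsewhere in the module: not this handler's concern
        ExceptionRecord(IMAGE_BASE + 0x0002_0000, IMAGE_BASE + 0x0001_1000, "guarded.dll"),
    ]
    return [classify_exception(guard, e, authorized) for e in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict, "->", remediate(verdict))
```

Running the script prints `allowed -> continue`, `anomaly -> terminate` and `unrelated -> pass` for the three constructed records. The order of checks matters: the fault-address test comes first so that unrelated access violations are passed to the next handler, and the allowed-range and authorized-binary tests are both applied before anything is flagged, which keeps legitimate export resolution from being reported.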
by adding security routines or objects to programs · CPC title
involving event detection and direct action · CPC title
Test or assess software · CPC title