1. (WO2019067689) METHODS FOR PROTECTING SOFTWARE HOOKS, AND ASSOCIATED COMPUTER SECURITY SYSTEMS AND APPARATUS
Note: Text based on automated optical character recognition processes. Only the PDF version has legal value.

CLAIMS

What is claimed is:

1. An apparatus comprising:

a memory device configured to store processor-executable instructions;

a memory access monitoring device; and

a processing device configured to execute the processor-executable instructions, wherein executing the processor-executable instructions causes the apparatus to perform operations including:

identifying one or more software hooks to be protected;

configuring the memory access monitoring device to (1) monitor access to memory addresses of the identified hooks and (2) generate a notification indicating detection of an attempt to modify a monitored hook in response to detecting an attempt by a first task to write to at least one of the memory addresses of at least one of the monitored hooks;

configuring the processing device to execute a second task in response to the memory access monitoring device generating the notification indicating detection of the attempt to modify the monitored hook; and

in response to the memory access monitoring device generating the notification, pausing execution of the first task and initiating execution of the second task, wherein the second task determines whether to allow the first task to modify the monitored hook.

2. The apparatus of claim 1, wherein at least one of the identified hooks is inserted into an operating system (OS) application programming interface (API) function call.

3. The apparatus of claim 1, wherein the memory access monitoring device is integrated with the processing device.

4. The apparatus of claim 3, wherein the memory access monitoring device comprises one or more debug registers of the processing device.

5. The apparatus of claim 4, wherein configuring the memory access monitoring device to monitor access to the identified hooks comprises writing the memory addresses of the identified hooks to a subset of the debug registers.

6. The apparatus of claim 4, wherein configuring the processing device to execute the second task in response to the memory access monitoring device generating the notification comprises identifying a memory address of a function corresponding to the second task as an interrupt handler for the notification.

7. The apparatus of claim 6, wherein the interrupt handler for the notification is identified with respect to an OS context corresponding to the first task.

8. The apparatus of claim 1, wherein determining whether to allow the first task to modify the monitored hook comprises:

classifying the attempt to modify the monitored hook as benign or not benign;

if the attempt to modify the monitored hook is classified as not benign, blocking the first task from modifying the monitored hook; and

if the attempt to modify the monitored hook is classified as benign, permitting the first task to modify the monitored hook.

9. The apparatus of claim 8, wherein the hook is classified as benign, and wherein the operations further comprise classifying the attempt to modify the monitored hook as authorized or unauthorized.

10. The apparatus of claim 9, wherein the operations further comprise:

if the attempt to modify the monitored hook is classified as unauthorized, scheduling maintenance on the monitored hook to be performed after the first task performs the attempt to modify the monitored hook.

11. The apparatus of claim 10, wherein the operations further comprise performing the scheduled maintenance on the monitored hook after the first task performs the attempt to modify the monitored hook, and wherein performing the scheduled maintenance comprises:

identifying a software construct in which the monitored hook was injected prior to the first task's attempt to modify the monitored hook;

determining whether the monitored hook is injected in the software construct; and

if the monitored hook is not injected in the software construct, reinjecting the monitored hook into the software construct.

12. The apparatus of claim 11, wherein performing the scheduled maintenance further comprises:

determining whether a placement of the monitored hook in a chain of hooks satisfies one or more hook placement criteria; and

if the placement of the monitored hook in the chain of hooks does not satisfy the hook placement criteria, removing the monitored hook from the chain of hooks and reinjecting the monitored hook into the chain of hooks at a new placement that satisfies the hook placement criteria.
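The apparatus of claims 1 and 4 through 12 can be read as a small state machine: a watchpoint table (the debug registers) is armed on the hook's bytes, a write by a first task traps into a second task that classifies the attempt, and a benign-but-unauthorized modification schedules maintenance that reinjects the hook and fixes its place in the chain. The following Python model is an added example written for this page, not code from the patent or its applicant. Memory is a `bytearray`, `MemoryAccessMonitor` stands in for the debug registers with four slots, and `protection_handler()` is the second task. The classification policy (a set of known benign task names, a subset of which are authorized), the 5-byte jmp-style stub encoding, the constructed `ORIGINAL` prologue bytes, and the placement criterion that the protected hook must run first in the chain are all assumptions of the example; the claims leave those choices open.

```python
"""Toy model of the claimed hook-protection scheme (added example; not the patent's own code).

Memory is a bytearray, the memory access monitoring device is a small watchpoint table
standing in for the debug registers of claims 4-5, and the second task is
protection_handler(). The benign/authorized policies and the hook-placement criterion
("the protected hook runs first in the chain") are assumptions made for the example.
"""
from typing import Dict, List, Optional, Set

JMP = 0xE9                          # x86 near-jmp opcode; hook stubs are modelled as 5-byte jmps
OUR_STUB = bytes([JMP]) + b"OURS"   # constructed stub for the protected hook
ORIGINAL = b"\x55\x48\x89\xe5\x90"  # constructed "original prologue" bytes an unhook would restore


class MemoryAccessMonitor:
    """Write watchpoints with a fixed number of slots, like the address debug registers."""
    NUM_SLOTS = 4

    def __init__(self) -> None:
        self.slots: Dict[int, int] = {}   # watched start address -> length in bytes

    def arm(self, addr: int, length: int) -> None:
        if addr not in self.slots and len(self.slots) >= self.NUM_SLOTS:
            raise RuntimeError("no free debug register")
        self.slots[addr] = length

    def match(self, addr: int, length: int) -> Optional[int]:
        """Watched hook address that a write of `length` bytes at `addr` overlaps, or None."""
        for start, n in self.slots.items():
            if addr < start + n and addr + length > start:
                return start
        return None


class HookProtector:
    def __init__(self, benign_tasks: Set[str], authorized_tasks: Set[str]) -> None:
        self.mem = bytearray(64)
        self.monitor = MemoryAccessMonitor()
        self.chains: Dict[int, List[bytes]] = {}   # hook address -> chain; index 0 executes first
        self.benign_tasks = benign_tasks            # assumed policy: known-good components
        self.authorized_tasks = authorized_tasks    # assumed policy: may alter the hook freely
        self.pending_maintenance: List[int] = []
        self.events: List[str] = []

    def install_hook(self, addr: int) -> None:
        """Inject the protected hook and arm a watchpoint on its bytes (claims 1 and 5)."""
        self.chains[addr] = [OUR_STUB]
        self.mem[addr:addr + len(OUR_STUB)] = OUR_STUB
        self.monitor.arm(addr, len(OUR_STUB))

    def hook_present(self, addr: int) -> bool:
        return bytes(self.mem[addr:addr + len(OUR_STUB)]) == OUR_STUB

    def write(self, task: str, addr: int, data: bytes) -> bool:
        """A first task's write. A watchpoint hit pauses it and runs the second task first."""
        hook_addr = self.monitor.match(addr, len(data))
        if hook_addr is None:                         # not a protected location: plain write
            self.mem[addr:addr + len(data)] = data
            return True
        if not self.protection_handler(task, hook_addr):
            self.events.append(f"blocked {task} write at {addr:#x}")
            return False
        self.mem[addr:addr + len(data)] = data        # permitted: the first task's write lands
        # Effect on the chain: a whole jmp stub written at the hook address chains in front
        # of the existing hooks; any other write (e.g. restoring ORIGINAL) removes them all.
        chain = self.chains.get(hook_addr, [])
        is_stub = addr == hook_addr and len(data) == len(OUR_STUB) and data[0] == JMP
        self.chains[hook_addr] = [data] + [s for s in chain if s != data] if is_stub else []
        self.run_maintenance()                        # claim 11: after the write completes
        return True

    def protection_handler(self, task: str, hook_addr: int) -> bool:
        """The second task (claims 8-10): classify, then block or permit."""
        if task not in self.benign_tasks:
            return False                              # not benign: blocked
        if task not in self.authorized_tasks:         # benign but unauthorized
            self.pending_maintenance.append(hook_addr)
        return True

    def run_maintenance(self) -> None:
        """Claims 11-12: reinject a missing hook and fix its placement in the chain."""
        while self.pending_maintenance:
            addr = self.pending_maintenance.pop()
            chain = self.chains.setdefault(addr, [])
            if OUR_STUB not in chain:
                chain.insert(0, OUR_STUB)
                self.events.append(f"reinjected hook at {addr:#x}")
            elif chain.index(OUR_STUB) != 0:          # placement criterion: ours runs first
                chain.remove(OUR_STUB)
                chain.insert(0, OUR_STUB)
                self.events.append(f"moved hook at {addr:#x} to head of chain")
            self.mem[addr:addr + len(OUR_STUB)] = chain[0]


if __name__ == "__main__":
    p = HookProtector(benign_tasks={"hook_manager", "other_av"}, authorized_tasks={"hook_manager"})
    p.install_hook(0x10)
    p.write("unknown_task", 0x10, ORIGINAL)            # unhooking attempt by an unknown task
    p.write("other_av", 0x10, bytes([JMP]) + b"THEM")  # another product chains in front
    print("\n".join(p.events), "\nchain:", p.chains[0x10])
```

Two points of the model carry over to a real implementation. First, the watchpoint fires on any write that overlaps the hook bytes, not only on a write aligned to the hook's start, so a one-byte patch inside the stub still traps; the monitor's `match()` is written as an interval overlap for that reason. Second, the maintenance step runs only after the first task's write has completed, which is what claim 10 requires; until then the hook may genuinely be absent, so the handler's decision and the later reinjection are separate steps rather than one atomic action.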

13. A method comprising:

identifying one or more software hooks to be protected;

configuring a memory access monitoring device to (1) monitor access to memory addresses of the identified hooks and (2) generate a notification indicating detection of an attempt to modify a monitored hook in response to detecting an attempt by a first task to write to at least one of the memory addresses of at least one of the monitored hooks;

configuring a processing device to execute a second task in response to the memory access monitoring device generating the notification indicating detection of the attempt to modify the monitored hook; and

in response to the memory access monitoring device generating the notification, pausing execution of the first task and initiating execution of the second task, wherein the second task determines whether to allow the first task to modify the monitored hook.

14. The method of claim 13, wherein at least one of the identified hooks is inserted into an operating system (OS) application programming interface (API) function call.

15. The method of claim 13, wherein the memory access monitoring device is integrated with the processing device.

16. The method of claim 15, wherein the memory access monitoring device comprises one or more debug registers of the processing device.

17. The method of claim 16, wherein configuring the memory access monitoring device to monitor access to the identified hooks comprises writing the memory addresses of the identified hooks to a subset of the debug registers.

18. The method of claim 16, wherein configuring the processing device to execute the second task in response to the memory access monitoring device generating the notification comprises identifying a memory address of a function corresponding to the second task as an interrupt handler for the notification.

19. The method of claim 18, wherein the interrupt handler for the notification is identified with respect to an OS context corresponding to the first task.

20. The method of claim 13, wherein determining whether to allow the first task to modify the monitored hook comprises:

classifying the attempt to modify the monitored hook as benign or not benign;

if the attempt to modify the monitored hook is classified as not benign, blocking the first task from modifying the monitored hook; and

if the attempt to modify the monitored hook is classified as benign, permitting the first task to modify the monitored hook.