Invention Grant
- Patent Title: Direct call into system DLL detection system and method
- Patent Title (中): 直接调用系统DLL检测系统和方法
- Application No.: US12163747
- Application Date: 2008-06-27
- Publication No.: US08209757B1
- Publication Date: 2012-06-26
- Inventor: Mark Kennedy , Shane Pereira
- Applicant: Mark Kennedy , Shane Pereira
- Applicant Address: US CA Mountain View
- Assignee: Symantec Corporation
- Current Assignee: Symantec Corporation
- Current Assignee Address: US CA Mountain View
- Agency: McKay and Hodgson, LLP
- Agent: Serge J. Hodgson; Sean P. Lewis
- Main IPC: G06F21/00
- IPC: G06F21/00

Abstract:
A method includes creating an intercept function for a tracked DLL function of a DLL being loaded into a suspicious module. Upon a determination that the tracked DLL function is invoked, a determination is made as to whether a return address of a caller of the tracked DLL function is within a legitimate return address range. The legitimate return address range includes an address range of the intercept function and excludes an address range of the suspicious module. If the return address is within the suspicious module, the suspicious module called the tracked DLL function directly. This indicates that the suspicious module is malicious and so protective action is taken.
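The check the abstract describes, as an added illustration in C (not the patent's or Symantec's code): a classifier that decides whether a caller's return address falls in the legitimate range (which includes the intercept function) or inside the suspicious module, plus a small simulation in which the "tracked DLL function" inspects its caller with the GCC/Clang builtin `__builtin_return_address`. Assumptions not in the abstract: the `CALL_UNCLASSIFIED` verdict for addresses in neither range, the constructed `DEMO_*` ranges, and the approximation of each "module" by a fixed number of bytes after its stand-in function (a real implementation would take module bounds from the loader).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Half-open address range [start, end). */
typedef struct { uintptr_t start, end; } addr_range;

static bool in_range(uintptr_t a, addr_range r) { return a >= r.start && a < r.end; }

typedef enum {
    CALL_LEGITIMATE,        /* return address inside a legitimate range, e.g. the intercept */
    CALL_DIRECT_SUSPICIOUS, /* return address inside the suspicious module: a direct call */
    CALL_UNCLASSIFIED       /* in neither range (assumption: the abstract leaves this case open) */
} call_verdict;

/* The decision from the abstract: the legitimate range includes the intercept
 * function and excludes the suspicious module. */
call_verdict classify_return_address(uintptr_t ret_addr,
                                     const addr_range *legit, size_t n_legit,
                                     addr_range suspicious)
{
    if (in_range(ret_addr, suspicious))
        return CALL_DIRECT_SUSPICIOUS;
    for (size_t i = 0; i < n_legit; i++)
        if (in_range(ret_addr, legit[i]))
            return CALL_LEGITIMATE;
    return CALL_UNCLASSIFIED;
}

/* Constructed ranges so the classifier can be exercised without real addresses. */
static const addr_range DEMO_LEGIT[1]   = { { 0x1000, 0x2000 } };
static const addr_range DEMO_SUSPICIOUS = { 0x5000, 0x6000 };

call_verdict classify_with_demo_ranges(uintptr_t ret_addr)
{
    return classify_return_address(ret_addr, DEMO_LEGIT, 1, DEMO_SUSPICIOUS);
}

/* ---- runtime simulation of the hook (GCC/Clang: __builtin_return_address) ---- */

static addr_range g_legit[1];    /* set in main(): the intercept function's range */
static addr_range g_suspicious;  /* set in main(): the suspicious module's range */
static call_verdict g_last_verdict = CALL_UNCLASSIFIED;
static unsigned g_forwarded = 0;
bool g_call_directly = false;    /* runtime flag so the compiler cannot specialise the caller */

call_verdict last_verdict(void) { return g_last_verdict; }

/* Stand-in for the tracked DLL export, with the detection check in its prologue
 * (where an inline hook would place it). It inspects its caller's return address. */
__attribute__((noinline))
int tracked_dll_function(int x)
{
    uintptr_t ret = (uintptr_t)__builtin_return_address(0);
    g_last_verdict = classify_return_address(ret, g_legit, 1, g_suspicious);
    if (g_last_verdict == CALL_DIRECT_SUSPICIOUS)
        printf("direct call from 0x%lx: protective action would be taken here\n", (unsigned long)ret);
    return x * 2;                     /* the export's real work */
}

/* The intercept that the suspicious module's import entry is redirected to. */
__attribute__((noinline))
int intercept_tracked_function(int x)
{
    int r = tracked_dll_function(x);  /* return address now lies inside the intercept */
    g_forwarded++;                    /* side effect after the call prevents a tail call */
    return r;
}

typedef int (*api_fn)(int);
api_fn import_table_entry = tracked_dll_function;   /* the module's import slot */

/* Stand-in for code in the suspicious module: the well-behaved path calls through
 * the import slot, the evasive path calls the export's address directly. */
__attribute__((noinline))
int suspicious_module_code(void)
{
    int r = g_call_directly ? tracked_dll_function(21) : import_table_entry(21);
    printf("suspicious module received %d\n", r);
    return r;
}

int main(void)
{
    /* Approximate each "module" by 0x100 bytes after its stand-in function (assumption). */
    g_legit[0]   = (addr_range){ (uintptr_t)intercept_tracked_function, (uintptr_t)intercept_tracked_function + 0x100 };
    g_suspicious = (addr_range){ (uintptr_t)suspicious_module_code, (uintptr_t)suspicious_module_code + 0x100 };

    import_table_entry = intercept_tracked_function;   /* install the intercept */
    g_call_directly = false; suspicious_module_code();  /* via the intercept: legitimate */
    g_call_directly = true;  suspicious_module_code();  /* bypasses the intercept: detected */
    return 0;
}
```

The order of the two tests in `classify_return_address` matters: the suspicious module's range is checked first, so an address that happens to fall in both ranges is still reported as a direct call.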