-
Publication No.: US20190205533A1
Publication Date: 2019-07-04
Application No.: US15857007
Filing Date: 2017-12-28
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Milos Petrbok, Colin Christopher McCambridge, Aaron Putnam
Abstract: Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.
-
Publication No.: US10740459B2
Publication Date: 2020-08-11
Application No.: US15857007
Filing Date: 2017-12-28
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Milos Petrbok, Colin Christopher McCambridge, Aaron Putnam
Abstract: Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.
-
Publication No.: US20180239657A1
Publication Date: 2018-08-23
Application No.: US15438553
Filing Date: 2017-02-21
Applicant: CrowdStrike, Inc.
Inventor: Milos Petrbok, Colin Christopher McCambridge
IPC: G06F9/54
Abstract: A symmetric, cross-platform, bridge component is described herein. The bridge component creates an interface (through a set of application programming interfaces (APIs)) to enable the sending of data between a pair of components, called “endpoints,” a first endpoint component of the pair being executed in a kernel mode of a computing device, and a second endpoint component of the pair being executed in a user mode of the computing device. A process for sending data between a kernel-level endpoint component and a user-level endpoint component executing on a computing device involves opening a communications port, setting the communications port to a connected state, and sending a message containing the data via the communications port. Data may be transmitted in this manner between the user mode and the kernel mode of the computing device in either direction.
-
Publication No.: US10387228B2
Publication Date: 2019-08-20
Application No.: US15438553
Filing Date: 2017-02-21
Applicant: CrowdStrike, Inc.
Inventor: Milos Petrbok, Colin Christopher McCambridge
Abstract: A symmetric, cross-platform, bridge component is described herein. The bridge component creates an interface (through a set of application programming interfaces (APIs)) to enable the sending of data between a pair of components, called “endpoints,” a first endpoint component of the pair being executed in a kernel mode of a computing device, and a second endpoint component of the pair being executed in a user mode of the computing device. A process for sending data between a kernel-level endpoint component and a user-level endpoint component executing on a computing device involves opening a communications port, setting the communications port to a connected state, and sending a message containing the data via the communications port. Data may be transmitted in this manner between the user mode and the kernel mode of the computing device in either direction.