-
Publication No.: US12175312B2
Publication Date: 2024-12-24
Application No.: US17953801
Filing Date: 2022-09-27
Applicant: CrowdStrike, Inc.
Inventor: Marco Vedovati, Martin Kelly
IPC: G06F9/54
Abstract: A first message structure is selected from a first subset of a plurality of message structures based on a size of a message payload and a message type of the message payload. Each of the first subset of the plurality of message structures has a different size. A size of the first message structure is greater than or equal to the size of the message payload. A first request is transmitted to an application programming interface (API) utilizing the size of the first message structure. In response to transmitting the first request to the API, a reference is received to a buffer structure. The message payload is copied into the buffer structure using the reference to the buffer structure.
-
Publication No.: US20240202134A1
Publication Date: 2024-06-20
Application No.: US18081149
Filing Date: 2022-12-14
Applicant: CrowdStrike, Inc.
Inventor: Martin Kelly, Marco Vedovati, Igor Polevoy, Milos Petrbok, Christopher White
IPC: G06F12/1009, G06F1/14, G06F9/54
CPC classification number: G06F12/1009, G06F1/14, G06F9/544
Abstract: A method includes retrieving, in a kernel space of an operating system executing on a computing device, a first value from a first clock source, retrieving, in a user space of the operating system executing on the computing device, a second value from a second clock source, generating a unique process identifier (UPID) associated with a process identifier (PID) of a process executing in the operating system, wherein the UPID is based on the first value of the first clock source and the second value of the second clock source, and tracking process activity of the process executing in the operating system by utilizing the UPID.
-
Publication No.: US20240202337A1
Publication Date: 2024-06-20
Application No.: US18085088
Filing Date: 2022-12-20
Applicant: CrowdStrike, Inc.
Inventor: Martin Kelly, Jayasankar Divakarla
CPC classification number: G06F21/566, G06F21/52, G06F2221/034
Abstract: A creation of a first process is detected in a kernel space of an operating system executing on a computing device. An exec parent of the first process is determined. The exec parent identifies a second process within an ancestry of the first process that last performed an exec operation prior to the creation of the first process. A unique process identifier (UPID) associated with a process identifier (PID) of the first process is generated. The UPID is associated with the exec parent in a first mapping store that maps the PID to the UPID. Process activity of the first process executing in the operating system is tracked to generate process activity data that comprises the exec parent.
-
Publication No.: US20240103944A1
Publication Date: 2024-03-28
Application No.: US17953801
Filing Date: 2022-09-27
Applicant: CrowdStrike, Inc.
Inventor: Marco Vedovati, Martin Kelly
IPC: G06F9/54
Abstract: A first message structure is selected from a first subset of a plurality of message structures based on a size of a message payload and a message type of the message payload. Each of the first subset of the plurality of message structures has a different size. A size of the first message structure is greater than or equal to the size of the message payload. A first request is transmitted to an application programming interface (API) utilizing the size of the first message structure. In response to transmitting the first request to the API, a reference is received to a buffer structure. The message payload is copied into the buffer structure using the reference to the buffer structure.
-
Publication No.: US20240289475A1
Publication Date: 2024-08-29
Application No.: US18175766
Filing Date: 2023-02-28
Applicant: CrowdStrike, Inc.
Inventor: Marco Vedovati, Martin Kelly
CPC classification number: G06F21/6209, G06F21/54, G06F21/552
Abstract: A method of generating a file hash using fingerprinting data includes acquiring, using one or more programs executing in a kernel space of an operating system, fingerprinting data associated with a target application process in a user space of the operating system responsive to detecting an execution of the target application process, sharing, by a processing device using the one or more programs, the fingerprinting data with a user space monitoring application executing in the user space of the operating system, generating a hash value of a target application file associated with the target application process, and determining, using the user space monitoring application, a validity of the hash value based on the fingerprinting data.
-
Publication No.: US20240289303A1
Publication Date: 2024-08-29
Application No.: US18175770
Filing Date: 2023-02-28
Applicant: CrowdStrike, Inc.
Inventor: Marco Vedovati, Martin Kelly
CPC classification number: G06F16/164, G06F16/137, G06F16/1734
Abstract: A method of generating a file hash using mount namespace data includes identifying, by a user space monitoring application executing in a user space of an operating system, a target application file associated with a target application process executing in the user space of the operating system, wherein the target application process is associated with a first mount namespace, accessing, by the user space monitoring application, a mapping between the first mount namespace and one or more processes executing in the user space of the operating system, switching, by a processing device, the user space monitoring application to the first mount namespace based on the mapping, and accessing, by the user space monitoring application, the target application file in the first mount namespace.
-
Publication No.: US20240202097A1
Publication Date: 2024-06-20
Application No.: US18081144
Filing Date: 2022-12-14
Applicant: CrowdStrike, Inc.
Inventor: Martin Kelly, Marco Vedovati, Igor Polevoy, Milos Petrbok
CPC classification number: G06F11/3495, G06F9/445, G06F9/545
Abstract: A unique process identifier (UPID) associated with a process identifier (PID) of a process executing in an operating system is generated in a kernel space of the operating system executing on a computing device. The UPID is inserted into a first mapping store that maps the PID to the UPID. A message is transmitted including the PID to a message buffer structure. A second mapping store that maps the UPID to the PID is updated in a user space of the operating system based on the message.
-
Publication No.: US20240211305A1
Publication Date: 2024-06-27
Application No.: US18069557
Filing Date: 2022-12-21
Applicant: CrowdStrike, Inc.
Inventor: Martin Kelly, Milos Petrbok
IPC: G06F9/48
CPC classification number: G06F9/4881
Abstract: Trackable activity performed by a process executing in an operating system of a computing device is detected. The process is associated with an initial sequence number and an initial message queue of a plurality of message queues, and each of the plurality of message queues comprises a first counter. Based on a comparison of the first counter to the initial sequence number, an assigned message queue of the process is set to the initial message queue or to a second message queue of the plurality of message queues. A message is transmitted on the assigned message queue, the message comprising a process identifier of the process.