US-20260127266-A1 - Systems and Methods for Detecting Malicious Modifications of a Loaded Software Module

Abstract

Kernel-mode security software detects a trigger event indicative of a specific stage in the lifecycle of a target software entity executing in user mode. In response, the security software identifies a target object residing in memory (e.g., loaded library, chunk of code, etc.) according to a current content of the user-mode call stack, and determines whether the target object is malicious. Various methods described herein detect malicious modifications of a loaded module, such as overload, stomping, and unhooking, among others. Other methods described herein detect dynamically swapped libraries and malicious shellcode, among others.

Inventors

  • Andrei V. LUTAS
  • Ionel C. ANICHITEI
  • Nicolae BODEA

Assignees

  • Bitdefender IPR Management Ltd.

Dates

Publication Date: 2026-05-07
Application Date: 2025-01-07

Claims (19)

  1. A computer system comprising at least one hardware processor configured to: in response to an occurrence of a trigger event caused by an executing process, identify an executable module loaded into memory for use by the process, the executable module identified according to a current content of a call stack of the process, and wherein the executable module comprises executable code; identify a target memory location according to memory relocation data or according to exception handling data included in the executable module, wherein: the memory relocation data is indicative of addresses referenced by the executable code, addresses which were translated upon loading the executable code into memory, and the exception handling data instructs an operating system of the computer system on handling exceptions occurring during execution of the executable code; determine whether a content stored at the target memory location has been overwritten following a loading of the executable module into memory; and in response, if yes, determine that the executable module comprises malicious software.
  2. The computer system of claim 1, wherein determining whether the content stored at the target memory location has been overwritten comprises: determining whether the content stored at the target memory location comprises an address within a section of memory allocated for the executable module; and in response, if yes, determine that the content stored at the memory location has not been overwritten.
  3. The computer system of claim 1, wherein determining whether the content stored at the target memory location has been overwritten comprises: determining whether the content stored at the target memory location comprises an address within a section of memory allocated for another executable module; and in response, if yes, determine that the content stored at the selected location has not been overwritten.
  4. The computer system of claim 1, wherein identifying the target memory location comprises: determining an expected location of a function prologue within a section of memory storing the executable code, the expected location determined according to the exception handling data; and identifying the target memory location according to the expected location.
  5. The computer system of claim 4, wherein the exception handling data comprises instructions for unwinding the call stack in response to the exception, and wherein the at least one hardware processor is configured to determine the expected location of the function prologue according to the instructions for unwinding the call stack.
  6. The computer system of claim 1, wherein determining whether the content stored at the target memory location has been overwritten comprises: determining an expected processor instruction according to the exception handling data; determining whether the content stored at the target memory location comprises an encoding of the expected processor instruction; and in response, if no, determining that the content stored at the target memory location has been overwritten.
  7. The computer system of claim 6, wherein the exception handling data comprises instructions for unwinding the call stack in response to the exception, and wherein the at least one hardware processor is configured to determine the expected processor instruction according to the instructions for unwinding the call stack.
  8. The computer system of claim 1, wherein the executable module is structured according to a portable executable (PE) format, and wherein the at least one hardware processor is configured to determine whether the executable module comprises malicious software according to a content of a .RELOC section of the executable module or according to a content of a .PDATA section of the executable module.
  9. The computer system of claim 1, wherein the trigger event is indicative of an action performed by the process, the action selected from a group consisting of loading another executable module into memory, spawning a child process, creating a thread, connecting to a network socket, and accessing a storage device of the computer system.
  10. A computer security method comprising employing at least one hardware processor of a computer system to: in response to an occurrence of a trigger event caused by an executing process, identify an executable module loaded into memory for use by the process, the executable module identified according to a current content of a call stack of the process, and wherein the executable module comprises executable code; identify a target memory location according to memory relocation data or according to exception handling data included in the executable module, wherein: the memory relocation data is indicative of addresses referenced by the executable code, addresses which were translated upon loading the executable code into memory, and the exception handling data instructs an operating system of the computer system on handling exceptions occurring during execution of the executable code; determine whether a content stored at the target memory location has been overwritten following a loading of the executable module into memory; and in response, if yes, determine that the executable module comprises malicious software.
  11. The method of claim 10, wherein determining whether the content stored at the target memory location has been overwritten comprises: determining whether the content stored at the target memory location comprises an address within a section of memory allocated for the executable module; and in response, if yes, determine that the content stored at the memory location has not been overwritten.
  12. The method of claim 10, wherein determining whether the content stored at the target memory location has been overwritten comprises: determining whether the content stored at the target memory location comprises an address within a section of memory allocated for another executable module; and in response, if yes, determine that the content stored at the selected location has not been overwritten.
  13. The method of claim 10, wherein identifying the target memory location comprises: determining an expected location of a function prologue within a section of memory storing the executable code, the expected location determined according to the exception handling data; and identifying the target memory location according to the expected location.
  14. The method of claim 13, wherein the exception handling data comprises instructions for unwinding the call stack in response to the exception, and wherein the method comprises determining the expected location of the function prologue according to the instructions for unwinding the call stack.
  15. The method of claim 10, wherein determining whether the content stored at the target memory location has been overwritten comprises: determining an expected processor instruction according to the exception handling data; determining whether the content stored at the target memory location comprises an encoding of the expected processor instruction; and in response, if no, determining that the content stored at the target memory location has been overwritten.
  16. The method of claim 15, wherein the exception handling data comprises instructions for unwinding the call stack in response to the exception, and wherein the method comprises determining the expected processor instruction according to the instructions for unwinding the call stack.
  17. The method of claim 10, wherein the executable module is structured according to a portable executable (PE) format, and wherein the method comprises determining whether the executable module comprises malicious software according to a content of a .RELOC section of the executable module or according to a content of a .PDATA section of the executable module.
  18. The method of claim 10, wherein the trigger event is indicative of an action performed by the process, the action selected from a group consisting of loading another executable module into memory, spawning a child process, creating a thread, connecting to a network socket, and accessing a storage device of the computer system.
  19. A non-transitory computer-readable medium storing instructions which, when executed by at least one hardware processor of a computer system, causes the computer system to: in response to an occurrence of a trigger event caused by an executing process, identify an executable module loaded into memory for use by the process, the executable module identified according to a current content of a call stack of the process, and wherein the executable module comprises executable code; identify a target memory location according to memory relocation data or according to exception handling data included in the executable module, wherein: the memory relocation data is indicative of addresses referenced by the executable code, addresses which were translated upon loading the executable code into memory, and the exception handling data instructs an operating system of the computer system on handling exceptions occurring during execution of the executable code; determine whether a content stored at the target memory location has been overwritten following a loading of the executable module into memory; and in response, if yes, determine that the executable module comprises malicious software.
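
The relocation-based check of claims 1-3 and 8, as an added worked example that is not code from the patent or from Bitdefender. It walks the .RELOC blocks of a loaded x64 image (IMAGE_BASE_RELOCATION headers followed by 16-bit type/offset entries), reads the 64-bit pointer the loader stored at each DIR64 fixup, and accepts it only if it lands inside the module itself (claim 2) or inside another loaded module (claim 3); any other value means the bytes at that location were overwritten after load. The image, its relocation block, the module map and all addresses are constructed for illustration and are not taken from any real binary.

```python
"""Detect post-load overwrites of relocated pointers using .reloc data (added example)."""
import struct

# IMAGE_BASE_RELOCATION: DWORD VirtualAddress, DWORD SizeOfBlock, then WORD entries
# whose top 4 bits are the fixup type and low 12 bits the offset within the page.
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup applied
IMAGE_REL_BASED_DIR64 = 10     # 64-bit pointer fixup used by x64 images


def parse_reloc_blocks(reloc: bytes):
    """Yield (rva, reloc_type) for every real fixup entry in a .reloc section."""
    off = 0
    while off + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, off)
        if size < 8:
            break
        for i in range((size - 8) // 2):
            entry, = struct.unpack_from("<H", reloc, off + 8 + 2 * i)
            if entry >> 12 != IMAGE_REL_BASED_ABSOLUTE:
                yield page_rva + (entry & 0xFFF), entry >> 12
        off += size


def owning_module(addr: int, module_map):
    """Return the name of the loaded module whose range contains addr, else None."""
    for name, base, size in module_map:
        if base <= addr < base + size:
            return name
    return None


def find_overwritten_pointers(image: bytes, reloc: bytes, module_map):
    """
    For each DIR64 fixup, read the pointer now stored at the fixup location and
    classify it. Returns a list of (rva, value, verdict); verdict is "ok:<module>"
    when the pointer lands in a loaded module and "overwritten" otherwise.
    """
    findings = []
    for rva, reloc_type in parse_reloc_blocks(reloc):
        if reloc_type != IMAGE_REL_BASED_DIR64:
            continue
        value, = struct.unpack_from("<Q", image, rva)
        owner = owning_module(value, module_map)
        findings.append((rva, value, "overwritten" if owner is None else f"ok:{owner}"))
    return findings


def module_is_modified(image: bytes, reloc: bytes, module_map) -> bool:
    """Claim 1 verdict: any overwritten fixup location marks the module as modified."""
    return any(v == "overwritten" for _, _, v in find_overwritten_pointers(image, reloc, module_map))


def build_reloc_block(page_rva: int, offsets):
    """Encode one IMAGE_BASE_RELOCATION block of DIR64 entries (DWORD-aligned)."""
    entries = [struct.pack("<H", (IMAGE_REL_BASED_DIR64 << 12) | o) for o in offsets]
    if len(entries) % 2:                      # pad with an ABSOLUTE entry
        entries.append(struct.pack("<H", 0))
    body = b"".join(entries)
    return struct.pack("<II", page_rva, 8 + len(body)) + body


# Constructed scenario (hypothetical addresses): a module mapped at 0x140000000
# whose first code page holds two relocated pointers, one into its own data and
# one into a function of a second module mapped at 0x7FF800000000.
IMAGE_BASE = 0x140000000
OTHER_BASE = 0x7FF800000000
MODULE_MAP = [("target.dll", IMAGE_BASE, 0x3000), ("other.dll", OTHER_BASE, 0x200000)]
RELOC = build_reloc_block(0x1000, [0x10, 0x28])


def make_clean_image() -> bytearray:
    """Image as the loader left it: both fixup slots hold translated addresses."""
    img = bytearray(0x3000)
    struct.pack_into("<Q", img, 0x1010, IMAGE_BASE + 0x2040)   # pointer into own module
    struct.pack_into("<Q", img, 0x1028, OTHER_BASE + 0x1F2C0)  # pointer into other.dll
    return img


def make_stomped_image() -> bytearray:
    """Same image after the code page was overwritten (constructed 0xCC filler)."""
    img = make_clean_image()
    img[0x1000:0x1040] = b"\xCC" * 0x40
    return img


if __name__ == "__main__":
    for label, img in (("clean", make_clean_image()), ("stomped", make_stomped_image())):
        print(label, module_is_modified(img, RELOC, MODULE_MAP),
              find_overwritten_pointers(img, RELOC, MODULE_MAP))
```

The module map is the piece a kernel-mode component would take from the process's loaded-module list; here it is a hard-coded list. A fixup whose slot was rewritten by a module overload or stomp reads back as whatever the new content happens to be, which almost never falls inside any mapped module, so no signature of the injected code is needed.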

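The exception-handling-data check of claims 4-7, as a second added example (again not the patent's or Bitdefender's code). On x64 Windows the .PDATA section holds RUNTIME_FUNCTION entries pointing at UNWIND_INFO records, and the unwind codes describe each prologue instruction together with the offset of the instruction that follows it. From that, the code below recovers where each prologue instruction must sit and how it must be encoded, then compares with the bytes actually in memory; a mismatch means the prologue was overwritten (an inline patch or a stomped function). Only the two single-slot unwind operations needed for the constructed function are encoded, and the sample function, its .PDATA entry and UNWIND_INFO are constructed for illustration.

```python
"""Verify function prologues against x64 unwind data in .pdata (added example)."""
import struct

UWOP_PUSH_NONVOL = 0   # push <reg>; OpInfo = register number
UWOP_ALLOC_SMALL = 2   # sub rsp, 8*(OpInfo+1)
# Unwind operations that occupy extra 16-bit slots after the first one.
EXTRA_SLOTS = {1: lambda info: 1 if info == 0 else 2,  # UWOP_ALLOC_LARGE
               4: lambda info: 1, 5: lambda info: 2,    # SAVE_NONVOL, SAVE_NONVOL_FAR
               8: lambda info: 1, 9: lambda info: 2}    # SAVE_XMM128, SAVE_XMM128_FAR


def parse_runtime_functions(pdata: bytes):
    """Yield (begin_rva, end_rva, unwind_info_rva) for each 12-byte RUNTIME_FUNCTION."""
    for off in range(0, len(pdata) - len(pdata) % 12, 12):
        yield struct.unpack_from("<III", pdata, off)


def parse_unwind_codes(image: bytes, unwind_rva: int):
    """Return (size_of_prolog, [(code_offset, op, info), ...]) from an UNWIND_INFO."""
    _ver_flags, size_of_prolog, count, _frame = struct.unpack_from("<BBBB", image, unwind_rva)
    codes, slot = [], 0
    while slot < count:
        code_offset, op_byte = struct.unpack_from("<BB", image, unwind_rva + 4 + 2 * slot)
        op, info = op_byte & 0xF, op_byte >> 4
        codes.append((code_offset, op, info))
        slot += 1 + EXTRA_SLOTS.get(op, lambda i: 0)(info)
    return size_of_prolog, codes


def expected_instruction(op: int, info: int):
    """Encode the prologue instruction an unwind code describes (None if not modelled)."""
    if op == UWOP_PUSH_NONVOL:                      # push r8-r15 needs a REX.B prefix
        return (b"\x41" if info >= 8 else b"") + bytes([0x50 + (info & 7)])
    if op == UWOP_ALLOC_SMALL:                      # sub rsp, imm8
        return b"\x48\x83\xEC" + bytes([8 * (info + 1)])
    return None


def check_prologues(image: bytes, pdata: bytes):
    """
    Claims 4-7: for every function, derive the expected location and encoding of
    each prologue instruction from the unwind codes and compare with memory.
    Returns a list of (location_rva, expected_bytes, actual_bytes, matches).
    """
    findings = []
    for begin, _end, unwind_rva in parse_runtime_functions(pdata):
        _size_of_prolog, codes = parse_unwind_codes(image, unwind_rva)
        for code_offset, op, info in codes:
            expected = expected_instruction(op, info)
            if expected is None:
                continue
            # CodeOffset is the offset of the instruction *after* this one, so the
            # instruction itself starts len(expected) bytes earlier.
            loc = begin + code_offset - len(expected)
            actual = bytes(image[loc:loc + len(expected)])
            findings.append((loc, expected, actual, actual == expected))
    return findings


def prologues_intact(image: bytes, pdata: bytes) -> bool:
    """Claim 1 verdict from the .pdata side: any mismatching prologue byte is an overwrite."""
    return all(ok for _, _, _, ok in check_prologues(image, pdata))


# Constructed function at RVA 0x1000 with prologue: push rbp; push rdi; sub rsp, 0x20
FUNC_RVA, UNWIND_RVA = 0x1000, 0x2000
PROLOGUE = b"\x55\x57\x48\x83\xEC\x20"
# UNWIND_INFO: version 1/flags 0, SizeOfProlog 6, CountOfCodes 3, no frame register,
# then codes in descending CodeOffset order (op in the low nibble, OpInfo in the high).
UNWIND_INFO = bytes([0x01, 0x06, 0x03, 0x00,
                     0x06, (3 << 4) | UWOP_ALLOC_SMALL,     # after sub rsp,0x20 (offset 6)
                     0x02, (7 << 4) | UWOP_PUSH_NONVOL,     # after push rdi  (offset 2)
                     0x01, (5 << 4) | UWOP_PUSH_NONVOL,     # after push rbp  (offset 1)
                     0x00, 0x00])                           # pad to an even slot count
PDATA = struct.pack("<III", FUNC_RVA, FUNC_RVA + 0x40, UNWIND_RVA)


def make_clean_image() -> bytearray:
    img = bytearray(0x3000)
    img[FUNC_RVA:FUNC_RVA + len(PROLOGUE)] = PROLOGUE
    img[FUNC_RVA + len(PROLOGUE)] = 0xC3                    # ret, stands in for the body
    img[UNWIND_RVA:UNWIND_RVA + len(UNWIND_INFO)] = UNWIND_INFO
    return img


def make_patched_image() -> bytearray:
    """Same image with the prologue start replaced by a 5-byte relative jump (constructed)."""
    img = make_clean_image()
    img[FUNC_RVA:FUNC_RVA + 5] = b"\xE9\x00\x00\x00\x00"
    return img


if __name__ == "__main__":
    print("clean  :", prologues_intact(make_clean_image(), PDATA))
    print("patched:", prologues_intact(make_patched_image(), PDATA), check_prologues(make_patched_image(), PDATA))
```

Unwind data is emitted by the compiler and cannot be dropped from an x64 image without breaking exception handling, which is why it makes a durable reference: the expected prologue bytes come from the module itself, not from a signature database. A production check would also follow chained UNWIND_INFO records (UNW_FLAG_CHAININFO) and model the remaining unwind operations.
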
Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of the filing date of U.S. provisional patent application No. 63/715,705, filed on Nov. 4, 2024, titled “Anti-Malware Systems and Methods,” the content of which is incorporated by reference herein.

BACKGROUND OF THE INVENTION

The invention relates to computer security, and in particular to protecting computers against malicious software (malware).

Malicious software affects a great number of computer systems worldwide. In its many forms such as computer viruses, worms, rootkits, and spyware, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data and sensitive information, identity theft, and loss of productivity, among others.

Security software employs a variety of methods and strategies to combat malicious software. Some such methods try to match the contents of memory against a predetermined library of malicious code snippets and patterns, commonly known as signatures. Other exemplary methods monitor the execution of selected software entities, looking for patterns of behavior that are indicative of malice.

Malware detection and mitigation face substantial technical challenges. Activities related to behavior monitoring and signature matching are computationally costly and may adversely affect productivity and user experience. Some components of the security software are themselves vulnerable to attack. Last but not least, malware constantly evolves to evade detection. Therefore, there is a persistent interest in developing novel, efficient, and robust anti-malware systems and methods.

SUMMARY OF THE INVENTION

According to one aspect, a computer system comprises at least one hardware processor configured to, in response to an occurrence of a trigger event caused by an executing process, identify an executable module loaded into memory for use by the process, the executable module identified according to a current content of a call stack of the process. The executable module comprises executable code. The at least one hardware processor is further configured to identify a target memory location according to memory relocation data or according to exception handling data included in the executable module. The memory relocation data is indicative of addresses referenced by the executable code, addresses which were translated upon loading the executable code. The exception handling data instructs an operating system of the computer system on handling exceptions occurring during execution of the executable code. The at least one hardware processor is further configured to determine whether a content stored at the target memory location has been overwritten following a loading of the executable module into memory, and in response, if yes, to determine that the executable module comprises malicious software.

According to another aspect, a computer security method comprises employing at least one hardware processor of a computer system to, in response to an occurrence of a trigger event caused by an executing process, identify an executable module loaded into memory for use by the process, the executable module identified according to a current content of a call stack of the process. The executable module comprises executable code. The method further comprises identifying a target memory location according to memory relocation data or according to exception handling data included in the executable module. The memory relocation data is indicative of addresses referenced by the executable code, addresses which were translated upon loading the executable code. The exception handling data instructs an operating system of the computer system on handling exceptions occurring during execution of the executable code. The method further comprises determining whether a content stored at the target memory location has been overwritten following a loading of the executable module into memory, and in response, if yes, determining that the executable module comprises malicious software.

According to another aspect, a non-transitory computer-readable medium stores instructions which, when executed by at least one hardware processor of a computer system, causes the computer system to, in response to an occurrence of a trigger event caused by an executing process, identify an executable module loaded into memory for use by the process, the executable module identified according to a current content of a call stack of the process. The executable module comprises executable code. The instructions further cause the computer system to identify a target memory location according to memory relocation data or according to exception handling data included in the executable module. The memory relocation data is indicative of addresses referenced by the executable code, addresses which were translated upon loading the executable code. The exception handling data instructs an operating system of the computer system on han