WO2016094985A1 - Protection driver for defense against process or thread termination - Google Patents

Protection driver for defense against process or thread termination Download PDF

Info

Publication number
WO2016094985A1
WO2016094985A1 PCT/BR2015/000184 BR2015000184W WO2016094985A1 WO 2016094985 A1 WO2016094985 A1 WO 2016094985A1 BR 2015000184 W BR2015000184 W BR 2015000184W WO 2016094985 A1 WO2016094985 A1 WO 2016094985A1
Authority
WO
WIPO (PCT)
Prior art keywords
protected
group
thread
command
instructions
Prior art date
Application number
PCT/BR2015/000184
Other languages
French (fr)
Inventor
Fabio CAVALHEIRI MARENGHI
Paulo Márcio FIGUEIREDO ALVES
Felipe NAVA
Original Assignee
Gas Informatica Ltda
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gas Informatica Ltda filed Critical Gas Informatica Ltda
Publication of WO2016094985A1 publication Critical patent/WO2016094985A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Definitions

  • the present disclosure relates generally to computer systems and more particularly to protection of a process or a thread.
  • Modern computers are controlled by operating systems that execute computer programs as processes.
  • Processes include a memory space as well as a set of instructions that can be executed by the processor of a computer.
  • a process may include multiple threads which may independently executed by the computer processor.
  • FIG. 1 is a block diagram illustrating an example of a self protection device driver employing an application programming interface for protecting a process or thread.
  • FIG. 2 is a block diagram illustrating an example of a self protection device driver that registers itself with an operating system for protecting a process or thread.
  • FIG. 3 illustrates an example of a computer system upon which an example embodiment can be implemented.
  • FIG. 4 is a block diagram illustrating an example of a methodology employing an application programming interface to protect a process or thread.
  • FIG. 5 is a block diagram illustrating an example of a methodology that registers a self protection device driver with an operating system to protect a process or thread.
  • processes can protect themselves against forced terminations.
  • an operating system's kernel application programming interface API
  • operating system kernel callbacks are employed.
  • processes can protect themselves against forced terminations.
  • an operating system's kernel application programming interface API
  • operating system kernel callbacks are employed.
  • the kernel's application programming interface (API) hooks may be employed.
  • a device driver performs hooks in the following kernel APIs: ZwCreateThread, ZwCreateThreadEx, ZwOpenProcess, Zw2OpenThread, ZwTerminateProcess, and ZwTerminateThread.
  • the device driver determines if the origin of the command is form a trusted process, for example by using an internal list of trusted processes. If the command is from a trusted process, then the command is allowed to execute. However, if the command is not from a trusted process, then the driver prevents the command from executing and optionally returns an "access denied" message to the operating system.
  • FIG. 1 is a block diagram illustrating an example of a system 100 with a self protection device driver 104 employing an application programming interface (API) 108 for protecting a process or thread 102.
  • API application programming interface
  • the self protection device driver 104 comprises a tangible, non-transitory computer readable medium of instructions that contain instructions for execution by a process that when executed perform the functionality described herein.
  • the self protection device driver 104 creates a hook into via the API 108 into the kernel 1 10 of the operating system to protect one of a protected process, a protected thread, or both a protected process and a protected thread.
  • the self protection device driver 104 is capable of protecting multiple processes and threads.
  • the self protection device driver 104 intercepts, via the hook, any commands to suspend or terminate any protected process, protected thread, or both; For example, commands to terminate or suspend one or more threads of a protected process, to terminate or suspend the protected process, or to suspend or terminate both one or more threads of a protected process and the protected process will be intercepted by the self protection device driver 104.
  • the self protection device driver 104 determines whether the command to suspend or terminate a protected process, protected thread or both a protected process and thread originated from a predefined (e.g., "trusted") process.
  • a predefined process e.g., "trusted”
  • the self protection device driver may employ a database 106 containing a list of trusted processes.
  • the self protection device driver 104 prevents the command from executing.
  • the self protection device driver 104 may also return an access denied response to the operating system kernel 110.
  • the operating system kernel 1 10 may return an access denied message to the process where the command originated.
  • self protection device driver 104 determines that the command originated from a trusted process, the command is allowed to execute. For example, if the command originated from the application that created the process or thread, the command may be considered originating from a trusted process.
  • a driver registers itself to receive notifications from the Operating System, using ObRegisterCallbacks,. Whenever operation system manages or treats processes or threads, the device driver's callbacks are notified. After registration, the operating system notifies the driver whenever a process calls any process or thread's APIs, such as TerminateProcess, OpenProcess etc. The driver can then determine whether the call contains data representative of a protected process or thread. For example, the driver can extract data from notifications received by callbacks looking for the Process Id of protected processes and, if found, the driver checks if the caller (name of process) is present on an internal white list (e.g., list of trusted processes), if not, then returns access denied to operation system. If so, the driver prevents the call from the API from executing; otherwise, the call is permitted to execute.
  • an internal white list e.g., list of trusted processes
  • FIG. 2 is a block diagram illustrating an example of system 200 that a self protection device driver 204 that registers itself with an operating system 206 for protecting (prevent suspending or terminating) a protected process or a protected thread (or plurality of threads associated with a protected process) 202.
  • the self protection device driver 204 registers to receive notifications from an operating system 206 when a predetermined application programming interface is called by a process. For example, in a WINDOWS VISTA SP1 or higher environment, the self protection device driver 204 may register to receive notifications whenever a process calls APIs used to manage processes or threads.
  • the self protection device driver 204 Upon registration, the self protection device driver 204 is operable to receive a notification from the operating system kernel 206 when a process calls the predetermined application programming interface. The self protection device driver 204 determines whether the call to the predefined API contains data representative of a protected process, a protected thread, or both a protected process and a protected thread.
  • the self protection device driver 204 determines that the call contains data representative of a protected process, a protected thread, or both a protected process and a protected thread, the self protection device driver 204 prevents the execution of the predetermined application programming interface by the process responsive.
  • the self protection device driver 204 is operable to return data to the operating system indicating that access is denied to the predetermined application interface. If the self protection device driver 204 determines that the call does not contain data representative of a protected process, a protected thread, or both a protected process and a protected thread, the self protection device driver 204 allows the second process to access the predetermined application programming interface.
  • the self protection device driver 204 prevents execution of the call by the API. If a second process calls the predefined API, where the second call does not contain data representative of a protected process, thread, or both, the self protection device driver 204 allows the call to be executed by the API.
  • FIG. 3 illustrates an example of a computer 300 system upon which an example embodiment can be implemented.
  • computer system 300 may be employed for implementing components of system 100 described in FIG. 1 or components of system 200 described in FIG. 2.
  • Computer system 300 includes a bus 302 or other communication mechanism for communicating information and a processor 304 coupled with bus 302 for processing information.
  • Computer system 300 also includes a main memory 306, such as random access memory (RAM) or other dynamic storage device coupled to bus 302 for storing information and instructions to be executed by processor 304.
  • Main memory 306 also may be used for storing a temporary variable or other intermediate information during execution of instructions to be executed by processor 304.
  • Computer system 300 further includes a read only memory (ROM) 308 or other static storage device coupled to bus 302 for storing static information and instructions for processor 304.
  • a storage device 310 such as a magnetic disk or optical disk, is provided and coupled to bus 302 for storing information and instructions.
  • An aspect of the example embodiment is related to the use of computer system 300 for a self protecting process.
  • a self protecting process is provided by computer system 300 in response to processor 304 executing one or more sequences of one or more instructions contained in main memory 306. Such instructions may be read into main memory 306 from another computer-readable medium, such as storage device 310. Execution of the sequence of instructions contained in main memory 306 causes processor 304 to perform the process steps described herein.
  • processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 306.
  • hard-wired circuitry may be used in place of or in combination with software instructions to implement an example embodiment. Thus, embodiments described herein are not limited to any specific combination of hardware circuitry and software.
  • Non-volatile media include for example optical or magnetic disks, such as storage device 310.
  • Common forms of computer-readable media include for example floppy disk, a flexible disk, hard disk, magnetic cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASHPROM, CD, DVD or any other memory chip or cartridge, or any other medium from which a computer can read.
  • Figs 4-5 In view of the foregoing structural and functional features described above, methodologies in accordance with example embodiments will be better appreciated with reference to Figs 4-5. . While, for purposes of simplicity of explanation, the methodologies of Figs 4-5 are shown and described as executing serially, it is to be understood and appreciated that the example embodiments are not limited by the illustrated orders, as some aspects could occur in different orders and/or concurrently with other aspects from that shown and described herein. Moreover, not all illustrated features may be required. The methodologies described herein are suitably adapted to be implemented in logic. "Logic”, as used herein, includes but is not limited to hardware, firmware, software and/or combinations of each to perform a function(s) or an action(s), and/or to cause a function or action from another component.
  • Logic includes but is not limited to hardware, firmware, software and/or combinations of each to perform a function(s) or an action(s), and/or to cause a function or action from another component.
  • logic may include a software controlled microprocessor, discrete logic such as an application specific integrated circuit (ASIC), a programmable/programmed logic device, memory device containing instructions, or the like, or combinational logic embodied in hardware.
  • ASIC application specific integrated circuit
  • Logic may also be fully embodied as software that performs the desired functionality when executed by a processor
  • FIG. 4 is a block diagram illustrating an example of a methodology 400 smploying an application programming interface to protect a process or thread.
  • Methodology 400 may be implemented by self protecting driver 104 described in FIG. 1 or processor 304 described in FIG. 3.
  • a device driver e.g., self protecting or self protection device driver hooks into a kernel API.
  • a device driver e.g., self protecting or self protection device driver
  • ZwCreateThread ZwCreateThreadEx
  • ZwOpenProcess Zw20penThread
  • ZwTerminate Process ZwTerminateThread APIs
  • the driver intercepts a command from a process attempting to suspend or terminate a protected process or a protected thread.
  • the driver determines whether the command originated from a trusted process. For example, the driver may employ a list or database of predefined, approved process that are allowed to terminate or suspend the protected process or a protected thread.
  • the command is prevented from executing.
  • an access denied message may be provided to the operating system, which may forward the access denied message to the process where the command originated. If at 406, the process where the command originated is considered to be a trusted process (YES), the command is allowed to execute as indicated by 410.
  • FIG. 5 is a block diagram illustrating an example of a methodology 500 that registers a self protection device driver with an operating system to protect a process or thread.
  • methodology 500 can be implemented by self protection device driver 204 described in FIG. 2 or processor 304 described in FIG. 3.
  • a driver registers with an operating system to receive notifications if certain (predefined) APIs are called. Upon registration, the driver receives a notification whenever any process calls the predefined APIs.
  • the driver receives notification from the operating system that a process has called a predefined API, such as the same mentioned on Kernel API hook protection.
  • the driver determines whether the call contains a reference to any protected processes or threads, such as, for example, any processes or threads that are associated with a particular application.
  • the call to the API does not contain a reference to any predefined (e.g., protected) processes or threads (NO), the call to the API is allowed to continue as indicated at 508. However, if at 506, the call to the predefined API contains a reference to a predefined (protected) process or thread (YES), the call is not allowed to execute the predefined API as indicated by 510. In particular embodiments, the driver may return an access denied response to the operating system if the call is not allowed to execute the predefined API.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Computer systems Methods (implemented through instructions carried by a medium) and apparatus for protecting a process or thread (102, 202) against forced terminations are disclosed. The protection is accomplished by monitoring of commands targeting the processes or threads (102, 202) under protection. In one example embodiment (100), Operating Systems' API (108) usage is monitored by a Operating System Device Driver (104) using kernel hooks. In another example embodiment (200), that monitoring occurs using kernel callbacks.

Description

PROTECTION DRIVER FOR DEFENSE AGAINST PROCESS OR THREAD TERMINATION
Self Protecting Process
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] This application claims priority to U.S. Provisional Application No. 62/091 ,923, filed on December 15, 2014.
TECHNICAL FIELD
[0002] The present disclosure relates generally to computer systems and more particularly to protection of a process or a thread.
BACKGROUND
[0003] Modern computers are controlled by operating systems that execute computer programs as processes. Processes include a memory space as well as a set of instructions that can be executed by the processor of a computer. In addition, a process may include multiple threads which may independently executed by the computer processor.
BRIEF DESCRIPTION OF THE DRAWINGS
[0004] The accompanying drawings incorporated herein and forming a part of the specification illustrate the example embodiments.
[0005] FIG. 1 is a block diagram illustrating an example of a self protection device driver employing an application programming interface for protecting a process or thread.
[0006] FIG. 2 is a block diagram illustrating an example of a self protection device driver that registers itself with an operating system for protecting a process or thread.
[0007] FIG. 3 illustrates an example of a computer system upon which an example embodiment can be implemented. [0008] FIG. 4 is a block diagram illustrating an example of a methodology employing an application programming interface to protect a process or thread.
[0009] FIG. 5 is a block diagram illustrating an example of a methodology that registers a self protection device driver with an operating system to protect a process or thread.
OVERVIEW OF EXAMPLE EMBODIMENTS
[0010] The following presents a simplified overview of the example embodiments in order to provide a basic understanding of some aspects of the example embodiments. This overview is not an extensive overview of the example embodiments. It is intended to neither identify key or critical elements of the example embodiments nor delineate the scope of the appended claims. Its sole purpose is to present some concepts of the example embodiments in a simplified form as a prelude to the more detailed description that is presented later.
[0011] In example embodiments described herein, processes can protect themselves against forced terminations. In one example embodiment, an operating system's kernel application programming interface (API) is employed. In another example embodiment, operating system kernel callbacks are employed.
DESCRIPTION OF EXAMPLE EMBODIMENTS
[0012] This description provides examples not intended to limit the scope of the appended claims. The figures generally indicate the features of the examples, where it is understood and appreciated that like reference numerals are used to refer to like elements. Reference in the specification to "one embodiment" or "an embodiment" or "an example embodiment" means that a particular feature, structure, or characteristic described is included in at least one embodiment described herein and does not imply that the feature, structure, or characteristic is present in all embodiments described herein.
[0013] In example embodiments described herein, processes can protect themselves against forced terminations. In one example embodiment, an operating system's kernel application programming interface (API) is employed. In another example embodiment, operating system kernel callbacks are employed.
[0014] For example, for many version of WINDOWS, the kernel's application programming interface (API) hooks may be employed. A device driver performs hooks in the following kernel APIs: ZwCreateThread, ZwCreateThreadEx, ZwOpenProcess, Zw2OpenThread, ZwTerminateProcess, and ZwTerminateThread. Once the hooks are in place, if any process in the system attempts to kill, terminate, or suspend any of the protected threads or processes, for example, calling the function OpenProcess with the flag PROCESS__TERMINATE, calling function TerminateProcess or others, the device driver intercepts the command. The device driver determines if the origin of the command is form a trusted process, for example by using an internal list of trusted processes. If the command is from a trusted process, then the command is allowed to execute. However, if the command is not from a trusted process, then the driver prevents the command from executing and optionally returns an "access denied" message to the operating system.
[0015] FIG. 1 is a block diagram illustrating an example of a system 100 with a self protection device driver 104 employing an application programming interface (API) 108 for protecting a process or thread 102. For example, a process 102 with one or more threads may be created by an application (not shown). The self protection device driver 104 comprises a tangible, non-transitory computer readable medium of instructions that contain instructions for execution by a process that when executed perform the functionality described herein. In an example embodiment, the self protection device driver 104, creates a hook into via the API 108 into the kernel 1 10 of the operating system to protect one of a protected process, a protected thread, or both a protected process and a protected thread. As those skilled in the art can readily appreciate, the self protection device driver 104 is capable of protecting multiple processes and threads.
[0016] After the hook is established, the self protection device driver 104 intercepts, via the hook, any commands to suspend or terminate any protected process, protected thread, or both; For example, commands to terminate or suspend one or more threads of a protected process, to terminate or suspend the protected process, or to suspend or terminate both one or more threads of a protected process and the protected process will be intercepted by the self protection device driver 104.
[0017] The self protection device driver 104 determines whether the command to suspend or terminate a protected process, protected thread or both a protected process and thread originated from a predefined (e.g., "trusted") process. For example, the self protection device driver may employ a database 106 containing a list of trusted processes.
[0018] If the command originated from ^process that is not on the predefined (trusted) list, the self protection device driver 104 prevents the command from executing. The self protection device driver 104 may also return an access denied response to the operating system kernel 110. In particular embodiments, the operating system kernel 1 10 may return an access denied message to the process where the command originated.
[0019] If self protection device driver 104 determines that the command originated from a trusted process, the command is allowed to execute. For example, if the command originated from the application that created the process or thread, the command may be considered originating from a trusted process.
[0020] In an example embodiment, a driver registers itself to receive notifications from the Operating System, using ObRegisterCallbacks,. Whenever operation system manages or treats processes or threads, the device driver's callbacks are notified. After registration, the operating system notifies the driver whenever a process calls any process or thread's APIs, such as TerminateProcess, OpenProcess etc. The driver can then determine whether the call contains data representative of a protected process or thread. For example, the driver can extract data from notifications received by callbacks looking for the Process Id of protected processes and, if found, the driver checks if the caller (name of process) is present on an internal white list (e.g., list of trusted processes), if not, then returns access denied to operation system. If so, the driver prevents the call from the API from executing; otherwise, the call is permitted to execute.
[0021] FIG. 2 is a block diagram illustrating an example of system 200 that a self protection device driver 204 that registers itself with an operating system 206 for protecting (prevent suspending or terminating) a protected process or a protected thread (or plurality of threads associated with a protected process) 202. The self protection device driver 204 registers to receive notifications from an operating system 206 when a predetermined application programming interface is called by a process. For example, in a WINDOWS VISTA SP1 or higher environment, the self protection device driver 204 may register to receive notifications whenever a process calls APIs used to manage processes or threads.
[0022] Upon registration, the self protection device driver 204 is operable to receive a notification from the operating system kernel 206 when a process calls the predetermined application programming interface. The self protection device driver 204 determines whether the call to the predefined API contains data representative of a protected process, a protected thread, or both a protected process and a protected thread.
[0023] If the self protection device driver 204 determines that the call contains data representative of a protected process, a protected thread, or both a protected process and a protected thread, the self protection device driver 204 prevents the execution of the predetermined application programming interface by the process responsive. In particular embodiments, the self protection device driver 204 is operable to return data to the operating system indicating that access is denied to the predetermined application interface. If the self protection device driver 204 determines that the call does not contain data representative of a protected process, a protected thread, or both a protected process and a protected thread, the self protection device driver 204 allows the second process to access the predetermined application programming interface.
[0024] For example, if a first call is made to the predefined API by a first process that contains data representative of a protected process, thread or both, the self protection device driver 204 prevents execution of the call by the API. If a second process calls the predefined API, where the second call does not contain data representative of a protected process, thread, or both, the self protection device driver 204 allows the call to be executed by the API.
[0025] FIG. 3 illustrates an example of a computer 300 system upon which an example embodiment can be implemented. For example, computer system 300 may be employed for implementing components of system 100 described in FIG. 1 or components of system 200 described in FIG. 2.
[0026] Computer system 300 includes a bus 302 or other communication mechanism for communicating information and a processor 304 coupled with bus 302 for processing information. Computer system 300 also includes a main memory 306, such as random access memory (RAM) or other dynamic storage device coupled to bus 302 for storing information and instructions to be executed by processor 304. Main memory 306 also may be used for storing a temporary variable or other intermediate information during execution of instructions to be executed by processor 304. Computer system 300 further includes a read only memory (ROM) 308 or other static storage device coupled to bus 302 for storing static information and instructions for processor 304. A storage device 310, such as a magnetic disk or optical disk, is provided and coupled to bus 302 for storing information and instructions.
[0027] An aspect of the example embodiment is related to the use of computer system 300 for a self protecting process. According to an example embodiment, a self protecting process is provided by computer system 300 in response to processor 304 executing one or more sequences of one or more instructions contained in main memory 306. Such instructions may be read into main memory 306 from another computer-readable medium, such as storage device 310. Execution of the sequence of instructions contained in main memory 306 causes processor 304 to perform the process steps described herein. One or more processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 306. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement an example embodiment. Thus, embodiments described herein are not limited to any specific combination of hardware circuitry and software.
[0028] The term "computer-readable medium" as used herein refers to any medium that participates in providing instructions to processor 304 for execution. Such a medium may take many forms, including but not limited to non-volatile media. Non-volatile media include for example optical or magnetic disks, such as storage device 310. Common forms of computer-readable media include for example floppy disk, a flexible disk, hard disk, magnetic cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASHPROM, CD, DVD or any other memory chip or cartridge, or any other medium from which a computer can read.
[0029] In view of the foregoing structural and functional features described above, methodologies in accordance with example embodiments will be better appreciated with reference to Figs 4-5. . While, for purposes of simplicity of explanation, the methodologies of Figs 4-5 are shown and described as executing serially, it is to be understood and appreciated that the example embodiments are not limited by the illustrated orders, as some aspects could occur in different orders and/or concurrently with other aspects from that shown and described herein. Moreover, not all illustrated features may be required. The methodologies described herein are suitably adapted to be implemented in logic. "Logic", as used herein, includes but is not limited to hardware, firmware, software and/or combinations of each to perform a function(s) or an action(s), and/or to cause a function or action from another component. For example, based on a desired application or need, logic may include a software controlled microprocessor, discrete logic such as an application specific integrated circuit (ASIC), a programmable/programmed logic device, memory device containing instructions, or the like, or combinational logic embodied in hardware. Logic may also be fully embodied as software that performs the desired functionality when executed by a processor
[0030] FIG. 4 is a block diagram illustrating an example of a methodology 400 smploying an application programming interface to protect a process or thread. Methodology 400 may be implemented by self protecting driver 104 described in FIG. 1 or processor 304 described in FIG. 3.
[0031] At 402, a device driver (e.g., self protecting or self protection device driver) hooks into a kernel API. For example, for WINDOWS XP and VISTA without service packs, any one or combination of ZwCreateThread, ZwCreateThreadEx, ZwOpenProcess, Zw20penThread, ZwTerminate Process, and ZwTerminateThread APIs may be employed.
[0032] At 404, the driver intercepts a command from a process attempting to suspend or terminate a protected process or a protected thread. At 406, the driver determines whether the command originated from a trusted process. For example, the driver may employ a list or database of predefined, approved process that are allowed to terminate or suspend the protected process or a protected thread.
[0033] (f at 406, the process where the command originated is not considered to be a trusted process (NO), at 408, the command is prevented from executing. In particular embodiments, an access denied message may be provided to the operating system, which may forward the access denied message to the process where the command originated. If at 406, the process where the command originated is considered to be a trusted process (YES), the command is allowed to execute as indicated by 410.
[0034] FIG. 5 is a block diagram illustrating an example of a methodology 500 that registers a self protection device driver with an operating system to protect a process or thread. For example, methodology 500 can be implemented by self protection device driver 204 described in FIG. 2 or processor 304 described in FIG. 3.
[0035] At 502, a driver registers with an operating system to receive notifications if certain (predefined) APIs are called. Upon registration, the driver receives a notification whenever any process calls the predefined APIs.
[0036] At 504, the driver receives notification from the operating system that a process has called a predefined API, such as the same mentioned on Kernel API hook protection.
[0037] At 506, the driver determines whether the call contains a reference to any protected processes or threads, such as, for example, any processes or threads that are associated with a particular application.
[0038] If at 506, the call to the API does not contain a reference to any predefined (e.g., protected) processes or threads (NO), the call to the API is allowed to continue as indicated at 508. However, if at 506, the call to the predefined API contains a reference to a predefined (protected) process or thread (YES), the call is not allowed to execute the predefined API as indicated by 510. In particular embodiments, the driver may return an access denied response to the operating system if the call is not allowed to execute the predefined API.
[0039] Described above are example embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the example embodiments, but one of ordinary skill in the art will recognize that many further combinations and permutations of the example embodiments are possible. Accordingly, it is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of any claims filed in applications claiming priority hereto interpreted in accordance with the breadth to which they are fairly, legally and equitably entitled.

Claims

1. A tangible, non-transitory computer readable medium of instructions with instructions encoded thereon for execution by a processor and when executed operable to:
create a hook into a predefined kernel application programming interface of an operating system to protect one of group consisting of a protected process and a protected thread;
intercept, via the hook, a command to one of a group consisting of suspend and terminate the one of the group consisting of the protected process and the protected thread;
determine whether the command originated from a predefined process; and prevent the command to one of the group consisting of suspend and terminate the one of the group consisting of the protected process and the protected thread from executing responsive to determining the command did not originate from the predefined process.
2. The tangible, non-transitory computer readable medium of instructions of claim 1 , further operable to:
intercept a second command to one of a group consisting of suspend and terminate the one of the group consisting of the protected process and the protected thread;
determine whether the second command originated from a predefined process; and allow the process from one of the group consisting of suspend and terminate the one of the group consisting of the protected process and the protected thread responsive to determining the second command originated from the predefined process.
3. The tangible, non-transitory computer readable medium of instructions of claim 1 , wherein the one of a group consisting of the protected process and the protected thread is a process.
4. The tangible, non-transitory computer readable medium of instructions of claim 1 , wherein the one of a group consisting of the protected process and the protected thread is a thread.
5. The tangible, non-transitory computer readable medium of instructions of claim 1 , wherein the command to one of a group consisting of suspend and terminate the one of the group consisting of the protected process and the protected thread is a command to suspend a protected process.
6. The tangible, non-transitory computer readable medium of instructions of claim 1 , wherein the command to one of a group consisting of suspend and terminate the one of the group consisting of the protected process and the protected thread is a command to terminate a protected process.
7. The tangible, non-transitory computer readable medium of instructions of claim 1 , wherein the hook into a predefined kernel application programming interface is one of a group consisting of ZwCreateThread, ZwCreateThreadEx, ZwOpenProcess, ZwOpenThread, ZwTerminateProcess, and ZwTerminate thread.
8. The tangible, non-transitory computer readable medium of instructions of claim 1 , wherein the instructions are operable to use an internal list of predefined processes to determine whether the command originated from a predefined process.
9. The tangible, non-transitory computer readable medium of instructions of claim 1 , the instructions are operable to return an access denied indication to the operating system responsive to determining the command did not originate from the predefined process.
10. A tangible, non-transitory computer readable medium of instructions with instructions encoded thereon for execution by a processor and when executed operable to:
register to receive notifications from an operating system when a predetermined application programming interface is called by a process;
receive a notification from the operating system that a process has called the predetermined application programming interface;
determine whether the call contains data representative of one of a group consisting of a protected process, a protected thread, and both a protected process and a protected thread; and
prevent the execution of the predetermined application programming interface by the process responsive to determining the call to the predetermined application programming interface contains data representative of one of a group consisting of a protected process, a protected thread, and both a protected process and a protected thread.
11. The tangible, non-transitory computer readable medium of claim 10, the instructions are operable to return data to the operating system indicating access is denied to the predetermined application interface.
12. The tangible, non-transitory computer readable medium of claim 10, the instructions are further operable to:
receive a notification from the operating system that a second process has called the predetermined application programming interface;
allow the second process to access the predetermined application programming interface responsive to determining the call to the predetermined application programming interface from the second process does not contain data representative of one of a group consisting of a protected process, a protected thread, and both a protected process and a protected thread.
13. The tangible non-transitory computer readable medium of claim 10, wherein the instructions are operable to use ObRegisteCallbacks to register to receive notifications from the operating system.
14. . The tangible non-transitory computer readable medium of claim 10, the instructions to determine whether the call contains data representative of one of a group consisting of a protected process, a protected thread, and both a protected process and a protected thread are operable to:
extract data representative of a process identifier from a notification received from the operating system;
determine whether the extracted data representative of a process identifier is for a protected process; and
determine whether the process that called the predetermined application programming interface is a trusted process.
15. The tangible non-transitory computer readable medium of claim 14, wherein the instructions to determine whether the call contains data representative of one of a group consisting of a protected process, a protected thread, and both a protected process and a protected thread are operable to determine whether the process that called the predetermined application programming interface is on a list of trusted processes.
16. An apparatus, comprising:
a processor;
logic encoded on a tangible, non-transitory computer readable medium for execution by the processor and when executed operable to:
create a hook into a predefined kernel application programming interface of an operating system to protect one of group consisting of a protected process and a protected thread;
intercept, via the hook, a command to one of a group consisting of suspend and terminate the one of the group consisting of the protected process and the protected thread;
determine whether the command originated from a predefined process; and prevent the command to one of the group consisting of suspend and terminate the one of the group consisting of the protected process and the protected thread from executing responsive to determining the command did not originate from the predefined process.
17. The apparatus of claim 16, the logic is further operable to:
intercept a second command to one of a group consisting of suspend and terminate the one of the group consisting of the protected process and the protected thread;
determine whether the second command originated from a predefined process; and allow the process from one of the group consisting of suspend and terminate the one of the group consisting of the protected process and the protected thread responsive to determining the second command originated from the predefined process.
18. The apparatus of claim 16, wherein the one of a group consisting of the protected process and the protected thread is a process.
19. The apparatus of claim 16, wherein the one of a group consisting of the protected process and the protected thread is a thread.
20. The apparatus of claim 16, wherein the command to one of a group consisting of suspend and terminate the one of the group consisting of the protected process and the protected thread is a command to suspend a protected process.
PCT/BR2015/000184 2014-12-15 2015-12-15 Protection driver for defense against process or thread termination WO2016094985A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201462091923P 2014-12-15 2014-12-15
US62/091,923 2014-12-15

Publications (1)

Publication Number Publication Date
WO2016094985A1 true WO2016094985A1 (en) 2016-06-23

Family

ID=56125474

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/BR2015/000184 WO2016094985A1 (en) 2014-12-15 2015-12-15 Protection driver for defense against process or thread termination

Country Status (1)

Country Link
WO (1) WO2016094985A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110046502A (en) * 2019-04-08 2019-07-23 中国科学院软件研究所 A kind of configurable function API monitoring method based on the efficient HASH of virtualization

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090070878A1 (en) * 2007-09-10 2009-03-12 Hao Wang Malware prevention system monitoring kernel events
US8161552B1 (en) * 2009-09-23 2012-04-17 Trend Micro, Inc. White list creation in behavior monitoring system
US20120255014A1 (en) * 2011-03-29 2012-10-04 Mcafee, Inc. System and method for below-operating system repair of related malware-infected threads and resources

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090070878A1 (en) * 2007-09-10 2009-03-12 Hao Wang Malware prevention system monitoring kernel events
US8161552B1 (en) * 2009-09-23 2012-04-17 Trend Micro, Inc. White list creation in behavior monitoring system
US20120255014A1 (en) * 2011-03-29 2012-10-04 Mcafee, Inc. System and method for below-operating system repair of related malware-infected threads and resources

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110046502A (en) * 2019-04-08 2019-07-23 中国科学院软件研究所 A kind of configurable function API monitoring method based on the efficient HASH of virtualization
CN110046502B (en) * 2019-04-08 2020-12-04 中国科学院软件研究所 Configurable function API monitoring method based on virtualized efficient HASH

Similar Documents

Publication Publication Date Title
US10032024B2 (en) System and method for virtual partition monitoring
US9280664B2 (en) Apparatus and method for blocking activity of malware
US8621628B2 (en) Protecting user mode processes from improper tampering or termination
KR102075372B1 (en) Exception handling in a data processing apparatus having a secure domain and a less secure domain
US9990490B2 (en) Generic privilege escalation prevention
US20160232347A1 (en) Mitigating malware code injections using stack unwinding
US11042633B2 (en) Methods for protecting software hooks, and related computer security systems and apparatus
WO2015119522A2 (en) Systems and methods for detecting return-oriented programming (rop) exploits
CA3021285C (en) Methods and systems for network security
US9037823B2 (en) Protecting IAT/EAT hooks from rootkit attacks using new CPU assists
CN111919198B (en) Kernel function callback method and system
US9596261B1 (en) Systems and methods for delivering context-specific introspection notifications
US9536084B1 (en) Systems and methods for delivering event-filtered introspection notifications
US10339307B2 (en) Intrusion detection system in a device comprising a first operating system and a second operating system
US20140157411A1 (en) Safety protection method and safety protection device
CN106650410B (en) Permission control method and device for android applications
WO2016094985A1 (en) Protection driver for defense against process or thread termination
US9531735B1 (en) Systems and methods for delivering introspection notifications from a virtual machine
US20180226136A1 (en) System management mode test operations
US11328055B2 (en) Process verification
CN113836529A (en) Process detection method, device, storage medium and computer equipment
CN109711153B (en) Windows process protection method and system
Liao et al. A stack-based lightweight approach to detect kernel-level rookits
WO2016094990A1 (en) Self-protecting file protection
KR20120126665A (en) Malicious program blocking apparatus and method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15868730

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15868730

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 06/11/2017)