Abstract
Techniques are described herein for loading a user-mode component of a security agent based on an asynchronous procedure call (APC) built by a kernel-mode component of the security agent. The APC is executed while a process loads, causing the process to load the user-mode component. The user-mode component then identifies slack space of the process, stores instructions in the slack space, and hooks function(s) of the process, including modifying instruction(s) of the function(s) to call the instructions stored in the slack space. When those modified instruction(s) call the stored instructions, the stored instructions invoke the user-mode component, which receives data from the hooked function(s). Also, the security agent may bypass a control-flow protection mechanism of the operating system by setting a pointer of the control-flow protection mechanism to point to an alternate verification function.
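The last sentence of the abstract is easy to underestimate: on Windows, Control Flow Guard vets every indirect call in a CFG-compiled image through one per-image function pointer (`__guard_check_icall_fptr`), which the loader points at the verifier in ntdll. Retargeting that pointer is therefore enough to make the image accept a hook stub the OS never marked as a valid call target. The following C is an added simulation of that mechanism, written for this page and not taken from the patent or from any product; the guard pointer, the sorted target table standing in for the OS bitmap, the "return -1 instead of terminating" policy, and all function names are assumptions. It also includes the integrity check a defender would want: confirming the guard pointer still refers to the OS verifier.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*callback_fn)(int);
typedef int (*icall_check_fn)(uintptr_t target);   /* returns 1 if the target may be called */

/* Two functions the image legitimately calls indirectly (constructed for this example). */
static int legit_double(int x) { return x * 2; }
static int legit_negate(int x) { return -x; }

/* The set of valid indirect-call targets. Real CFG keeps this as an OS-owned bitmap;
 * a tiny table is enough to show the control flow. */
static int os_verify(uintptr_t target) {
    const uintptr_t valid[] = { (uintptr_t)legit_double, (uintptr_t)legit_negate };
    for (size_t i = 0; i < sizeof valid / sizeof valid[0]; i++)
        if (valid[i] == target) return 1;
    return 0;
}

/* The per-image guard pointer the agent retargets. In a real image it sits in
 * read-only data, so the write would first need the page made writable (assumed,
 * not shown here). */
static icall_check_fn guard_check_icall_fptr = os_verify;

/* What the compiler emits around every indirect call site: check, then call.
 * Real CFG raises a fast-fail on refusal; this simulation returns -1 instead. */
int dispatch(callback_fn fn, int arg) {
    if (!guard_check_icall_fptr((uintptr_t)fn)) return -1;
    return fn(arg);
}

/* The agent's hook stub. It lives in the agent module (or slack space), so the
 * OS never registered it as a valid target and os_verify refuses it. */
static int agent_hook_calls;
static int agent_hook(int x) { agent_hook_calls++; return legit_double(x); }

/* Alternate verifier: keep the OS decision for everything else, admit the stub. */
static int agent_verify(uintptr_t target) {
    return target == (uintptr_t)agent_hook || os_verify(target);
}

void agent_install(void)   { guard_check_icall_fptr = agent_verify; }
void agent_uninstall(void) { guard_check_icall_fptr = os_verify; }

/* Defender-side integrity check: is the guard pointer still the OS verifier? */
int guard_pointer_intact(void) { return guard_check_icall_fptr == os_verify; }

callback_fn legit_fn(void)      { return legit_double; }
callback_fn agent_hook_fn(void) { return agent_hook; }
int agent_hook_count(void)      { return agent_hook_calls; }

/* Before the swap the stub is refused; after it, the same call goes through.
 * Returns the result after uninstall (refused again). */
int run_cfg_demo(int *before, int *after) {
    *before = dispatch(agent_hook, 21);
    agent_install();
    *after = dispatch(agent_hook, 21);
    agent_uninstall();
    return dispatch(agent_hook, 21);
}

int main(void) {
    int before, after;
    int restored = run_cfg_demo(&before, &after);
    printf("stub before swap: %d, after swap: %d, after restore: %d, guard intact: %d\n",
           before, after, restored, guard_pointer_intact());
    return 0;
}
```

The point of the simulation is that the OS bitmap is never touched: the agent only changes which function consults it, so an integrity check on the guard pointer itself (compare it against the expected ntdll export) catches the swap, whereas a check on the bitmap does not.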
Claims
1. A system comprising:
a processor;
memory coupled to the processor;
a kernel-mode component configured to be operated by the processor to receive notification of loading of a user-mode process by the system, to build an asynchronous procedure call (APC) to be executed by a main thread of the user-mode process, and to queue the APC to the main thread of the user-mode process; and
a user-mode component associated with the kernel-mode component and configured to be operated by the processor to identify slack space in the user-mode process, to store instructions for invoking the user-mode component in the slack space, and to hook a function of the user-mode process,
wherein the APC includes:
a kernel routine which calls instructions for allocating memory and for storing, in the allocated memory, instructions for loading the user-mode component, and
a user routine which calls the instructions for loading the user-mode component,
wherein the user-mode component, when loaded responsive to the user routine, hooks the function by modifying a single instruction or set of machine-sized instructions associated with the function to call the instructions stored in the slack space, and
wherein the single instruction or set of machine-sized instructions of the function, when executed, performs the call, which results in invoking the user-mode component to receive data associated with the function and to provide that data to the kernel-mode component.
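The claim's hook has three concrete parts: find padding ("slack space") after a function, park a stub there, and overwrite the function's leading instruction(s) with a call or jump to that stub. The following C is an added example written for this page, not code from the patent or from any security product; it runs the user-mode steps on a private, constructed copy of a .text section, so no page-protection change is involved (a live process would need VirtualProtect or equivalent around both writes, which is omitted). The section bytes, instruction lengths, section address and the `AGENT_ENTRY` dispatcher address are all assumptions. The stub is a 14-byte absolute jump (`FF 25 00000000` plus a 64-bit target) because a 5-byte rel32 jump only reaches ±2 GiB from the hooked function, which may not cover wherever the agent module was mapped; the 5-byte jump is what replaces the function's first instructions, rounded up to whole instructions so a split instruction is never executed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a process's .text section: three x86-64 functions
 * at 16-byte alignment with INT3 (0xCC) padding between them. Bytes, addresses
 * and the agent entry point are made up for this example. */
#define TEXT_BASE   0x00007FF6A0001000ULL  /* assumed address of the section */
#define AGENT_ENTRY 0x00007FFD12340000ULL  /* assumed dispatcher inside the user-mode component */
#define TEXT_LEN    48
#define ABS_JMP_LEN 14                     /* FF 25 00000000 <imm64>: jmp qword ptr [rip+0] */

static const uint8_t text_section[TEXT_LEN] = {
    0x48,0x83,0xEC,0x28, 0x31,0xC0, 0x48,0x83,0xC4,0x28, 0xC3,   /* 0x00 func A: sub rsp,0x28; xor eax,eax; add rsp,0x28; ret */
    0xCC,0xCC,0xCC,0xCC,0xCC,                                   /* 0x0B 5 bytes of padding: too small for the stub */
    0xC3,                                                       /* 0x10 func B: ret */
    0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, /* 0x11 15 bytes of padding */
    0x48,0x31,0xC0,0xC3,                                        /* 0x20 func C: xor rax,rax; ret */
    0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC /* 0x24 padding to the end */
};
static const uint8_t func_a_insn_lens[] = {4, 2, 4, 1};  /* instruction lengths of func A (constructed) */
#define FUNC_A_OFF 0x00
#define FUNC_A_END 0x0B

struct hook {
    size_t  func_off;       /* hooked function */
    size_t  slack_off;      /* where the stub was written */
    size_t  displaced_len;  /* original bytes overwritten, rounded up to whole instructions */
    uint8_t saved[16];      /* those bytes, kept for unhooking or for a trampoline */
};

/* First run of at least `need` padding bytes at or after `from`, else -1. Only the
 * INT3 (MSVC) and NOP (GCC/clang) fillers count, and the caller starts at a function
 * boundary so that instruction bytes are not mistaken for padding. */
long find_slack(const uint8_t *code, size_t len, size_t from, size_t need) {
    size_t run = 0;
    for (size_t i = from; i < len; i++) {
        run = (code[i] == 0xCC || code[i] == 0x90) ? run + 1 : 0;
        if (run == need) return (long)(i + 1 - need);
    }
    return -1;
}

/* E9 rel32: the displacement is relative to the end of the 5-byte instruction and must fit in ±2 GiB. */
int encode_jmp_rel32(uint64_t src, uint64_t dst, uint8_t out[5]) {
    int64_t disp = (int64_t)dst - (int64_t)(src + 5);
    if (disp > INT32_MAX || disp < INT32_MIN) return -1;
    uint32_t u = (uint32_t)(int32_t)disp;
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(u >> (8 * i));
    return 0;
}

uint64_t decode_jmp_rel32(uint64_t src, const uint8_t in[5]) {
    uint32_t u = 0;
    for (int i = 0; i < 4; i++) u |= (uint32_t)in[1 + i] << (8 * i);
    return src + 5 + (uint64_t)(int64_t)(int32_t)u;
}

/* FF 25 00000000 + imm64: jump to an absolute 64-bit address, reachable from anywhere. */
void encode_jmp_abs(uint64_t target, uint8_t out[ABS_JMP_LEN]) {
    static const uint8_t op[6] = {0xFF, 0x25, 0x00, 0x00, 0x00, 0x00};
    memcpy(out, op, 6);
    for (int i = 0; i < 8; i++) out[6 + i] = (uint8_t)(target >> (8 * i));
}

/* Install the hook into `code`, a writable copy of the section. Returns 0, or -1 if
 * no padding fits the stub or the rel32 jump cannot reach it. */
int install_slack_hook(uint8_t *code, size_t len, uint64_t base, size_t func_off, size_t func_end,
                       const uint8_t *insn_lens, size_t n_insns, uint64_t agent_entry, struct hook *h) {
    size_t displaced = 0;                          /* the jmp must replace whole instructions */
    for (size_t i = 0; i < n_insns && displaced < 5; i++) displaced += insn_lens[i];
    if (displaced < 5 || displaced > sizeof h->saved) return -1;
    long slack = find_slack(code, len, func_end, ABS_JMP_LEN);
    if (slack < 0) return -1;
    uint8_t jmp[5];
    if (encode_jmp_rel32(base + func_off, base + (uint64_t)slack, jmp) != 0) return -1;
    memcpy(h->saved, code + func_off, displaced);
    encode_jmp_abs(agent_entry, code + slack);     /* stub first, so the jmp never lands on raw padding */
    memcpy(code + func_off, jmp, 5);
    memset(code + func_off + 5, 0x90, displaced - 5); /* unreachable tail of a split instruction becomes NOPs */
    h->func_off = func_off; h->slack_off = (size_t)slack; h->displaced_len = displaced;
    return 0;
}

/* Run the whole procedure on a private copy of the constructed section. */
int run_hook_demo(uint8_t out[TEXT_LEN], struct hook *h) {
    memcpy(out, text_section, TEXT_LEN);
    return install_slack_hook(out, TEXT_LEN, TEXT_BASE, FUNC_A_OFF, FUNC_A_END,
                              func_a_insn_lens, sizeof func_a_insn_lens, AGENT_ENTRY, h);
}

int main(void) {
    uint8_t code[TEXT_LEN]; struct hook h;
    if (run_hook_demo(code, &h) != 0) { puts("hook failed"); return 1; }
    printf("func A @%#zx -> stub @%#zx (displaced %zu bytes) -> agent %#llx\n",
           h.func_off, h.slack_off, h.displaced_len, (unsigned long long)AGENT_ENTRY);
    for (size_t i = 0; i < TEXT_LEN; i++) printf("%02X%s", code[i], (i % 16 == 15) ? "\n" : " ");
    return 0;
}
```

Two things the simulation makes visible that the claim language does not: the search skips the 5-byte gap after func A because the stub needs 14 bytes and lands in the 15-byte gap after func B instead, and the 5-byte jump overwrites six bytes of func A (two whole instructions) with the sixth turned into a NOP. For detection, the same two facts are the signal: code bytes in what the image's function table says is padding, and a function whose first instruction is a jump into that padding.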