Title: Selective assessment of maliciousness of software code executed in the address space of a trusted process
Abstract: System and method for detection of malicious code injected into processes associated with known programs. Execution of processes in a computer system is monitored. From among the processes being monitored, only certain processes are selected for tracking. For each of the processes selected, function calls made by threads of the process are tracked. From among the tracked function calls, only those function calls which are critical function calls are identified. For each identified critical function call, the program instructions that caused the critical function call are subjected to analysis to assess their maliciousness.
Publication number: US9336390(B2)   Publication date: 2016.05.10
Application number: US201313938966   Filing date: 2013.07.10
Applicant: AO KASPERSKY LAB   Inventor: Pavlyushchik Mikhail A.
Classification: G06F21/00;H04L29/06;G06F21/56   Main classification: G06F21/00
Attorney/agent firm: Patterson Thuente Pedersen, P.A.   Agent: Patterson Thuente Pedersen, P.A.
Main claim: 1. A method for detection of malicious code injected into processes associated with known programs in a computing device comprising a plurality of computing resources including computing hardware and an operating system executing on the computing hardware, and a plurality of programs interfaced with the computing resources and executable as processes having one or more threads, the method comprising: monitoring execution of processes on the computing hardware, each of the processes capable of executing program code; selecting, from among the processes being monitored, a subset of processes consisting of only those processes which are susceptible processes, wherein the selecting is based on predefined process selection criteria that relates to a likelihood of malicious code being present; for each of the susceptible processes of the subset of processes selected, tracking function calls made by threads of the process; identifying, from among the tracked function calls, a subset of function calls consisting of only those function calls which are critical function calls, wherein the identifying of the critical function calls is based on critical function determination criteria that relates to a likelihood of malicious code being executed in an address space of a susceptible process by creation of a new thread or a new process in the address space of the susceptible process; for each identified critical function call, identifying program instructions that caused the critical function call; and assessing maliciousness of the program instructions based on predefined assessment criteria.
Address: Moscow RU
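The staged filtering that the abstract and the main claim describe (monitor all processes, keep only susceptible ones, keep only critical calls, then assess the code that issued each call) can be modelled as a small pipeline over a call trace. The following is an added example written for this page; it is not code from the patent or from Kaspersky Lab. The susceptible-process list, the set of critical functions, the module maps and the call events are all constructed for illustration, and the assessment criterion used here (a call is suspicious when the calling instruction lies outside every loaded module of the process) is one plausible reading of "predefined assessment criteria", not the patent's own rule.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ModuleRange:
    """Address range occupied by one loaded module in a process's address space."""
    name: str
    start: int
    end: int  # exclusive


@dataclass(frozen=True)
class CallEvent:
    """One tracked function call: which thread of which process called what, and from where."""
    pid: int
    process: str
    tid: int
    function: str
    caller_addr: int  # address of the instruction that issued the call


# Assumed process-selection criteria: program names (constructed) treated as likely injection targets.
SUSCEPTIBLE_PROCESSES = {"browser.exe", "reader.exe", "wordproc.exe"}

# Assumed critical-function criteria: Win32/Native API calls that create a new thread or process.
CRITICAL_FUNCTIONS = {"CreateThread", "CreateRemoteThread", "CreateProcessW", "NtCreateThreadEx"}


def select_susceptible(events: Iterable[CallEvent]) -> List[CallEvent]:
    """Stage 1: keep only calls made by processes that match the selection criteria."""
    return [e for e in events if e.process.lower() in SUSCEPTIBLE_PROCESSES]


def identify_critical(events: Iterable[CallEvent]) -> List[CallEvent]:
    """Stage 2: keep only the critical function calls (thread/process creation)."""
    return [e for e in events if e.function in CRITICAL_FUNCTIONS]


def locate_caller(addr: int, modules: Iterable[ModuleRange]) -> Optional[str]:
    """Stage 3: map the calling instruction's address to a loaded module, or None if unmapped."""
    for m in modules:
        if m.start <= addr < m.end:
            return m.name
    return None


def assess(event: CallEvent, modules: Iterable[ModuleRange]) -> dict:
    """Stage 4 (assumed criterion): code calling from outside every loaded module is suspicious."""
    module = locate_caller(event.caller_addr, modules)
    verdict = "benign" if module is not None else "suspicious"
    return {
        "pid": event.pid,
        "tid": event.tid,
        "function": event.function,
        "caller_addr": hex(event.caller_addr),
        "caller_module": module,
        "verdict": verdict,
    }


def analyze(events: Iterable[CallEvent], module_maps: Dict[int, List[ModuleRange]]) -> List[dict]:
    """Run the full pipeline; only the surviving critical calls are assessed."""
    return [
        assess(e, module_maps.get(e.pid, []))
        for e in identify_critical(select_susceptible(events))
    ]


# Constructed module maps per pid (addresses are illustrative, not real layouts).
SAMPLE_MODULE_MAPS: Dict[int, List[ModuleRange]] = {
    100: [ModuleRange("browser.exe", 0x00400000, 0x00450000),
          ModuleRange("kernel32.dll", 0x7C800000, 0x7C900000)],
    300: [ModuleRange("reader.exe", 0x00400000, 0x00480000),
          ModuleRange("kernel32.dll", 0x7C800000, 0x7C900000)],
}

# Constructed call trace: one benign call, one call from unmapped memory, one non-critical
# call, one call from a non-susceptible process, and one benign call via a system DLL.
SAMPLE_EVENTS: List[CallEvent] = [
    CallEvent(100, "browser.exe", 1, "CreateThread", 0x00401230),
    CallEvent(100, "browser.exe", 2, "CreateRemoteThread", 0x01F00000),
    CallEvent(100, "browser.exe", 1, "ReadFile", 0x01F00010),
    CallEvent(200, "calc.exe", 1, "CreateThread", 0x02000000),
    CallEvent(300, "reader.exe", 4, "CreateProcessW", 0x7C801000),
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS, SAMPLE_MODULE_MAPS):
        print(finding)
```

Only three of the five events reach the assessment stage: the ReadFile call is dropped as non-critical and the calc.exe call is dropped because that process is not on the susceptible list. Of the three assessed, the CreateRemoteThread call from 0x01F00000 is flagged because no loaded module covers that address, which is the kind of signal the claim's "program instructions that caused the critical function call" step is designed to surface.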