Title TECHNOLOGIES FOR PREVENTING HOOK-SKIPPING ATTACKS USING PROCESSOR VIRTUALIZATION FEATURES
Abstract Technologies for monitoring system API calls include a computing device with hardware virtualization support. The computing device establishes a default memory view and a security memory view to define physical memory maps and permissions. The computing device executes an application in the default memory view and executes a default inline hook in response to a call to an API function. The default inline hook switches to the security memory view using hardware support without causing a virtual machine exit. The security inline hook calls a security callback function to validate the API function call in the security memory view. Hook-skipping attacks may be prevented by padding the default inline hook with no-operation instructions, by designating memory pages of the API function as non-executable in the default memory view, or by designating memory pages of the application as non-executable in the security memory view. Other embodiments are described and claimed.
Publication number US2015379263(A1) Publication date 2015.12.31
Application number US201414318215 Filing date 2014.06.27
Applicants Vipat Harshawardhan; Castelino Manohar R.; Sahita Ravi L.; Rodriguez Sergio; Gupta Vikas Inventors Vipat Harshawardhan; Castelino Manohar R.; Sahita Ravi L.; Rodriguez Sergio; Gupta Vikas
Classification G06F21/56 Main classification G06F21/56
Agency Agent
Main claim 1. A computing device for monitoring an application programming interface (API), the computing device comprising: a view management module to: (i) establish a default memory view, wherein the default memory view defines a first physical memory map of the computing device and a first set of memory permissions, and (ii) establish a security memory view, wherein the security memory view defines a second physical memory map of the computing device and a second set of memory permissions; and a security module to: execute a default inline hook with the default memory view in response to a call of an API function from an application; switch to the security memory view without a virtual machine exit event in response to execution of the default inline hook; execute a security inline hook with the security memory view in response to a switch to the security memory view; and call an anti-malware callback function in response to execution of the security inline hook.
Address San Jose CA US