Title: Identifying malicious threads
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for identifying and processing malicious threads. In one aspect, a method includes identifying a memory heap block; identifying threads that reside in the memory heap block; determining whether at least one of the identified threads in the memory heap block is a malicious thread; and in response to determining that at least one of the identified threads is a malicious thread, terminating each of the identified threads.
Publication number: US9135443(B2)  Publication date: 2015.09.15
Application number: US201012774870  Filing date: 2010.05.06
Applicant: McAfee, Inc.  Inventors: Ramchetty Harinath Vishwanath; Kapoor Aditya; Giri Babu Nath
Classification: G06F21/00; G06F21/56  Main classification: G06F21/00
Agency: Patent Capital Group  Agent: Patent Capital Group
Main claim: 1. A computer-implemented method to terminate a malicious thread, the method executed by a data processing apparatus and comprising: identifying, in computer memory, a memory heap assigned to a particular computer process, the memory heap comprising a plurality of memory heap blocks; determining that a particular one of the plurality of memory heap blocks is a malicious memory heap block added by a malicious source to the memory block assigned to the particular computer process; identifying that one or more threads have a start address that resides within the malicious memory heap block, the one or more threads comprising a subset of a plurality of threads; performing an analysis on each thread in the subset of threads based on each thread in the subset having a start address within the malicious memory heap block, to determine, for each of the threads in the subset, whether the thread is a malicious thread injected into the particular computer process by malware, the analysis comprising, for each of the threads in the subset, identifying a signature for the thread and comparing the signature for the thread to signatures of known malicious threads, the particular computer process comprising a non-malicious process, and at least one of the subset of threads is a non-malicious thread of the particular computer process; and terminating threads in the subset of threads determined through the analysis to be malicious, where the at least one non-malicious thread is preserved.
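The claim above chains four steps: locate the process heap blocks, take the subset of threads whose start address falls inside a block judged to be injected, compare each such thread's signature against known-malicious signatures, and terminate only the matches while preserving benign threads that happen to live in the same block. The following Python simulation, added here as an illustration and not McAfee's implementation or any code from the patent, models that decision logic over constructed data. The heap blocks, thread records, the "flagged" verdict on a block (which the patent derives from a separate heap analysis not modelled here), and the signature form (a SHA-256 over the first bytes at the thread's start address; the patent does not specify how signatures are derived) are all assumptions made for this example.

```python
"""Constructed simulation of the thread-termination logic in claim 1.

Not McAfee's implementation: heap blocks, threads, the block-level
"flagged" verdict and the signature scheme are assumptions for this example.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class HeapBlock:
    """One block of a process heap. `flagged` records the verdict of an
    external heap-block analysis (assumed, not modelled here) that the block
    was added by a malicious source."""
    base: int
    size: int
    flagged: bool

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Thread:
    tid: int
    start_address: int
    start_bytes: bytes  # constructed stand-in for the code at the start address
    alive: bool = True


def thread_signature(start_bytes: bytes, window: int = 64) -> str:
    """Assumed signature: SHA-256 of the first `window` bytes at the start address."""
    return hashlib.sha256(start_bytes[:window]).hexdigest()


def threads_starting_in(threads: list[Thread], block: HeapBlock) -> list[Thread]:
    """Claim step: the subset of threads whose start address lies within `block`."""
    return [t for t in threads if block.contains(t.start_address)]


def terminate_malicious_threads(heap_blocks: list[HeapBlock],
                                threads: list[Thread],
                                known_bad: set[str]) -> list[int]:
    """Terminate only threads that (a) start inside a flagged block and
    (b) match a known-malicious signature. Benign threads, including ones
    that start in the flagged block, are preserved. Returns terminated tids."""
    terminated = []
    for block in heap_blocks:
        if not block.flagged:
            continue
        for t in threads_starting_in(threads, block):
            if thread_signature(t.start_bytes) in known_bad:
                t.alive = False
                terminated.append(t.tid)
    return terminated


def run_demo():
    """Constructed scenario: one legitimate block and one flagged block that
    holds an injected thread next to a benign helper thread of the host process.
    Thread 4 carries the same bytes as the injected thread but starts outside
    every heap block, so the claimed method, scoped to heap blocks, leaves it alone."""
    heap = [HeapBlock(0x1000, 0x1000, flagged=False),
            HeapBlock(0x5000, 0x1000, flagged=True)]
    injected = b"CONSTRUCTED-INJECTED-STUB"
    threads = [
        Thread(1, 0x1010, b"CONSTRUCTED-WORKER"),  # benign, legitimate block
        Thread(2, 0x5020, injected),               # malicious, flagged block
        Thread(3, 0x5100, b"CONSTRUCTED-HELPER"),  # benign, flagged block
        Thread(4, 0x9000, injected),               # same bytes, outside the heap
    ]
    known_bad = {thread_signature(injected)}
    terminated = terminate_malicious_threads(heap, threads, known_bad)
    return terminated, {t.tid: t.alive for t in threads}


if __name__ == "__main__":
    print(run_demo())  # ([2], {1: True, 2: False, 3: True, 4: True})
```

Thread 4 is the caveat worth noticing: the claim restricts the signature comparison to threads that start inside a malicious heap block, so a thread with known-bad code whose start address lies elsewhere (a mapped section, for instance) is outside this method's scope and would need a separate detection path.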
Address: Santa Clara, CA, US