摘要 |
<p>A method of detecting suspicious code that has been injected into a process. The method comprises: identifying suspicious executable memory areas assigned to the process and, for each thread in the process, inspecting a stack associated with the thread to identify a potential return address; determining whether or not the potential return address is located within a suspicious memory area; and, if the potential return address is located within a suspicious memory area, determining whether or not the instruction at the address preceding the potential return address is a function call and, if yes, determining that the potential return address is a true return address and identifying the thread and associated code as suspicious.</p> |