Abstract
<p>Suspicious memory areas assigned to a process running on a computer system are identified (1). Preferably these suspicious areas are identified by collecting a first list of the memory areas containing modules loaded into the process and a second list of all memory areas that are executable but absent from the first list; the second list corresponds to the suspicious memory areas. For each thread in the process, the block of memory in which the thread's code is located is identified (2). It is then determined whether that memory block lies within the suspicious memory areas (3). If so, the stack associated with the thread is inspected to determine whether it contains a function call, leading into an executable memory area, whose return address points back into the thread's memory block (4). If the stack contains such a function call, the thread is determined to be running suspicious code that has been injected into the process. Threads found to be running suspicious code may be terminated.</p>
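The four steps of the abstract, applied to a constructed process snapshot, as an added example that is not part of the patent or any product described by it. The module list, executable-region list and per-thread stack frames are made-up values embedded inline so the logic runs offline; in a real Windows scanner those inputs would typically come from EnumProcessModules/GetModuleInformation, VirtualQueryEx, the thread start address via NtQueryInformationThread, and a stack walk (e.g. StackWalk64). All names, addresses and the three-way verdict are this example's own assumptions.

```c
/*
 * Added example: executable-but-unbacked memory plus return-address check.
 * The process snapshot below is CONSTRUCTED for the example; nothing here
 * reads live process memory.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    uint64_t base;
    uint64_t size;
} region_t;

typedef struct {
    uint32_t tid;
    uint64_t start_addr;     /* address of the code the thread is executing */
    uint64_t ret_addrs[8];   /* return addresses found on its stack, innermost first */
    size_t   nframes;
} thread_t;

enum verdict { BENIGN = 0, SUSPICIOUS_ONLY = 1, INJECTED = 2 };

static bool contains(const region_t *r, uint64_t addr)
{
    return addr >= r->base && addr < r->base + r->size;
}

static bool overlaps_any(const region_t *r, const region_t *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (r->base < set[i].base + set[i].size && set[i].base < r->base + r->size)
            return true;
    return false;
}

/* Step 1: executable regions not covered by any loaded module are suspicious. */
size_t find_suspicious(const region_t *exec, size_t nexec,
                       const region_t *mods, size_t nmods,
                       region_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < nexec && n < max_out; i++)
        if (!overlaps_any(&exec[i], mods, nmods))
            out[n++] = exec[i];
    return n;
}

/* Steps 2-4 for a single thread. */
enum verdict classify_thread(const thread_t *t, const region_t *susp, size_t nsusp)
{
    const region_t *block = NULL;                       /* step 2: block holding the code */
    for (size_t i = 0; i < nsusp; i++)
        if (contains(&susp[i], t->start_addr)) { block = &susp[i]; break; }
    if (!block)
        return BENIGN;                                  /* step 3: module-backed code */

    /* Step 4: a return address pointing back into the block means the
       unbacked code made a call (usually into a system DLL) and will resume
       there, which confirms it is actually executing, not merely present. */
    for (size_t i = 0; i < t->nframes; i++)
        if (contains(block, t->ret_addrs[i]))
            return INJECTED;
    return SUSPICIOUS_ONLY;
}

/* ---- constructed snapshot (all addresses invented for the example) ---- */
static const region_t sample_modules[] = {
    { 0x0000000000400000ULL, 0x80000  },   /* main executable */
    { 0x00007ff000000000ULL, 0x200000 },   /* "ntdll.dll" */
    { 0x00007ff100000000ULL, 0x100000 },   /* "kernel32.dll" */
};
static const region_t sample_exec[] = {
    { 0x0000000000401000ULL, 0x40000  },   /* .text of the main executable */
    { 0x00007ff000001000ULL, 0x150000 },   /* ntdll .text */
    { 0x00007ff100001000ULL, 0x90000  },   /* kernel32 .text */
    { 0x0000000020000000ULL, 0x10000  },   /* anonymous RWX: no module behind it */
    { 0x0000000030000000ULL, 0x1000   },   /* another unbacked executable page */
};
static const thread_t sample_threads[] = {
    /* tid 1: code in the main image, returns into kernel32 and the image */
    { 1, 0x0000000000401500ULL, { 0x00007ff100045678ULL, 0x0000000000402200ULL }, 2 },
    /* tid 2: code in the RWX block, one frame returns back into the block */
    { 2, 0x0000000020001000ULL, { 0x00007ff000012345ULL, 0x0000000020001180ULL, 0x00007ff100020000ULL }, 3 },
    /* tid 3: code in the RWX block, but no frame returns into it */
    { 3, 0x0000000020002000ULL, { 0x00007ff000012345ULL, 0x00007ff100020000ULL }, 2 },
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

size_t sample_suspicious_count(void)
{
    region_t susp[8];
    return find_suspicious(sample_exec, COUNT(sample_exec),
                           sample_modules, COUNT(sample_modules), susp, COUNT(susp));
}

/* Returns the verdict for a thread id in the snapshot, or -1 if unknown. */
int classify_sample_thread(uint32_t tid)
{
    region_t susp[8];
    size_t nsusp = find_suspicious(sample_exec, COUNT(sample_exec),
                                   sample_modules, COUNT(sample_modules), susp, COUNT(susp));
    for (size_t i = 0; i < COUNT(sample_threads); i++)
        if (sample_threads[i].tid == tid)
            return (int)classify_thread(&sample_threads[i], susp, nsusp);
    return -1;
}

int main(void)
{
    static const char *names[] = { "benign", "suspicious-only", "injected" };
    printf("suspicious regions: %zu\n", sample_suspicious_count());
    for (size_t i = 0; i < COUNT(sample_threads); i++)
        printf("tid %u: %s\n", sample_threads[i].tid,
               names[classify_sample_thread(sample_threads[i].tid)]);
    return 0;
}
```

Two practical notes on the design. Step 4 is what keeps the method from flagging every JIT compiler or packer that legitimately creates unbacked executable memory: presence of such a region is only a candidate, and a thread like tid 3 above, whose code sits in the block but whose stack shows no return into it, is reported as suspicious rather than confirmed. Conversely, step 1 trusts the module list, so code that overwrites the body of an already loaded DLL in place is executable, module-backed and invisible to this check; such cases need a separate comparison of in-memory code against the on-disk image.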