Title: Identifying and stopping executable threads subjected to process hollowing
Abstract: A computer system is programmed to monitor the threads of executable processes, determine whether a particular process has been hijacked by malicious code through the code-injection technique known as process hollowing, and prevent the malware process from executing. The system checks whether the initial thread of the process was created in a suspended state 110 and, if so, creates a copy of the original process 120 by mapping its executable from storage into a spare memory area where it will not be executed. The header of the first section of the suspicious process is compared with the header of the first section of the copy 130. If the two differ, the suspicious process is terminated 140 before it can execute. The method may comprise the further steps of comparing the number of sections in the two processes, all of their section headers, or the contents of the processes in their entirety.
Publication number: GB2502774(A)    Publication date: 2013-12-11
Application number: GB20120009463    Filing date: 2012-05-29
Applicant: APPSENSE LIMITED    Inventor: STEPHEN IAN JONES
IPC classification: G06F21/56    Main classification: G06F21/56
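The comparison at the heart of the abstract (steps 120-130, with the stricter whole-table variant mentioned at the end) is shown below as an added example; it is not code from the patent or from AppSense. It walks the raw PE headers (MZ stub, e_lfanew, PE signature, IMAGE_FILE_HEADER, section table) with every offset bounds-checked, then compares the first section header, or the section count plus every header. On Windows the `mem` buffer would be read from the suspended process with ReadProcessMemory and `disk` from mapping the executable file; here both are constructed minimal PE images so the logic runs offline. All function names and the scenario numbering are hypothetical.

```c
/* Added example (not from the patent): section-header comparison over raw PE
 * bytes.  Images are constructed fixtures, not real binaries. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PE_SIG 0x00004550u        /* "PE\0\0" */
#define SECTION_HDR_SIZE 40       /* sizeof(IMAGE_SECTION_HEADER) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)((v >> (8 * i)) & 0xFF); }

typedef struct { const uint8_t *hdrs; uint16_t count; } section_table;

/* Walk MZ -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER -> section table.
 * Every offset is bounds-checked so a hostile image cannot drive an out-of-bounds read. */
static int locate_sections(const uint8_t *img, size_t len, section_table *out) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;               /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                                  /* e_lfanew */
    if (pe > len - 24 || rd32(img + pe) != PE_SIG) return -1;        /* sig + 20-byte file header fit */
    const uint8_t *fh = img + pe + 4;                                /* IMAGE_FILE_HEADER */
    uint16_t nsec = rd16(fh + 2), optsz = rd16(fh + 16);             /* NumberOfSections, SizeOfOptionalHeader */
    size_t sec_off = (size_t)pe + 4 + 20 + optsz;
    if (nsec == 0 || sec_off > len || (size_t)nsec * SECTION_HDR_SIZE > len - sec_off) return -1;
    out->hdrs = img + sec_off; out->count = nsec;
    return 0;
}

/* Step 130: compare only the first section header of the suspended process (mem)
 * against the clean copy mapped from disk.  0 = match, 1 = mismatch (terminate,
 * step 140), -1 = either image is malformed and cannot be judged. */
int compare_first_section(const uint8_t *mem, size_t mlen, const uint8_t *disk, size_t dlen) {
    section_table a, b;
    if (locate_sections(mem, mlen, &a) || locate_sections(disk, dlen, &b)) return -1;
    return memcmp(a.hdrs, b.hdrs, SECTION_HDR_SIZE) != 0;
}

/* Stricter variant from the abstract: section count first, then every header. */
int compare_all_sections(const uint8_t *mem, size_t mlen, const uint8_t *disk, size_t dlen) {
    section_table a, b;
    if (locate_sections(mem, mlen, &a) || locate_sections(disk, dlen, &b)) return -1;
    if (a.count != b.count) return 1;
    return memcmp(a.hdrs, b.hdrs, (size_t)a.count * SECTION_HDR_SIZE) != 0;
}

/* Constructed fixture: MZ stub, PE signature, file header, zeroed PE32+-sized
 * optional header and `nsec` section headers.  Returns image length, 0 if no room. */
static size_t build_image(uint8_t *buf, size_t cap, uint16_t nsec,
                          uint32_t text_vsize, uint32_t text_chars) {
    const uint16_t optsz = 0xF0;
    size_t sec_off = 0x40 + 4 + 20 + optsz, len = sec_off + (size_t)nsec * SECTION_HDR_SIZE;
    if (len > cap) return 0;
    memset(buf, 0, len);
    wr16(buf, 0x5A4D); wr32(buf + 0x3C, 0x40); wr32(buf + 0x40, PE_SIG);
    wr16(buf + 0x44 + 2, nsec); wr16(buf + 0x44 + 16, optsz);
    for (uint16_t i = 0; i < nsec; i++) {
        uint8_t *s = buf + sec_off + (size_t)i * SECTION_HDR_SIZE;
        memcpy(s, i == 0 ? ".text\0\0\0" : ".data\0\0\0", 8);       /* Name */
        wr32(s + 8, i == 0 ? text_vsize : 0x1000);                 /* VirtualSize */
        wr32(s + 12, 0x1000u * (i + 1));                           /* VirtualAddress */
        wr32(s + 36, i == 0 ? text_chars : 0xC0000040u);           /* Characteristics */
    }
    return len;
}

/* Hypothetical scenarios: 0 clean relaunch; 1 .text header rewritten by the injected
 * payload (larger, RWX); 2 first header intact but an extra section appended, which only
 * the whole-table check catches; 3 in-memory image is not a PE at all. */
int check_scenario(int scenario, int strict) {
    uint8_t disk[512], mem[512];
    size_t dl = build_image(disk, sizeof disk, 3, 0x2000, 0x60000020u), ml;
    switch (scenario) {
    case 0:  ml = build_image(mem, sizeof mem, 3, 0x2000, 0x60000020u); break;
    case 1:  ml = build_image(mem, sizeof mem, 3, 0x5000, 0xE0000020u); break;
    case 2:  ml = build_image(mem, sizeof mem, 4, 0x2000, 0x60000020u); break;
    default: memset(mem, 0x41, sizeof mem); ml = sizeof mem; break;
    }
    return strict ? compare_all_sections(mem, ml, disk, dl) : compare_first_section(mem, ml, disk, dl);
}

int main(void) {
    for (int s = 0; s < 4; s++)
        printf("scenario %d: first-section=%d all-sections=%d\n",
               s, check_scenario(s, 0), check_scenario(s, 1));
    return 0;
}
```

Scenario 2 is the caveat a practitioner should keep in mind: a payload that preserves the legitimate first section header but appends its own section passes the first-section check and is only caught by comparing the section count and the full table, which is why the abstract lists those as further steps. A -1 result (unparseable image) should be treated as suspicious rather than as a pass, since a process whose in-memory headers no longer parse as PE has certainly been tampered with.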