Title of invention: Computer security systems and methods using virtualization exceptions
Abstract: Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A hypervisor exposes a virtual machine on the host system. In some embodiments, the hypervisor further configures a processor of the host system to generate a virtualization exception in response to detecting a memory access violation, and to deliver such exceptions to a computer security program operating within the virtual machine. The hypervisor may further set access permissions to a section of memory containing a part of a function targeted for hooking, so that an attempt to execute the respective target function triggers a virtualization exception. Some embodiments thus achieve hooking of the target function without resorting to conventional methods, such as patching, inline hooking, and MSR hooking.
Publication number: US9400885(B2)
Publication date: 2016.07.26
Application number: US201414533670
Filing date: 2014.11.05
Applicant: Bitdefender IPR Management Ltd.
Inventors: Tosa Raul V.;Lutas Dan H.;Ticle Daniel I.;Lukacs Sandor
Classification: G06F21/55;G06F21/57;G06F9/455;G06F21/53;G06F21/74
Main classification: G06F21/55
Agency: Law Office of Andrei D Popovici, PC
Agent: Law Office of Andrei D Popovici, PC
Main claim: 1. A host system comprising at least one hardware processor configured to execute a hypervisor, the hypervisor further configured to: configure the at least one hardware processor to generate an exception in response to detecting a violation of a first memory access permission, the exception causing the at least one hardware processor to switch from executing a target function to executing a computer security program, wherein both the target function and the computer security program execute within a virtual machine exposed by the hypervisor, and wherein the computer security program is configured to determine whether the violation is indicative of a computer security threat; and configure the memory access permission so that a first attempt to execute the target function violates the first memory access permission, wherein the computer security program is further configured, in response to the at least one hardware processor switching from executing the target function to executing the computer security program, to cause the at least one hardware processor to switch from enforcing the first memory access permission to enforcing a second memory access permission, the second memory access permission configured so that a second attempt to execute the target function does not violate the second memory access permission.
Address: Nicosia CY