Abstract: A method for detecting software exploitation broadly comprises the steps of gathering information about processes and threads executing on a computing device, monitoring instructions executed by a thread that is currently running, and, if a function to create a process or a function to load a library is called, performing the following steps: examining a thread information block, determining whether an address included in a stack pointer of the thread is in the range of addresses for the stack specified by the thread information block, and determining whether a first plurality of no-operation instructions is followed by shell code that is in turn followed by a second plurality of no-operation instructions.
Type: Grant
Filed: July 15, 2013
Date of Patent: January 27, 2015
Assignee: ESET, Spol. s.r.o.
Inventors: Pawel Mirski, Peter Hlavaty, Peter Kosinar