Abstract: Embodiments disclosed herein include an apparatus with a processor configured to receive an indication of a function call to an identified shared library and configured to perform an identified function. The processor is configured to insert a function hook in the shared library. The function hook is configured to pause the execution of the shared library when called. In response to the function hook, the processor is configured to identify a source location in one or more memories associated with an origin of the function call to the shared library. The processor is configured to scan a range of memory addresses associated with the source location in the one or more memories, and identify, based on the scanning, a potentially malicious process within the range of memory addresses.

Abstract: A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Abstract: Secrets such as secure session cookies for a web browser can be protected on a compute instance with multiple layers of encryption, such as by encrypting key material that in turn controls cryptographic access to the secret. A compute instance can be instrumented to detect when a process attempts to decrypt this key material so that the process requesting decryption can be compared to authorized or legitimate users of the secret.

Abstract: A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Abstract: Embodiments disclosed herein include an apparatus with a processor configured to receive an indication of a function call to an identified shared library and configured to perform an identified function. The processor is configured to insert a function hook in the shared library. The function hook is configured to pause the execution of the shared library when called. In response to the function hook, the processor is configured to identify a source location in one or more memories associated with an origin of the function call to the shared library. The processor is configured to scan a range of memory addresses associated with the source location in the one or more memories, and identify, based on the scanning, a potentially malicious process within the range of memory addresses.

Abstract: A computer-implemented method includes detecting, by a computing device, a request from a macro included in a document file that is open in a software application executing on the computing device, where the macro comprises executable code and where the document file further includes non-executable document content. The method further includes determining if the request includes simulation of a physical keystroke based on detecting that the request includes a function call to a function that synthesizes keystrokes. The method further includes responsive to determining that the request includes simulation of the physical keystroke, preventing the request from being satisfied.

Abstract: Secrets such as secure session cookies for a web browser can be protected on a compute instance with multiple layers of encryption, such as by encrypting key material that in turn controls cryptographic access to the secret. A compute instance can be instrumented to detect when a process attempts to decrypt this key material so that the process requesting decryption can be compared to authorized or legitimate users of the secret.

Abstract: A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Abstract: A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Abstract: Secrets such as secure session cookies for a web browser can be protected on a compute instance with multiple layers of encryption, such as by encrypting key material that in turn controls cryptographic access to the secret. A compute instance can be instrumented to detect when a process attempts to decrypt this key material so that the process requesting decryption can be compared to authorized or legitimate users of the secret.