CPC G06F 21/54 (2013.01) [G06F 21/554 (2013.01); G06F 2221/033 (2013.01)]
20 Claims
1. A system comprising:
a processor; and
a memory coupled to the processor, the memory storing computer executable instructions executable to:
generate a list of exportable functions accessible to an executable program;
identify a first function name relative virtual address (RVA) corresponding to a first function in the list of exportable functions;
identify a last function name RVA corresponding to a last function in the list of exportable functions;
modify the first function name RVA to point to a restricted memory location, thereby creating a modified function name RVA;
detect an exception that indicates an attempt to access the restricted memory location of the modified function name RVA;
compare an instruction pointer address associated with the exception to an allowed range of memory addresses for system functions, the allowed range comprising a lower boundary corresponding to the first function name RVA and an upper boundary corresponding to the last function name RVA;
determine that the instruction pointer address is outside the allowed range of memory addresses for system functions; and
when the memory address of the exception is outside the allowed range, provide an indication of an anomaly for the executable program.
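The steps of claim 1, sketched as an added example that is not taken from the patent or from any implementation of it: it parses the name table of a constructed PE export directory, records the first and last function name RVAs, redirects the first entry to a restricted location, and classifies simulated exception records. The flat image, the `GUARD_RVA` value, the module base used in the checks, and the reading of each range boundary as module base plus RVA are assumptions.

```python
import struct

EXPORT_DIR = struct.Struct("<IIHHIIIIIII")  # IMAGE_EXPORT_DIRECTORY, 40 bytes
GUARD_RVA = 0x9000  # hypothetical RVA of a no-access page (assumption)

def build_image():
    """Constructed flat image where offset == RVA, with three exported names."""
    img = bytearray(0x400)
    names = [b"CreateFileW", b"LoadLibraryA", b"WriteFile"]
    off, rvas = 0x300, []
    for n in names:
        rvas.append(off)
        img[off:off + len(n) + 1] = n + b"\0"
        off += len(n) + 1
    struct.pack_into("<3I", img, 0x200, *rvas)  # AddressOfNames array
    # Name=0, Base=1, NumberOfFunctions=3, NumberOfNames=3, AddressOfNames=0x200
    EXPORT_DIR.pack_into(img, 0x100, 0, 0, 0, 0, 0, 1, 3, 3, 0, 0x200, 0)
    return img

def name_rvas(img, dir_rva):
    """Return (AddressOfNames RVA, list of function name RVAs)."""
    fields = EXPORT_DIR.unpack_from(img, dir_rva)
    count, table = fields[7], fields[9]
    return table, list(struct.unpack_from(f"<{count}I", img, table))

def arm(img, dir_rva):
    """Record first/last name RVA, then point the first entry at GUARD_RVA."""
    table, rvas = name_rvas(img, dir_rva)
    struct.pack_into("<I", img, table, GUARD_RVA)  # modified function name RVA
    return rvas[0], rvas[-1]

def classify(base, first_rva, last_rva, fault_addr, ip):
    """Classify one exception record (faulting address, instruction pointer)."""
    if fault_addr != base + GUARD_RVA:
        return "unrelated"  # not an access to the restricted location
    if base + first_rva <= ip <= base + last_rva:
        return "allowed"    # instruction pointer inside the allowed range
    return "anomaly"        # outside the range: indicate an anomaly

if __name__ == "__main__":
    img = build_image()
    first, last = arm(img, 0x100)
    base = 0x7FF800000000  # constructed module base
    for ip in (base + 0x310, 0x1F0000):
        print(hex(ip), classify(base, first, last, base + GUARD_RVA, ip))
```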