US 11,928,206 B2
Selective import/export address table filtering
Eric Klonowski, Broomfield, CO (US); and Ira Strawser, Thorton, CO (US)
Assigned to Open Text Inc., Menlo Park, CA (US)
Filed by Open Text Inc., Menlo Park, CA (US)
Filed on Apr. 20, 2023, as Appl. No. 18/304,231.
Application 18/304,231 is a continuation of application No. 16/683,816, filed on Nov. 14, 2019, granted, now 11,636,197.
Claims priority of provisional application 62/768,066, filed on Nov. 15, 2018.
Prior Publication US 2023/0252131 A1, Aug. 10, 2023
Int. Cl. G06F 21/54 (2013.01); G06F 21/55 (2013.01)
CPC G06F 21/54 (2013.01) [G06F 21/554 (2013.01); G06F 2221/033 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system comprising:
a processor; and
a memory coupled to the processor, the memory storing computer executable instructions executable to:
generate a list of exportable functions accessible to an executable program;
identify a first function name relative virtual address (RVA) corresponding to a first function in the list of exportable functions;
identify a last function name RVA corresponding to a last function in the list of exportable functions;
modify the first function name RVA to point to a restricted memory location, thereby creating a modified function name RVA;
detect an exception that indicates an attempt to access the restricted memory location of the modified function name RVA;
compare an instruction pointer address associated with the exception to an allowed range of memory addresses for system functions, the allowed range comprising a lower boundary corresponding to the first function name RVA and an upper boundary corresponding to the last function name RVA;
determine that the instruction pointer address is outside the allowed range of memory addresses for system functions; and
when the memory address of the exception is outside the allowed range, provide an indication of an anomaly for the executable program.