US 12,242,608 B2
Apparatus and methods for an application programming interface to detect and locate malware in memory
Mark Willem Loman, Delden (NL); Lute Edwin Engels, Hengelo (NL); Ronny Henk Gert Tijink, Hengelo (NL); and Alexander Vermaning, Enschede (NL)
Assigned to Sophos Limited, Abingdon (GB)
Filed by Sophos Limited, Abingdon (GB)
Filed on Dec. 27, 2022, as Appl. No. 18/089,474.
Prior Publication US 2024/0211597 A1, Jun. 27, 2024
Int. Cl. G06F 21/56 (2013.01); G06F 12/14 (2006.01)
CPC G06F 21/566 (2013.01) [G06F 12/14 (2013.01); G06F 21/564 (2013.01)]
20 Claims
OG exemplary drawing
 
1. An apparatus, comprising:
one or more memories; and
one or more processors operatively coupled to the one or more memories, the one or more processors configured to:
identify a function call to a shared library;
in response to the function call, insert a function hook into the shared library while loading the shared library into the one or more memories, the function hook configured to cause the one or more processors to pause execution of the shared library while executing a predetermined function;
execute the predetermined function and, based on the execution of the predetermined function, scan a range of memory addresses located in the one or more memories, the range of memory addresses being determined based on the function call to the shared library;
determine, based on the scan of the range of memory addresses, a presence or absence of a potentially malicious process stored in the one or more memories;
locate a potentially malicious process stored in the one or more memories at a location within the range of memory addresses, during a pausing of the execution of the shared library; and
positively identify the potentially malicious process as a malware beacon.