Memory Boundary Tracking
Definition
Analyzing a call stack for return addresses which point to unexpected memory locations.
How it works
This technique walks the call stack and checks whether each return address lies outside the memory previously allocated for an object (i.e. a function, module, process, or thread). If it does, the code that the return address points to is treated as malicious.
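As an added illustration, not code from the D3FEND article or the cited patent, the following Python model performs the check described above: each return address from a walked call stack is looked up in a map of allocated regions, and a return into memory that no allocation covers is flagged. It goes one step beyond the text by also flagging returns into mapped but non-executable memory such as the heap. All region names and addresses are constructed sample values, not taken from a real process.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Region:
    """One memory mapping known to the tracker: [start, end) and what backs it."""
    start: int         # inclusive
    end: int           # exclusive
    name: str          # backing module, or a label such as "heap"
    executable: bool

def locate(address: int, regions: List[Region]) -> Optional[Region]:
    """Return the mapping that contains address, or None if no allocation covers it."""
    for region in regions:
        if region.start <= address < region.end:
            return region
    return None

def check_return_addresses(stack: List[int], regions: List[Region]) -> List[Tuple[int, int, str, Optional[str]]]:
    """Classify every return address of a walked call stack as
    (frame index, address, verdict, region name). 'unmapped' is the signal the
    technique describes; 'non-executable' extends it to mapped non-code memory."""
    results = []
    for frame, addr in enumerate(stack):
        region = locate(addr, regions)
        if region is None:
            results.append((frame, addr, "unmapped", None))
        elif not region.executable:
            results.append((frame, addr, "non-executable", region.name))
        else:
            results.append((frame, addr, "ok", region.name))
    return results

def flagged(stack: List[int], regions: List[Region]) -> List[int]:
    """Return addresses the tracker would treat as pointing at malicious code."""
    return [addr for _, addr, verdict, _ in check_return_addresses(stack, regions)
            if verdict != "ok"]

# Constructed sample data (not from a real process): frame 2 returns into the heap, frame 3 into unallocated memory.
SAMPLE_REGIONS = [
    Region(0x7FF6A1B00000, 0x7FF6A1B50000, "app.exe", True),
    Region(0x7FFB10000000, 0x7FFB10200000, "ntdll.dll", True),
    Region(0x1C0A0000000, 0x1C0A0100000, "heap", False),
]
SAMPLE_STACK = [0x7FF6A1B01234, 0x7FFB10045678, 0x1C0A0020000, 0x2A000001000]

if __name__ == "__main__":
    for frame, addr, verdict, name in check_return_addresses(SAMPLE_STACK, SAMPLE_REGIONS):
        print(f"frame {frame}: {addr:#x} -> {verdict} ({name})")
```

The region map is the weak point the Considerations below describe: if the allocation information itself has been tampered with, a forged entry makes a malicious return address look legitimate.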
Considerations
Kernel malware can manipulate memory contents (for example, modifying pointers to hide processes) and so undermine the accuracy of the memory allocation information on which the analysis depends.
References
The following references were used to develop the Memory Boundary Tracking knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Inferential exploit attempt detection. Reference type: Patent. Organization: CrowdStrike Inc. Authors: Daniel W. Brown, Ion-Alexandru Ionescu, Loren C. Robinson.
D3FEND™
A knowledge graph of cybersecurity countermeasures