Process Self-Modification Detection
Definition
Detects processes that modify, change, or replace their own code at runtime.
How it Works
A security agent installed on the host machine intercepts API calls between a process and the operating system. The intercepted API calls are then compared against attack signatures/patterns to identify calls that modify executable memory or modify the entry point address of a suspended child process. Attack patterns include:
- Executable code of a suspended child process removed from memory by one or more API calls.
- New executable code injected and/or loaded into the memory of a suspended child process by one or more API calls.
- Executable code modified by one or more API calls.
- Next instruction pointer value in memory modified by one or more API calls.
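As an added illustration of the four patterns above (not code from the original article), the following toy detector walks a constructed trace of intercepted API calls and flags each pattern; the Windows API names are real, but their grouping, the trace field names and the sample trace are assumptions made for this example.

```python
# Constructed API classes. Real Windows API names are used for realism, but the
# grouping and the trace field names are assumptions made for this example.
CREATE_APIS = {"CreateProcessW", "NtCreateUserProcess"}
UNMAP_APIS = {"NtUnmapViewOfSection"}
INJECT_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"}
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread"}
CREATE_SUSPENDED = 0x00000004  # CreateProcess creation flag

def detect(trace):
    """Walk an intercepted-call trace and return (pid, pattern, target) findings.

    Each call is a dict: api, pid (caller), target (pid acted on), and for
    memory calls prot (page protection of the touched region, e.g. "RX").
    """
    suspended = set()  # children created suspended and not yet resumed
    findings = []
    for c in trace:
        api, pid, target = c["api"], c["pid"], c.get("target")
        executable = "X" in c.get("prot", "")
        if api in CREATE_APIS and c.get("flags", 0) & CREATE_SUSPENDED:
            suspended.add(c["child"])
        elif api in ("ResumeThread", "NtResumeThread"):
            suspended.discard(target)
        elif api in UNMAP_APIS and target in suspended and executable:
            findings.append((pid, "child_code_removed", target))      # pattern 1
        elif api in INJECT_APIS and target in suspended and executable:
            findings.append((pid, "child_code_injected", target))     # pattern 2
        elif api in INJECT_APIS and target == pid and executable:
            findings.append((pid, "own_code_modified", target))       # pattern 3
        elif api in CONTEXT_APIS and target in suspended:
            findings.append((pid, "entry_point_modified", target))    # pattern 4
    return findings

# Constructed trace: pid 100 replaces the code of its suspended child 200;
# pid 300 does a benign write into a non-executable region of a running
# process; pid 500 rewrites its own executable pages.
SAMPLE_TRACE = [
    {"api": "CreateProcessW", "pid": 100, "child": 200, "flags": 0x4},
    {"api": "NtUnmapViewOfSection", "pid": 100, "target": 200, "prot": "RX"},
    {"api": "WriteProcessMemory", "pid": 100, "target": 200, "prot": "RWX"},
    {"api": "SetThreadContext", "pid": 100, "target": 200},
    {"api": "ResumeThread", "pid": 100, "target": 200},
    {"api": "WriteProcessMemory", "pid": 300, "target": 400, "prot": "RW"},
    {"api": "WriteProcessMemory", "pid": 500, "target": 500, "prot": "RX"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_TRACE):
        print(finding)
```

The benign write by pid 300 is not flagged because the target is neither the caller nor a suspended child and the region is not executable; a real agent would read the page protection from the kernel rather than from the trace.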
Considerations
Comparing the loaded code segments of a process against what is expected to have been loaded from its file can produce false positives, because some programs legitimately self-modify to decrypt or decompress their code segments at runtime.