Prevention of Information Attacks by Run-Time Detection of Self-replication in Computer Codes - Computer Network Security - page 62

Information Technology Reference

In-Depth Information

Monitor

System Call Handler

[Fake]

Function Call

API Processing

Unit

System Call

Information Dispatcher

System Call Handler

[Original]

User Mode

Kernel Mode

System Call

Fig. 3. Functionality of the System Calls Monitor

Table 1. Typical system call layout

Process ID

1023

Thread ID

1

System Call

NtCreateFile

Input Arguments

Access Mask

11000000000100000000000

010000000 (bin)

Length

24

Dir pointer

12

Object Name

“virus.exe”

Attributes

1000000

(bin)

(Obj_Case_Insensitive)

Security

Descriptor

0

SecurityQoS

0

Allocation Size

0

File Attributes

10000000 (bin) (NORMAL)

Share Access

0

Create Disposition

1 (FILE_OPEN)

Create Options

1100000 (bin)

Buffer

NULL

Buffer Length

0

Output Arguments

File Handle

56

Status

Block

status

0

info

1 (FILE_OPENED)

Result

0 (SUCCESS)

Next Page

Computer Network Security

Search WWH ::

Custom Search

Home