Hypervisor-Based Interception of Memory Accesses

    Publication number: US20170255778A1

    Publication date: 2017-09-07

    Application number: US15063086

    Filing date: 2016-03-07

    Applicant: CrowdStrike, Inc.

    IPC classification: G06F21/57 G06F9/455

    Abstract: A security agent configured to initiate a security agent component as a hypervisor for a computing device is described herein. The security agent is further configured to determine a subset of memory locations in memory of the computing device to be intercepted. The security agent component may then set intercepts for the determined memory locations. Setting such intercepts may include setting privilege attributes for pages which include the determined memory locations so as to prevent specific operations in association with those memory locations. In response to one of those specific operations, the security agent component may return a false indication of success or allow the operation to enable monitoring of the actor associated with the operation. When an operation affects another memory location associated with one of the pages, the security agent component may temporarily reset the privilege attribute for that page to allow the operation.

    23. Integrity Assurance Through Early Loading in the Boot Phase
    Invention application (pending, published)

    Publication number: US20170061127A1

    Publication date: 2017-03-02

    Application number: US14810840

    Filing date: 2015-07-28

    Applicant: CrowdStrike, Inc.

    IPC classification: G06F21/57

    CPC classification: G06F21/575

    Abstract: Techniques utilizing library and pre-boot components to ensure that a driver associated with a kernel-mode component is initialized before other drivers during a boot phase are described herein. The library component is processed during a boot phase; the pre-boot component, which may be an alternative to the library component, is processed during a pre-boot phase. By ensuring that the driver is the first driver initialized, the components enable the driver to launch the kernel-mode component before other drivers are initialized. The library component may also determine whether another driver is to be initialized before the kernel-mode component driver, may ensure that the kernel-mode component driver is initialized first, and may alert the kernel-mode component. Also, the library component may retrieve information that is to be deleted by the operating system before initialization of drivers and may provide that information to the kernel-mode component.

    24. Social Sharing of Security Information in a Group
    Invention application (granted, in force)

    Publication number: US20150326614A1

    Publication date: 2015-11-12

    Application number: US14792177

    Filing date: 2015-07-06

    Applicant: CrowdStrike, Inc.

    IPC classification: H04L29/06

    Abstract: Techniques for social sharing of security information between client entities that form a group are described herein. The group of client entities is formed as a result of a security server providing one or more secure mechanisms for forming a group among client entities, the client entities each belonging to a different organization. The security service then automatically shares security information of a client entity in the group with one or more other client entities in the group.

    25. Event Model for Correlating System Component States
    Invention application (granted, in force)

    Publication number: US20150101044A1

    Publication date: 2015-04-09

    Application number: US14048920

    Filing date: 2013-10-08

    Applicant: CrowdStrike, Inc.

    IPC classification: G06F21/50

    Abstract: A computing device described herein is configured to receive a notification of an event associated with a plurality of system components. In response, the computing device determines a state for the system components based on a state for one of those system components specified in an event model. That specified state in the event model reflects a previous occurrence of another event.

    26. Irrelevant Code Identification
    Invention application (pending, published)

    Publication number: US20150033339A1

    Publication date: 2015-01-29

    Application number: US13953608

    Filing date: 2013-07-29

    Applicant: CrowdStrike, Inc.

    Inventor: Jason Geffner

    IPC classification: G06F21/56

    CPC classification: G06F21/56

    Abstract: The techniques described herein identify, and/or distinguish between, legitimate code and/or irrelevant code in programs so that an analyst does not have to spend additional time sifting through and/or considering the irrelevant code when viewing the code of the program. Therefore, the analyst can be more efficient when determining a type of a program (e.g., malware) and/or when determining the actions of the program. For instance, a security researcher may be tasked with identifying the malware and/or determining the harmful or deceptive actions the malware executes on a computer (e.g., deletion of a file, the targeting of sensitive information such as social security numbers or credit card numbers, etc.).

    Securely and efficiently providing user notifications about security actions

    Publication number: US11687649B2

    Publication date: 2023-06-27

    Application number: US17008038

    Filing date: 2020-08-31

    Applicant: Crowdstrike, Inc.

    Abstract: A security agent executing in kernel mode may receive a request from an anti-malware component executing with low privileges in user mode, and, in response, the security agent may perform a security action with respect to a malicious file detected on the computing device. The security agent may then assist the anti-malware component in providing a user notification about the security action by obtaining, on behalf of the anti-malware component, a user token associated with the user session in which the malicious file was detected. The anti-malware component can use the obtained user token to request a pointer to a Component Object Model (COM) interface for outputting the notification in the context of the appropriate user session, which allows for securely and efficiently providing the user notification.

    28. Malicious Incident Visualization
    Published application

    Publication number: US20230164152A1

    Publication date: 2023-05-25

    Application number: US18094580

    Filing date: 2023-01-09

    Applicant: CrowdStrike, Inc.

    IPC classification: H04L9/40

    Abstract: Techniques to provide visualizations of possible malicious incidents associated with an event on a host device may include causing presentation of graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst to verify the malicious incidents. Based on patterns and information conveyed in the visualizations, the computing device or host device may take action to protect the operation of the host device from the event.

    30. Firmware Retrieval and Analysis
    Granted patent

    Publication number: US11599641B2

    Publication date: 2023-03-07

    Application number: US16855585

    Filing date: 2020-04-22

    Applicant: CrowdStrike, Inc.

    Abstract: A bus filter driver and security agent components configured to retrieve and analyze firmware images are described herein. The bus filter driver may attach to a bus device associated with a memory component and retrieve a firmware image of firmware stored on the memory component. The bus filter driver may also retrieve hardware metadata. A kernel-mode component of the security agent may then retrieve the firmware image and hardware metadata from the bus filter driver and provide the firmware image and hardware metadata to a user-mode component of the security agent for security analysis. The security agent components may then provide results of the analysis and/or the firmware image and hardware metadata to a remote security service to determine a security status for the firmware.