Patexia Research
Issue Date Jan 21, 2021

Patent Application - Prevention of Hash-Based API Importing > Claims

  • 1. A method for preventing a hash-based application programming interface (API) importing comprising: allocating a name page and a guard page in memory, the name page and the guard page being associated with (i) an address of names array, (ii) an address of name ordinal array, and (iii) an address of functions array that are all generated by an operating system upon initiation of an application; filling the name page with valid non-zero characters; changing protections on the guard page to no access; and inserting an entry into the address of names array pointing to a relative virtual address corresponding to anywhere within the name page.
    • 2. The method of claim 1, wherein the name page and the guard page are both initially allocated with read write permissions.
    • 3. The method of claim 1, wherein the entry inserted into the address of names array is inserted at a beginning of the address of names array.
      • 4. The method of claim 3 further comprising: inserting a new entry at a beginning of the address of name ordinals array having any value.
    • 5. The method of claim 1, wherein the operating system is MICROSOFT WINDOWS.
    • 6. The method of claim 1, wherein the name page and the guard page are adjacent in the memory.
    • 7. The method of claim 1, wherein the filled name page does not include a null terminator.
    • 8. The method of claim 1 further comprising: traversing, by a hash algorithm, the address of names array until a pointer to the name page is selected; initially accessing, by the hash algorithm, the name page; subsequently accessing, by the hash algorithm, the guard page after determining that the name page does not include a NULL byte signifying end of a string encapsulated therein.
    • 9. The method of claim 1 further comprising: raising a memory access violation when the guard page is accessed.
      • 10. The method of claim 9 further comprising: catching, by a vectored exception handler, the memory access violation; and causing the program to affirmatively terminate rather than crash.
        • 11. The method of claim 10 further comprising: ignoring, by the vectored exception handler, exceptions other than the memory access violation causing the program to crash.
  • 12. A system for preventing a hash-based application programming interface (API) importing, the system comprising: at least one data processor; and memory storing instructions which, when executed by the at least one data processor, result in operations comprising: allocating a name page and a guard page in memory, the name page and the guard page being associated with (i) an address of names array, (ii) an address of name ordinal array, and (iii) an address of functions array that are all generated by an operating system upon initiation of an application; filling the name page with valid non-zero characters; changing protections on the guard page to no access; and inserting an entry into the address of names array pointing to a relative virtual address corresponding to anywhere within the name page.
    • 13. The system of claim 12, wherein the name page and the guard page are both initially allocated with read write permissions.
    • 14. The system of claim 12, wherein the entry inserted into the address of names array is inserted at a beginning of the address of names array; and wherein the operations further comprise: inserting a new entry at a beginning of the address of name ordinals array having any value.
    • 15. The system of claim 12, wherein the operating system is MICROSOFT WINDOWS.
    • 17. The system of claim 12, wherein the filled name page does not include a null terminator.
    • 18. The system of claim 12, wherein the operations further comprise: traversing, by a hash algorithm, the address of names array until a pointer to the name page is selected; initially accessing, by the hash algorithm, the name page; subsequently accessing, by the hash algorithm, the guard page after determining that the name page does not include a NULL byte signifying end of a string encapsulated therein.
    • 19. The system of claim 12, wherein the operations further comprise: raising a memory access violation when the guard page is accessed. catching, by a vectored exception handler, the memory access violation; causing the program to affirmatively terminate rather than crash; and ignoring, by the vectored exception handler, exceptions other than the memory access violation causing the program to crash.
  • 16. The system of claim 121, wherein the name page and the guard page are adjacent in the memory.
  • 20. A method comprising: traversing, by a hash algorithm associated with a program, an address of names array until a pointer to a name page is selected; initially accessing, by the hash algorithm, the name page; subsequently accessing, by the hash algorithm, a corresponding guard page after determining that the name page does not include a NULL byte signifying end of a string encapsulated therein; causing the program to terminate upon access of the guard page.
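
The mechanism in claims 1, 8 to 10 and 20, modelled as an added example (not code from the application): a decoy name with no terminator sits first in a names table, and a name-hashing walker runs off it into the guard page and is terminated by a handler. Assumptions: this is a POSIX analogue in which `mmap`/`mprotect` stand in for the Windows page allocation and protection calls, a `SIGSEGV` handler stands in for the vectored exception handler, and the table, export names, hash and exit code are constructed for illustration; the name ordinals and functions arrays are not modelled.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define TRIPPED 42                 /* exit code chosen for this model */
static const char *names[3];       /* stand-in for the address-of-names array */
static int n_names;

/* Name page + adjacent guard page (POSIX stand-ins, an assumption of this model). */
static char *make_decoy(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *p = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memset(p, 'A', pg);            /* valid non-zero bytes, no NUL terminator */
    return mprotect(p + pg, pg, PROT_NONE) == 0 ? p : NULL;
}

/* Generic rotate-and-add name hash: it keeps reading until it sees a NUL byte. */
static uint32_t hash_name(const char *s) {
    uint32_t h = 0;
    while (*s) h = ((h >> 13) | (h << 19)) + (uint8_t)*s++;
    return h;
}

/* Walk the table front to back, hashing every name until one matches. */
static int find_by_hash(uint32_t want) {
    for (int i = 0; i < n_names; i++)
        if (hash_name(names[i]) == want) return i;
    return -1;
}
static void on_segv(int sig) { (void)sig; _exit(TRIPPED); } /* terminate, not crash */

/* Runs the walker in a child process; returns the index it resolved,
   or TRIPPED if it ran into the guard page. */
int run_walker(int with_decoy) {
    n_names = 0;
    if (with_decoy && !(names[n_names++] = make_decoy())) return -1;
    names[n_names++] = "ExportA";  /* constructed export names */
    names[n_names++] = "ExportB";
    pid_t pid = fork();
    if (pid == 0) { signal(SIGSEGV, on_segv); _exit(find_by_hash(hash_name("ExportB"))); }
    int st = 0;
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}
```

Code that resolves a name by string comparison stops at the first mismatching byte of the decoy and never reaches the guard page; only a walker that consumes each name up to its terminator does.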