Independent Software Vendors (ISVs) currently produce a large number of software applications that run within the operating system (OS) context and offer management services to Enterprise information technology (IT) departments. Among the products being offered are asset tracking, application monitoring, system performance monitoring and provisioning, intrusion detection systems, and local firewalls. These products are installed using an agent/console model where the agent executes on a local client and communicates with a remote console. The remote console typically runs on a remote machine located elsewhere in the network. Typically, for security applications, the host agents have a supervisor mode or ring-0 component and may have a user mode component.
These software products are continually subjected to complex and evolving attacks by malware seeking to gain control of computer systems. Attacks can take on a variety of different forms ranging from attempts to crash a software program to subversion of the program for alternate purposes. More advanced attacks can even attempt to modify the program, and subsequently try to hide the modification from the system owner. Unfortunately, it is not difficult for an attacker who has gained supervisory privileges to compromise the agent model, by corrupting the process code or its associated data in memory.