Attackers may hijack or gain control of a computing device by injecting small portions of code (e.g., shellcode) into processes running on the device. For example, an attacker may insert a portion of code into an executable file that exploits security deficiencies of a device to open a command shell, which may be used by the attacker to control the device. Due to the potentially harmful consequences of these attacks (e.g., the unauthorized distribution of sensitive data and/or a user's loss of control of a computing device), security systems may attempt to detect and prevent maliciously-exploited processes on computing devices.
Unfortunately, traditional security services for detecting exploited or otherwise malicious processes may be unable to identify these processes until after they have already compromised a computing device. For example, a conventional security technology may determine that a process has been maliciously-exploited only after the process has performed one or more suspicious or dangerous behaviors. The instant disclosure, therefore, identifies and addresses a need for systems and methods for detecting malicious processes on computing devices.