To prevent malicious code from executing on computing devices, users often install protection systems on them; such protection systems include, but are not limited to, anti-malware systems (e.g., anti-virus systems) and anti-spyware systems. Malicious code that such protection systems are intended to detect includes viruses, rootkits, and other forms of malware. Currently available protection systems use various techniques to identify potential attacks on a computer system. One exemplary technique is to scan the computer-readable storage of a computing device to identify any files that may be harmful to it. Another technique employed by protection systems is referred to as active monitoring, wherein the protection system intercepts system events as they occur on the computing device and then interprets the associated state of each event in accordance with the goals of the protection system. Exemplary events intercepted by conventional protection systems include reading data from a file, writing data to a file, creating a new file, and opening a network connection, amongst other system events. The protection system may then analyze the state of the computing device to ascertain whether the event corresponds to an attack on the computer.
Some active monitoring solutions currently employed by conventional protection systems rely on primitives known as “code execution hooks.” To implement a code execution hook, existing code is patched or control data (such as function pointers) is modified so that the control flow of the operating system is diverted into a handler of the protection system each time an event of interest is triggered. More specifically, operating systems typically expose functions for performing system events. By monitoring system events, an inference can be made that one of the exposed functions has been called (e.g., a file read or file write function), and the protection system can be notified. A sophisticated attacker, however, may obtain a copy of the exposed functions and cause the copy to be executed without generating a corresponding system event, so the protection system is never notified.
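As an added illustration (not part of the original text), the following C program models the hooking mechanism just described with a constructed one-entry service table in user space: installing the hook overwrites the table entry with a handler that records the event and forwards to the saved original, and a second caller shows the blind spot from the final sentence, a call made through a private copy of the service that the handler never sees. The table, function names and paths are invented for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an OS service table (the "exposed functions" a
 * protection system hooks); not a real kernel structure. */
typedef int (*file_write_fn)(const char *path, const char *data);

static int os_file_write(const char *path, const char *data) {
    return (path && data) ? (int)strlen(data) : -1; /* bytes "written" */
}

static file_write_fn service_table[1] = { os_file_write };

/* Protection-system state: observed write events and the saved original. */
static int observed_write_events = 0;
static file_write_fn original_file_write = NULL;

/* Handler the hook diverts control flow into: record, then forward. */
static int hooked_file_write(const char *path, const char *data) {
    observed_write_events++;
    return original_file_write(path, data);
}

/* Install the hook by modifying control data (the table entry).
 * Returns 1 when installed, 0 if it was already in place. */
int install_file_write_hook(void) {
    if (original_file_write != NULL) return 0;
    original_file_write = service_table[0];
    service_table[0] = hooked_file_write;
    return 1;
}

int observed_events(void) { return observed_write_events; }
/* Normal path: callers go through the table, so the handler sees them. */
int write_via_table(const char *path, const char *data) {
    return service_table[0](path, data);
}
/* Blind spot described in the text: a caller holding its own copy of the
 * original service never passes through the handler. */
int write_via_private_copy(const char *path, const char *data) {
    return os_file_write(path, data);
}
int main(void) {
    install_file_write_hook();
    write_via_table("/tmp/a", "hello");
    write_via_private_copy("/tmp/a", "hello");
    printf("write events observed: %d of 2\n", observed_events());
    return 0;
}
```

The program reports one observed event for two writes; a real protection system has no signal that the second write happened, which is the gap the text describes.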
Another inherent flaw in conventional computer security is that protection systems are installed on the very computing devices they are configured to protect. Therefore, if a malicious process is able to obtain sufficient privileges, it can disable the protection system on the computing device, rendering that protection system ineffective against attacks directed at the device.