1. Field of the Invention
The present invention relates generally to computers. More particularly, the present invention relates to a method and apparatus for monitoring code injection into a process executing on a computer.
2. Description of the Related Art
In computing, a “process” is generally a set of instructions (“code”) being executed by a computer. A computer typically executes several different processes. A process may include one or more “threads”. A thread is generally an individual task being performed by the process. Computer operating systems are typically multi-threaded such that multiple threads can execute concurrently.
Some operating systems support the injection of data into a process from a source outside of the process (generally referred to as “injection”). For example, some MICROSOFT WINDOWS operating systems support application programming interface (API) functions for writing data to an area of memory dedicated to a process, e.g., the WriteProcessMemory function as defined in the WIN32 API. Such API functions can be used to inject code into a process (“code injection”) with the intent that the process execute the injected code. Code injection can be used as a valid mechanism for modifying execution of a process. However, code injection can also be used to inject malicious code into a process in order to achieve various malevolent purposes, such as gaining information, privileges, or computer access without authorization. For example, code injection can be used to execute code within a trusted process as a way to circumvent security software. Some mechanisms for dealing with malicious code injection involve alerting the user every time a code injection operation is requested, and allowing the user to accept or deny the proposed code injection. Such alerts, however, presuppose that the user is experienced enough to understand why the code injection is being requested and whether to allow or deny it. Less savvy users may be confused and/or frustrated by such alerts, which increases the chances that they will inadvertently allow malicious code to be executed by their computers.
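As an added illustration of the monitoring problem described above (this is example code written for this page, not the method claimed by the patent or any product's implementation), the following script classifies cross-process memory-access records without prompting the user. It assumes Sysmon-style ProcessAccess fields (SourceImage, TargetImage, GrantedAccess), uses the documented Win32 access-right constants that WriteProcessMemory requires on the target handle (PROCESS_VM_WRITE and PROCESS_VM_OPERATION), and the log lines, the allow-list of trusted writers, and the list of protected targets are all constructed for the example.

```python
"""Classify cross-process memory writes from Sysmon-style ProcessAccess records.

Added example for this page; not the patented method. Field names follow
Sysmon Event ID 10, the record format and all sample data are constructed.
"""
from dataclasses import dataclass

# Win32 process access rights (winnt.h). WriteProcessMemory needs the handle to
# hold both PROCESS_VM_WRITE and PROCESS_VM_OPERATION; remote-thread injection
# additionally needs PROCESS_CREATE_THREAD.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumption for the example: tools known to write into other processes for
# legitimate reasons (debuggers, crash reporters). Paths are hypothetical.
TRUSTED_WRITERS = {
    r"c:\windows\system32\werfault.exe",
    r"c:\program files\windbg\windbg.exe",
}

# Assumption for the example: processes whose address space must not be
# written by arbitrary code (credential store, security software).
PROTECTED_TARGETS = {
    r"c:\windows\system32\lsass.exe",
    r"c:\program files\antivirus\avservice.exe",
}


@dataclass(frozen=True)
class ProcessAccess:
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    granted_access: int


def parse_event(line: str) -> ProcessAccess:
    """Parse one 'Key=Value|Key=Value' record (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessAccess(
        source_image=fields["SourceImage"].lower(),
        source_pid=int(fields["SourceProcessId"]),
        target_image=fields["TargetImage"].lower(),
        target_pid=int(fields["TargetProcessId"]),
        granted_access=int(fields["GrantedAccess"], 16),
    )


def classify(ev: ProcessAccess) -> str:
    """Return 'ignore', 'allow', 'suspicious' or 'high' for one access record."""
    if ev.source_pid == ev.target_pid:
        return "ignore"  # a process touching its own memory is not injection
    if (ev.granted_access & WRITE_MASK) != WRITE_MASK:
        return "ignore"  # handle cannot be used with WriteProcessMemory at all
    if ev.source_image in TRUSTED_WRITERS:
        return "allow"  # known-legitimate writer, no user prompt needed
    if ev.target_image in PROTECTED_TARGETS:
        return "high"  # write access into a protected process
    if ev.granted_access & PROCESS_CREATE_THREAD:
        return "high"  # write + thread creation: classic remote-thread injection
    return "suspicious"  # write access into an ordinary process by an unknown source


def triage(lines):
    """Classify every record; returns (verdict, source_image, target_image) tuples."""
    results = []
    for line in lines:
        ev = parse_event(line)
        results.append((classify(ev), ev.source_image, ev.target_image))
    return results


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\WerFault.exe|SourceProcessId=4120|"
    "TargetImage=C:\\Windows\\notepad.exe|TargetProcessId=2210|GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe|SourceProcessId=5016|"
    "TargetImage=C:\\Windows\\System32\\lsass.exe|TargetProcessId=712|GrantedAccess=0x1438",
    "SourceImage=C:\\Windows\\System32\\taskmgr.exe|SourceProcessId=3304|"
    "TargetImage=C:\\Windows\\explorer.exe|TargetProcessId=1880|GrantedAccess=0x0400",
    "SourceImage=C:\\Users\\bob\\Downloads\\tool.exe|SourceProcessId=6008|"
    "TargetImage=C:\\Windows\\explorer.exe|TargetProcessId=1880|GrantedAccess=0x002A",
    "SourceImage=C:\\Program Files\\Vendor\\installer.exe|SourceProcessId=6100|"
    "TargetImage=C:\\Windows\\notepad.exe|TargetProcessId=2210|GrantedAccess=0x0028",
]

if __name__ == "__main__":
    for verdict, src, dst in triage(SAMPLE_EVENTS):
        print(f"{verdict:10s} {src} -> {dst}")
```

The first filter matters most: an access mask without PROCESS_VM_WRITE and PROCESS_VM_OPERATION cannot be used for WriteProcessMemory, so those records are dropped before any policy is consulted, which keeps the number of decisions (and in a prompting design, the number of user alerts) small. Only the remaining writes are judged against the source and target, so the user is never asked about the 0x0400 query-only handle that a task manager opens.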
Accordingly, there exists a need in the art for monitoring code injection into a process executing on a computer that overcomes the aforementioned deficiencies.