1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for protecting computers against argument switch attacks.
2. Description of the Background Art
Computer viruses, worms, Trojans, rootkits, and spyware are examples of malicious codes that have plagued computer systems throughout the world. Although there are technical differences between each type of malicious code, technology for detecting malicious codes is generally referred to as “antivirus.” Malicious codes have become so prevalent that most experienced computer users run some form of antivirus on their computers. Antivirus for scanning data for malicious codes is commercially available from several vendors, including Trend Micro, Inc.
To detect malicious codes, an antivirus needs a way to intercept and evaluate potentially harmful events in the computer it is protecting. “SSDT hooking” is a popular antivirus interception technique whereby the antivirus modifies the contents of the system service descriptor table (SSDT), the kernel's table of system service entry points, so that selected system calls are redirected to the antivirus before reaching the original kernel function. Unfortunately, SSDT hooking can be bypassed using the so-called “argument switch” attack, as described by researchers of matousec.com. In a nutshell, an argument switch attack changes the arguments of a system call after the antivirus hook has inspected them and deemed the call safe (i.e., non-malicious) but before the original kernel function reads them. Because the arguments typically reside in user-mode memory, a second thread of the calling process can overwrite them in the window between the hook's check and the kernel's use of them, so the kernel carries out an operation that the antivirus never saw (a time-of-check-to-time-of-use race). Argument switch attacks present a major problem because most commercially available antivirus relies on SSDT hooking. Worse, argument switch attacks are relatively easy to perpetrate given that they require no special privileges and may be initiated even by applications running in user mode.
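The following is an added, self-contained illustration of the race just described; it is not code from the patent or from any antivirus product. The Windows kernel, the SSDT, and the attacker's second thread are all simulated: the user-mode argument block is a plain struct, the original system service is a function that re-reads that struct, and the race is made deterministic by invoking the attacker as a callback in the window between the hook's check and the original service's use. The path names, the policy, and the function names are constructed for the example. A vulnerable hook that validates the user buffer in place is shown beside a hardened hook that captures the arguments into private memory once and forwards the captured copy.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simulated SSDT hook versus the argument switch (TOCTOU) race.
 * Everything here is a model: no real kernel, SSDT, or threads. */

#define PATH_MAX_LEN 64
#define PROTECTED_PREFIX "C:\\protected\\"   /* constructed policy */

/* Argument block as a user-mode thread passes it to the system service. */
typedef struct {
    char path[PATH_MAX_LEN];
} user_args_t;

/* The attacker's racing thread, modelled as a callback (assumption). */
typedef void (*race_fn)(user_args_t *ua);

/* AV policy: deny anything under the protected directory. */
static int policy_allows(const char *path)
{
    return strncmp(path, PROTECTED_PREFIX, strlen(PROTECTED_PREFIX)) != 0;
}

/* Original system service: reads the argument block from user memory
 * again, exactly as the real service does after the hook forwards to it. */
static int orig_open(const user_args_t *ua, char *opened, size_t n)
{
    strncpy(opened, ua->path, n - 1);
    opened[n - 1] = '\0';
    return 0;               /* 0 = success; opened path recorded in 'opened' */
}

/* Vulnerable hook: checks the user-mode buffer in place, then forwards to
 * the original service, which re-reads that same buffer. */
int hooked_open_vulnerable(user_args_t *ua, race_fn attacker,
                           char *opened, size_t n)
{
    if (!policy_allows(ua->path))
        return -1;          /* denied on the first look */
    if (attacker)
        attacker(ua);       /* race window: the argument is switched here */
    return orig_open(ua, opened, n);
}

/* Hardened hook: copy the argument block into private memory once (a real
 * driver would ProbeForRead and copy under SEH), check the copy, forward
 * the copy. Later user-mode writes hit a buffer nobody reads again. */
int hooked_open_hardened(user_args_t *ua, race_fn attacker,
                         char *opened, size_t n)
{
    user_args_t captured;
    memcpy(&captured, ua, sizeof captured);
    if (!policy_allows(captured.path))
        return -1;
    if (attacker)
        attacker(ua);       /* same switch, now against a stale buffer */
    return orig_open(&captured, opened, n);
}

/* Attacker callback: swap the benign path for a protected one. */
static void switch_argument(user_args_t *ua)
{
    strncpy(ua->path, PROTECTED_PREFIX "sam", PATH_MAX_LEN - 1);
    ua->path[PATH_MAX_LEN - 1] = '\0';
}

/* One call through 'hook' with a benign path and the racing attacker.
 * Returns the hook's status; 'opened' receives what the service opened. */
int run_attack(int (*hook)(user_args_t *, race_fn, char *, size_t),
               char *opened, size_t n)
{
    user_args_t ua;
    strncpy(ua.path, "C:\\temp\\benign.txt", PATH_MAX_LEN - 1);
    ua.path[PATH_MAX_LEN - 1] = '\0';
    return hook(&ua, switch_argument, opened, n);
}

/* Honest request for the protected path, no race: both hooks must deny it. */
int run_direct(int (*hook)(user_args_t *, race_fn, char *, size_t))
{
    char opened[PATH_MAX_LEN];
    user_args_t ua;
    strncpy(ua.path, PROTECTED_PREFIX "sam", PATH_MAX_LEN - 1);
    ua.path[PATH_MAX_LEN - 1] = '\0';
    return hook(&ua, NULL, opened, sizeof opened);
}

int main(void)
{
    char opened[PATH_MAX_LEN];
    int rc = run_attack(hooked_open_vulnerable, opened, sizeof opened);
    printf("vulnerable hook: rc=%d opened=%s\n", rc, opened);
    rc = run_attack(hooked_open_hardened, opened, sizeof opened);
    printf("hardened hook:   rc=%d opened=%s\n", rc, opened);
    return 0;
}
```

With the vulnerable hook the call succeeds and the service opens the protected path even though the hook only ever approved the benign one; with the hardened hook the same switch is harmless because the service works from the captured copy. The capture-once fix is only complete for a flat argument block. Real Windows services take structures that point to further user-mode memory (an OBJECT_ATTRIBUTES whose ObjectName points at a UNICODE_STRING whose Buffer points at the characters), and every level must be captured before any of it is checked, which is one reason interception through kernel-provided callbacks that run after the kernel has already captured the arguments (filesystem minifilters, registry and object callbacks) is more robust than patching the SSDT.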