RPC call interception
    Granted patent

    Publication (announcement) number: US10356047B2

    Publication (announcement) date: 2019-07-16

    Application number: US14098246

    Filing date: 2013-12-05

    Abstract: A service proxy is described herein. The service proxy is configured to act as an intermediary between a client and a service. The service proxy may observe communications, modify communications, log communications, or the like, particularly so as to enhance the security and reliability of the host device. In some implementations, the service proxy may cooperate with an operating system to take over a named port object. In some implementations, the service proxy may receive messages as an intermediary between the client and the server. In some implementations, the service proxy may attach to a shared memory to intercept communications. In some implementations, the service proxy may be injected into a client process to appear to be the client itself.

    DETECTING SCRIPT-BASED MALWARE
    Patent application

    Publication (announcement) number: US20190188384A1

    Publication (announcement) date: 2019-06-20

    Application number: US16224678

    Filing date: 2018-12-18

    CPC classification number: G06F21/566 G06F21/51 G06F21/554 G06F2221/034

    Abstract: Described herein are systems, techniques, and computer program products for preventing execution, by a scripting engine, of harmful commands that may be introduced by computer malware or other mechanisms. The system identifies certain host processes that may attempt to utilize a hosted scripting engine. An unmanaged interface module is injected into an identified host process. The unmanaged interface module is configured to detect certain conditions indicating the likelihood that a scripting engine will be instantiated, and in response to inject a managed interface module into the host process. The managed interface module hooks into certain methods of the scripting engine to intercept commands before they are executed by the scripting engine. The managed and unmanaged interface components then communicate with a kernel-mode threat detection component to determine whether any commands should be blocked.

    Hypervisor-Based Interception of Memory Accesses

    Publication (announcement) number: US20170255778A1

    Publication (announcement) date: 2017-09-07

    Application number: US15063086

    Filing date: 2016-03-07

    Abstract: A security agent configured to initiate a security agent component as a hypervisor for a computing device is described herein. The security agent is further configured to determine a subset of memory locations in memory of the computing device to be intercepted. The security agent component may then set intercepts for the determined memory locations. Setting such intercepts may include setting privilege attributes for pages which include the determined memory locations so as to prevent specific operations in association with those memory locations. In response to one of those specific operations, the security agent component may return a false indication of success or allow the operation to enable monitoring of the actor associated with the operation. When an operation affects another memory location associated with one of the pages, the security agent component may temporarily reset the privilege attribute for that page to allow the operation.

    Integrity Assurance Through Early Loading in the Boot Phase
    Patent application (status: pending, published)

    Publication (announcement) number: US20170061127A1

    Publication (announcement) date: 2017-03-02

    Application number: US14810840

    Filing date: 2015-07-28

    CPC classification number: G06F21/575

    Abstract: Techniques utilizing library and pre-boot components to ensure that a driver associated with a kernel-mode component is initialized before other drivers during a boot phase are described herein. The library component is processed during a boot phase; the pre-boot component, which may be an alternative to the library component, is processed during a pre-boot phase. By ensuring that the driver is the first driver initialized, the components enable the driver to launch the kernel-mode component before other drivers are initialized. The library component may also determine whether another driver is to be initialized before the kernel-mode component driver, may ensure that the kernel-mode component driver is initialized first, and may alert the kernel-mode component. Also, the library component may retrieve information that is to be deleted by the operating system before initialization of drivers and may provide that information to the kernel-mode component.

    Securely and efficiently providing user notifications about security actions

    Publication (announcement) number: US11687649B2

    Publication (announcement) date: 2023-06-27

    Application number: US17008038

    Filing date: 2020-08-31

    CPC classification number: G06F21/554 G06F9/545 G06F9/547 G06F21/33 G06F21/566

    Abstract: A security agent executing in kernel mode may receive a request from an anti-malware component executing with low privileges in user mode, and, in response, the security agent may perform a security action with respect to a malicious file detected on the computing device. The security agent may then assist the anti-malware component in providing a user notification about the security action by obtaining, on behalf of the anti-malware component, a user token associated with the user session in which the malicious file was detected. The anti-malware component can use the obtained user token to request a pointer to a Component Object Model (COM) interface for outputting the notification in the context of the appropriate user session, which allows the user notification to be provided securely and efficiently.

    Firmware retrieval and analysis
    Granted patent

    Publication (announcement) number: US11599641B2

    Publication (announcement) date: 2023-03-07

    Application number: US16855585

    Filing date: 2020-04-22

    Abstract: A bus filter driver and security agent components configured to retrieve and analyze firmware images are described herein. The bus filter driver may attach to a bus device associated with a memory component and retrieve a firmware image of firmware stored on the memory component. The bus filter driver may also retrieve hardware metadata. A kernel-mode component of the security agent may then retrieve the firmware image and hardware metadata from the bus filter driver and provide the firmware image and hardware metadata to a user-mode component of the security agent for security analysis. The security agent components may then provide results of the analysis and/or the firmware image and hardware metadata to a remote security service to determine a security status for the firmware.

    Verified inter-module communications interface

    Publication (announcement) number: US11423186B2

    Publication (announcement) date: 2022-08-23

    Application number: US16248315

    Filing date: 2019-01-15

    Abstract: Some example computing systems herein include two modules, e.g., drivers. A first module can instantiate an interface associated with a service routine, receive a verification message by the service routine, and send a confirmation message in response via the interface. A second module can locate the interface, open a handle to the interface, send the verification message via the handle (the verification message identifying at least an interface type or a version), and receive, via the handle, the confirmation message associated with the verification message. In some examples, the first driver is a Plug and Play driver. In some examples, the first module can receive, by the service routine, a command associated with the interface; determine that the command is a valid command based at least in part on stored command data; and send, via the interface, a response to the command.

    Security component for devices on an enumerated bus

    Publication (announcement) number: US11113425B2

    Publication (announcement) date: 2021-09-07

    Application number: US15873670

    Filing date: 2018-01-17

    Abstract: A plug-and-play (PnP) driver associated with a security agent is described herein. The PnP driver attaches to device stacks of enumerated bus devices of a computing device as upper-device or lower-device filters based on the device classes of the enumerated bus devices. For example, the PnP driver may attach to the device stack of a hub or controller device as an upper-device filter and to device stacks of other devices as lower-device filters. Either while attaching or after attachment, the PnP driver may take action to alter, limit, or otherwise block functionality of an enumerated bus device. The PnP driver may also perform a system inventory of enumerated bus devices connected to the computing device and create fingerprints for one or more of the computing devices. Additionally, the PnP driver may create and remove control device objects (CDOs) to enable communication with user-mode processes or threads.
