D3-MBT

Detect
Memory Boundary Tracking

Definition

Analyzing a call stack for return addresses which point to unexpected memory locations.

How it works

This technique monitors for indicators of whether a return address is outside memory previously allocated for an object (i.e. function, module, process, or thread). If so, code that the return address points to is treated as malicious code.

Considerations

Kernel malware can manipulate memory contents, for example modifying pointers to hide processes, and thereby impact the accuracy of memory allocation information used to perform the analysis.

Artifact Relationships

This defensive technique relates to specific digital artifacts.

analyzes
Memory Boundary Tracking
Process Code Segment

References

Reference - Inferential exploit attempt detection - Crowdstrike Inc