A computer is protected from argument switch attacks by intercepting a function call to terminate a process. The function call and a handle used as an argument in the function call are forwarded by an antivirus system service descriptor table to an antivirus. The antivirus is configured to evaluate the function call to determine whether or not the function call is terminating an antivirus process. A consistent handle table includes a listing of handles of processes employed as arguments in function calls that terminate processes and are approved by the antivirus. Instructions that close a handle are detected by the antivirus, which compares the handle to those in the consistent handle table. The antivirus blocks those instructions that close a handle that is included in the consistent handle table.
展开▼
