Page replacement code injection

US 10,089,461 B1
Filed: 09/30/2013
Issued: 10/02/2018
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for behavior monitoring, comprising:

loading, by a virtual machine monitor (VMM), a first code section of a target program into a first memory page allocated to a virtual machine (VM);

injecting, by the VMM, a second code section into the target program by changing an address at which the target program executes from a first address to a second address, the first address being a location of the first code section and the second address being a location of the second code section, wherein the second code section includes a plurality of Instructions directed toward detecting a first type of malware, wherein the second code section is injected via execution of an injection thread while one or more threads processing a content specimen are paused; and

determining the content specimen is suspicious when an anomalous behavior of the content specimen is detected according to execution of the injected second code section, wherein the second code section is injected after the target program and the content specimen have been loaded within the VM.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for malicious content detection using code injection are described herein. In one embodiment a first code section of a target program is loaded into a first memory page of a virtual machine (VM) hosted by a virtual machine monitor (VMM). The target program to receive code injection. The VMM injects a second code section into the target program by replacing the first code section with a second code section loaded in a second memory page. Determining a behavior of a content specimen using the injected second code section instead of the first code section, and the second code section is injected after the target program.

404 Citations

23 Claims

1. A computer-implemented method for behavior monitoring, comprising:
- loading, by a virtual machine monitor (VMM), a first code section of a target program into a first memory page allocated to a virtual machine (VM);
  
  injecting, by the VMM, a second code section into the target program by changing an address at which the target program executes from a first address to a second address, the first address being a location of the first code section and the second address being a location of the second code section, wherein the second code section includes a plurality of Instructions directed toward detecting a first type of malware, wherein the second code section is injected via execution of an injection thread while one or more threads processing a content specimen are paused; and
  
  determining the content specimen is suspicious when an anomalous behavior of the content specimen is detected according to execution of the injected second code section, wherein the second code section is injected after the target program and the content specimen have been loaded within the VM.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein a memory location of the first memory page is an address reserved in response to creating an executable of the target program.
  - 3. The computer-implemented method of claim 1, further comprising:
    - detecting, by the VMIM, an injection ready status of the target program that has been loaded in the VM, wherein the injection ready status is a waiting state implemented by code of the target program to allow a code injection module to inject the second code section prior to executing the first code section.
  - 4. The computer-implemented method of claim 1, further comprising:
    - detecting, by the VMIM, a malware threat detection analysis of the target program; and
      
      selecting one of a plurality of code sections for injection in response to the respective behavior of the content specimen.
  - 5. The computer-implemented method of claim 1, wherein the second code section is received by the VMM from a remote facility over a network after the target program has been received by a data processing system in which the VM and the VMM are executed.
  - 6. The computer-implemented method of claim 1, wherein the first address and second address are both physical addresses, the first address being different than the second address.
  - 7. The computer-implemented method of claim 1, wherein the second code section initiates a memory dump to capture information associated with the content specimen.
  - 8. The computer-implemented method of claim 1, wherein the anomalous behavior is a behavior that identifies that the content specimen is suspicious.

9. A non-transitory machine-readable medium storing instructions, which when executed by a processor, cause the processor to perform a method for behavior monitoring, the method comprising:
- loading a first code section of a target program into a first memory page of a virtual machine (VM) hosted by a virtual machine monitor (VMM);
  
  injecting, by the VMM, a second code section into the target program by changing an address at which the target program executes the target program from a first address to a second address, the first address being a location of the first code section and the second address being a location of the second code section, wherein the second code section includes a plurality of instructions directed toward detecting a first type of malware, wherein the second code section is injected via execution of an injection thread while one or more threads processing a content specimen are paused; and
  
  determining the content specimen is suspicious when an anomalous behavior of the content specimen is detected according to the injected second code section instead of the first code section, wherein the second code section is injected after the target program and the content specimen have been loaded within the VM.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory machine-readable medium of claim 9, wherein a memory location of the first memory page is an address reserved in response to creating an executable of the target program.
  - 11. The non-transitory machine-readable medium of claim 9, further comprising:
    - detecting, by the VMIM, an injection ready status of the target program that has been loaded in the VM, wherein the injection ready status is a waiting state implemented by code of the target program to allow a code injection module to inject the second code section prior to executing the first code section.
  - 12. The non-transitory machine-readable medium of claim 9, further comprising:
    - detecting, by the VMIM, a malware threat detection analysis of the target program; and
      
      selecting one of a plurality of code sections for injection in response to the respective behavior of the content specimen.
  - 13. The non-transitory machine-readable medium of claim 9, wherein the second code section is received by the VMM from a remote facility over a network after the target program has been received by a data processing system in which the VM and the VMM are executed.
  - 14. The non-transitory machine-readable medium of claim 9, wherein the first address and second address are both physical addresses, the first address being different than the second address.
  - 15. The non-transitory machine-readable medium of claim 9, wherein the second code section initiates a memory dump to capture information associated with the content specimen.
  - 16. The non-transitory machine-readable medium of claim 9, wherein the anomalous behavior is a behavior that identifies that the content specimen is suspicious.

17. A malicious content detection system, comprising:
- one or more processors; and
  
  a storage communicatively coupled to the one or more processors, the storage having stored thereon,a controller configured to load a first code section of a behavior module into a first memory page of a virtual machine (VM), the behavior module to monitor and detect whether a content specimen within the VM is malware,a code injection module configured to inject a second code section into the behavior module by changing an address at which the target program executes from a first address to a second address, the first address being a location of the first code section and the second address being a location of the second code section, wherein the second code section includes a plurality of instructions directed toward detecting a first type of malware, wherein the second code section is injected via execution of an injection thread while one or more threads processing a content specimen are paused, andthe behavior module further configured to determine the content specimen is suspicious when an anomalous behavior of the content specimen is detected according to execution of the second code section, wherein the second code section is injected after the behavior module and the content specimen have been loaded within the VM.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The malicious content detection system of claim 17, wherein a memory location of the first memory page is an address reserved in response to creating an executable of the target program.
  - 19. The malicious content detection system of claim 17, wherein the code injection module is further configured to cause the system to:
    - detect an injection ready status of the behavior module that has been loaded in the VM, wherein the injection ready status is a waiting state implemented by the behavior module code to allow the code injection module to inject the second code section prior to executing the first code section.
  - 20. The malicious content detection system of claim 17, wherein the second code section is received by the code injection module from a remote facility over a network after the behavior module has been received by a data processing system in which the VM and the code injection module are executed.
  - 21. The malicious content detection system of claim 17, wherein the first address and second address are both physical addresses, the first address being different than the second address.
  - 22. The system malicious content detection of claim 17, wherein the second code section initiates a memory dump to capture information associated with the content specimen.
  - 23. The malicious content detection system of claim 17, wherein the anomalous behavior is a behavior that identifies that the content specimen is suspicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ha, Phung-Te, Tonkonoh, Seva, Ismael, Osman Abdoul
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Truong, Thong

Application Number

US14/042,465
Time in Patent Office

1,828 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56 Computer malware detection ...

Page replacement code injection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

404 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Page replacement code injection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

404 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links