Page replacement code injection
Abstract
Techniques for malicious content detection using code injection are described herein. In one embodiment, a first code section of a target program is loaded into a first memory page of a virtual machine (VM) hosted by a virtual machine monitor (VMM). The target program is the program that receives the code injection. The VMM injects a second code section into the target program by replacing the first code section with a second code section loaded in a second memory page. A behavior of a content specimen is determined using the injected second code section instead of the first code section, and the second code section is injected after the target program has been loaded within the VM.
23 Claims
1. A computer-implemented method for behavior monitoring, comprising:

loading, by a virtual machine monitor (VMM), a first code section of a target program into a first memory page allocated to a virtual machine (VM);

injecting, by the VMM, a second code section into the target program by changing an address at which the target program executes from a first address to a second address, the first address being a location of the first code section and the second address being a location of the second code section, wherein the second code section includes a plurality of instructions directed toward detecting a first type of malware, wherein the second code section is injected via execution of an injection thread while one or more threads processing a content specimen are paused; and

determining the content specimen is suspicious when an anomalous behavior of the content specimen is detected according to execution of the injected second code section, wherein the second code section is injected after the target program and the content specimen have been loaded within the VM.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A non-transitory machine-readable medium storing instructions, which when executed by a processor, cause the processor to perform a method for behavior monitoring, the method comprising:

loading a first code section of a target program into a first memory page of a virtual machine (VM) hosted by a virtual machine monitor (VMM);

injecting, by the VMM, a second code section into the target program by changing an address at which the target program executes the target program from a first address to a second address, the first address being a location of the first code section and the second address being a location of the second code section, wherein the second code section includes a plurality of instructions directed toward detecting a first type of malware, wherein the second code section is injected via execution of an injection thread while one or more threads processing a content specimen are paused; and

determining the content specimen is suspicious when an anomalous behavior of the content specimen is detected according to the injected second code section instead of the first code section, wherein the second code section is injected after the target program and the content specimen have been loaded within the VM.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A malicious content detection system, comprising:

one or more processors; and

a storage communicatively coupled to the one or more processors, the storage having stored thereon:

a controller configured to load a first code section of a behavior module into a first memory page of a virtual machine (VM), the behavior module to monitor and detect whether a content specimen within the VM is malware;

a code injection module configured to inject a second code section into the behavior module by changing an address at which the target program executes from a first address to a second address, the first address being a location of the first code section and the second address being a location of the second code section, wherein the second code section includes a plurality of instructions directed toward detecting a first type of malware, wherein the second code section is injected via execution of an injection thread while one or more threads processing a content specimen are paused; and

the behavior module further configured to determine the content specimen is suspicious when an anomalous behavior of the content specimen is detected according to execution of the second code section, wherein the second code section is injected after the behavior module and the content specimen have been loaded within the VM.

Dependent claims: 18, 19, 20, 21, 22, 23.