Methods and system for hiding transition events for malware detection
First Claim
1. A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including:
- processing of an object within a virtual machine;
intercepting an attempted execution of an instruction by the object, the instruction located on a page in memory associated with the virtual machine;
responsive to determining the page includes instructions corresponding to one of a set of function calls, (i) inserting a first transition event into the memory associated with the virtual machine at a location of a first instruction of the instructions corresponding to a function call of the set of function calls wherein the location is on the page in the memory, and (ii) setting a permission of the page to be execute only; and
responsive to further processing within the virtual machine causing an attempt to read from or write to the page including the first transition event, (i) halting at least a portion of the processing within the virtual machine, (ii) performing an analysis of at least one last branch record (LBR) of a virtual central processing unit (CPU) of the virtual machine, and (iii) based on the analysis of the at least one LBR, determining whether the processing displays characteristics of a return-oriented programming (ROP) attack.
5 Assignments
0 Petitions
Accused Products
Abstract
A method for hiding transition events during malware detection comprising processing of an object within a VM, intercepting an attempted execution of an instruction located on a page in memory associated with the VM, responsive to determining the page includes instructions corresponding to one of a predefined set of function calls, (i) inserting a first transition event into the memory at a location on the page of a first instruction of the instructions, and (ii) setting a permission of the page to be execute only, and responsive to further processing within the VM causing an attempt to read from or write to the page including the first transition event, (i) halting processing within the VM, (ii) removing the first transition event, (iii) setting the permission of the page to prohibit execution, and (iv) resuming the processing is shown.
595 Citations
25 Claims
-
1. A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including:
-
processing of an object within a virtual machine; intercepting an attempted execution of an instruction by the object, the instruction located on a page in memory associated with the virtual machine; responsive to determining the page includes instructions corresponding to one of a set of function calls, (i) inserting a first transition event into the memory associated with the virtual machine at a location of a first instruction of the instructions corresponding to a function call of the set of function calls wherein the location is on the page in the memory, and (ii) setting a permission of the page to be execute only; and responsive to further processing within the virtual machine causing an attempt to read from or write to the page including the first transition event, (i) halting at least a portion of the processing within the virtual machine, (ii) performing an analysis of at least one last branch record (LBR) of a virtual central processing unit (CPU) of the virtual machine, and (iii) based on the analysis of the at least one LBR, determining whether the processing displays characteristics of a return-oriented programming (ROP) attack. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. An electronic device comprising:
-
one or more processors; a storage device including a non-transitory computer-readable medium for storing logic, the logic being executable by the one or more processors to perform operations including; processing of an object within a virtual machine; intercepting an attempted execution of an instruction by the object, the instruction located on a page in memory associated with the virtual machine; responsive to determining the page includes instructions corresponding to one of a set of function calls, (i) inserting a first transition event into the memory associated with the virtual machine at a location of a first instruction of the instructions corresponding to a function call of the set of function calls, wherein the location is on the page in the memory, and (ii) setting a permission of the page to be execute only; and responsive to further processing within the virtual machine causing an attempt to read from or write to the page including the first transition event, (i) halting at least a portion of the processing within the virtual machine, (ii) performing an analysis of at least one last branch record (LBR) of a virtual central processing unit (CPU) of the virtual machine, and (iii) based on the analysis of the at least one LBR, determining whether the processing displays characteristics of a return-oriented programming (ROP) attack. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
-
17. A method for hiding transition events during malware detection comprising:
-
processing of an object within a virtual machine; intercepting an attempted execution of an instruction by the object, the instruction located on a page in memory associated with the virtual machine; responsive to determining the page includes instructions corresponding to one of a set of function calls, (i) inserting a first transition event into the memory associated with the virtual machine at a location of a first instruction of the instructions corresponding to a function call of the set of function calls, wherein the location is on the page in the memory, and (ii) setting a permission of the page to be execute only; and responsive to further processing within the virtual machine causing an attempt to read from or write to the page including the first transition event, (i) halting at least a portion of the processing within the virtual machine, (ii) performing an analysis of at least one last branch record (LBR) of a virtual central processing unit (CPU) of the virtual machine, and (iii) based on the analysis of the at least one LBR, determining whether the processing displays characteristics of a return-oriented programming (ROP) attack. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
-
-
25. A method for hiding transition events during malware detection comprising:
-
processing an object within a virtual machine managed by a virtual machine monitor; managing, by the virtual machine monitor, insertion of a transition event at a location of an instruction located on a page in memory utilized by the virtual machine; managing, by the virtual machine monitor, permissions of the page in memory according to the insertion of a breakpoint or a removal of the breakpoint in the instruction; responsive to further processing within the virtual machine causing an attempt to read from or write to the page including the transition event, (i) halting at least a portion of the processing within the virtual machine, (ii) responsive to further processing within the virtual machine causing an attempt to read from or write to the page including the first transition event, (i) halting at least a portion of the processing within the virtual machine, (ii) performing an analysis of at least one last branch record (LBR) of a virtual central processing unit (CPU) of the virtual machine, and (iii) based on the analysis of the at least one LBR, determining whether the processing displays characteristics of a return-oriented programming (ROP) attack.
-
Specification