Detecting computer programs within packed computer files
Abstract
A technique for detecting Trojans and worms within packed computer files uses fingerprint data derived from the unpacked resource data associated with the packed computer files. The number of entries, the position within the resource data and size of the resource that is the largest resource specified, a timestamp value of compilation and a checksum value derived from the whole of the resource data may be included within a fingerprint value as characteristic of a particular set of resource data. A library of such fingerprint values may be generated for known Trojans and worms, or other programs it is wished to detect, and then a suspect file compared against this library of fingerprints.
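The fingerprint described in the abstract, worked through as an added example (this is not code from the patent): a walker for the PE resource directory tree that derives the entry count, the position and size of the largest resource, the root timestamp and a checksum from the raw `.rsrc` bytes, then compares the tuple against a small library. The byte layout follows the PE format; the two-level sample tree, the choice of CRC32 as the checksum, the depth guard, and every name and value below are assumptions made for the example.

```python
import struct
import zlib

# PE resource section (.rsrc) layout assumed here (constructed sample, not from the patent text):
#   IMAGE_RESOURCE_DIRECTORY       16 bytes: Characteristics, TimeDateStamp, MajorVer, MinorVer, NumNamed, NumId
#   IMAGE_RESOURCE_DIRECTORY_ENTRY  8 bytes: Name/Id, OffsetToData (bit 31 set => subdirectory)
#   IMAGE_RESOURCE_DATA_ENTRY      16 bytes: OffsetToData (RVA), Size, CodePage, Reserved
SUBDIR_FLAG = 0x80000000

def walk_resource_tree(rsrc, offset=0, depth=0):
    """Yield (position, size) for every leaf data entry; positions are relative to the start of .rsrc."""
    if depth > 3:  # type/name/language is the deepest legitimate tree; deeper means a crafted or corrupt file
        raise ValueError("resource directory tree too deep")
    _, _, _, _, n_named, n_id = struct.unpack_from("<IIHHHH", rsrc, offset)
    for i in range(n_named + n_id):
        _, target = struct.unpack_from("<II", rsrc, offset + 16 + 8 * i)
        if target & SUBDIR_FLAG:
            yield from walk_resource_tree(rsrc, target & ~SUBDIR_FLAG, depth + 1)
        else:
            _rva, size, _, _ = struct.unpack_from("<IIII", rsrc, target)
            yield target, size

def fingerprint(rsrc):
    """Characteristic tuple from the abstract: entry count, position and size of the largest
    resource, the root directory's timestamp, and a checksum over the whole resource data."""
    timestamp = struct.unpack_from("<I", rsrc, 4)[0]
    leaves = list(walk_resource_tree(rsrc))
    largest_pos, largest_size = max(leaves, key=lambda e: e[1], default=(0, 0))
    return (len(leaves), largest_pos, largest_size, timestamp, zlib.crc32(rsrc))

def build_sample_rsrc(timestamp, resources):
    """Constructed two-level tree (root -> type dir -> data entry) from (type_id, rva, size) triples;
    real files add name and language levels, which the recursive walker handles unchanged."""
    n = len(resources)
    type_base, data_base = 16 + 8 * n, 16 + 32 * n
    root = struct.pack("<IIHHHH", 0, timestamp, 4, 0, 0, n) + b"".join(
        struct.pack("<II", t, (type_base + 24 * i) | SUBDIR_FLAG) for i, (t, _, _) in enumerate(resources))
    dirs = b"".join(struct.pack("<IIHHHH", 0, timestamp, 4, 0, 0, 1) + struct.pack("<II", 1, data_base + 16 * i)
                    for i in range(n))
    data = b"".join(struct.pack("<IIII", rva, size, 0, 0) for _, rva, size in resources)
    return root + dirs + data

# Fingerprint library for programs to be detected (names and values are constructed for this example).
WORM_RSRC = build_sample_rsrc(0x3F2A1B00, [(3, 0x5000, 744), (16, 0x5300, 936)])  # RT_ICON, RT_VERSION
LIBRARY = {"SampleWorm.A (constructed)": fingerprint(WORM_RSRC)}

def scan(rsrc):
    """Library names whose fingerprint matches this resource data, whatever packer wrapped the code."""
    fp = fingerprint(rsrc)
    return [name for name, known in LIBRARY.items() if known == fp]
```

Because a packer rewrites the code sections but must leave `.rsrc` readable by the loader, `scan` sees the same bytes for the packed and unpacked build; a file whose resources differ by even one byte produces a different checksum and no match.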
96 Claims
1. A computer program product comprising a computer program operable to control a computer to detect a known computer program within a packed computer file, said packed computer file being unpacked upon execution, said computer program comprising:

resource data reading logic operable to read resource data within said packed computer file, said resource data specifying program resource items used by said known computer program and being readable by a computer operating system without dependence upon which unpacking algorithm is used by said packed computer file; and

resource data comparing logic operable to compare said resource data with characteristics of resource data of said known computer program to detect a match with said known computer program indicative of said packed computer file containing said known computer program.

Dependent claims: 2-16.

17. A computer program product comprising a computer program operable to control a computer to generate data for detecting a known computer program within a packed computer file, said packed computer file being unpacked upon execution, said computer program comprising:

resource data reading logic operable to read resource data within said packed computer file, said resource data specifying program resource items used by said known computer program and being readable by a computer operating system without dependence upon which unpacking algorithm is used by said packed computer file; and

characteristic data generating logic operable to generate characteristic data associated with said resource data for comparison with characteristics of resource data of said known computer program to detect a match with said known computer program indicative of said packed computer file containing said known computer program.

Dependent claims: 18-32.

33. A method of controlling a computer to detect a known computer program within a packed computer file, said packed computer file being unpacked upon execution, said method comprising the steps of:

reading resource data within said packed computer file, said resource data specifying program resource items used by said known computer program and being readable by a computer operating system without dependence upon which unpacking algorithm is used by said packed computer file; and

comparing said resource data with characteristics of resource data of said known computer program to detect a match with said known computer program indicative of said packed computer file containing said known computer program.

Dependent claims: 34-48.

49. A method of controlling a computer to generate data for detecting a known computer program within a packed computer file, said packed computer file being unpacked upon execution, said method comprising the steps of:

reading resource data within said packed computer file, said resource data specifying program resource items used by said known computer program and being readable by a computer operating system without dependence upon which unpacking algorithm is used by said packed computer file; and

generating characteristic data associated with said resource data for comparison with characteristics of resource data of said known computer program to detect a match with said known computer program indicative of said packed computer file containing said known computer program.

Dependent claims: 50-64.

65. Apparatus for detecting a known computer program within a packed computer file, said packed computer file being unpacked upon execution, said apparatus comprising:

a resource data reader operable to read resource data within said packed computer file, said resource data specifying program resource items used by said known computer program and being readable by a computer operating system without dependence upon which unpacking algorithm is used by said packed computer file; and

a resource data comparator operable to compare said resource data with characteristics of resource data of said known computer program to detect a match with said known computer program indicative of said packed computer file containing said known computer program.

Dependent claims: 66-80.

81. Apparatus for generating data for detecting a known computer program within a packed computer file, said packed computer file being unpacked upon execution, said apparatus comprising:

a resource data reader operable to read resource data within said packed computer file, said resource data specifying program resource items used by said known computer program and being readable by a computer operating system without dependence upon which unpacking algorithm is used by said packed computer file; and

a characteristic data generator operable to generate characteristic data associated with said resource data for comparison with characteristics of resource data of said known computer program to detect a match with said known computer program indicative of said packed computer file containing said known computer program.

Dependent claims: 82-96.