System and method for scanning memory for pestware

US 20060236389A1
Filed: 04/14/2005
Published: 10/19/2006
Est. Priority Date: 04/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for scanning executable memory of a protected computer for pestware comprising:

enumerating a process and at least one dependency related to the process, wherein the process and the at least one dependency are running in the executable memory;

identifying a reference point in the executable memory for the process and at least one other reference point in the executable memory for the at least one dependency; and

scanning at least one portion of memory that is located at an offset from the at least one other reference point in the executable memory so as to identify whether code indicative of a pestware process resides in the executable memory at the least one portion of memory.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing multiple related pestware processes on a protected computer are described. One embodiment is configured to identify a location of each of a plurality of files in at least one file storage device of the protected computer and store a list of the location of each of the plurality of files. The list of the plurality of files is then sorted so as to generate a sorted list. Each of the plurality of files is then sequentially accessed as listed in the sorted list so as to retrieve information from each of the plurality of files. Information from the plurality of files is then analyzed to determine whether any of the plurality of files are potential pestware files. In variations, the files in the file storage device are enumerated, and information from the files is accessed, by circumventing the operating system of the protected computer.

60 Citations

View as Search Results

21 Claims

1. A method for scanning executable memory of a protected computer for pestware comprising:
- enumerating a process and at least one dependency related to the process, wherein the process and the at least one dependency are running in the executable memory;
  
  identifying a reference point in the executable memory for the process and at least one other reference point in the executable memory for the at least one dependency; and
  
  scanning at least one portion of memory that is located at an offset from the at least one other reference point in the executable memory so as to identify whether code indicative of a pestware process resides in the executable memory at the least one portion of memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, including:
    - enumerating a base address for the process and at least one base address for the at least one dependency;
      
      obtaining an original entry point (OEP) for the process and at least one OEP for the at least one dependency; and
      
      identifying, utilizing the at least one OEP for the at least one dependency and the at least one base address for the at least one dependency, at least one start address for the at least one dependency, wherein the at least one start address is the at least one other reference point in the executable memory.
  - 3. The method of claim 2 wherein the obtaining the at least one OEP for the at least one dependency includes parsing at least one portable execution header (PE) so as to identify the OEP.
  - 4. The method of claim 1 wherein the enumerating includes enumerating blocks of the executable memory associated with the process and the at least one dependency.
  - 5. The method of claim 1 wherein the at least one dependency includes encrypted code, wherein the at least one portion of memory is outside of memory where the at least one dependency resides so as to scan for unencrypted code spawned from the encrypted code.
  - 6. The method of claim 1 including:
    - accessing a file stored in a hard drive of the protected computer that corresponds to the process so as to retrieve information about the file; and
      
      selecting, based upon the information about the file, the offset.
  - 7. The method of claim 1, wherein the reference point in the executable memory for the process is identified as an API implementation.

8. A system for managing pestware comprising:
- a pestware detection module configured to detect pestware on a protected computer, the protected computer including at least one file storage device and executable memory, wherein the pestware detection module is configured to;
  
  enumerate a process and at least one dependency related to the process, wherein the process and the at least one dependency are running in the executable memory;
  
  identify a reference point in the executable memory for the process and at least one other reference point in the executable memory for the at least one dependency; and
  
  scan at least one portion of memory that is located at an offset from the at least one other reference point in the executable memory so as to identify whether code indicative of a pestware process resides in the executable memory at the at least one portion of memory.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the pestware detection module is configured to:
    - enumerate a base address for the process and at least one base address for the at least one dependency;
      
      obtain an original entry point (OEP) for the process and at least one OEP for the at least one dependency; and
      
      identify, utilizing the at least one OEP for the at least one dependency and the at least one base address for the at least one dependency, at least one start address for the at least one dependency, wherein the at least one start address is the at least one other reference point in the executable memory.
  - 10. The system of claim 9 wherein pestware detection module is configured to obtain the at least one OEP for the at least one dependency by parsing at least one portable execution header (PE) so as to identify the OEP.
  - 11. The system of claim 8 wherein the pestware detection module is configured to enumerate blocks of the executable memory associated with the process and the at least one dependency.
  - 12. The system of claim 8 wherein the at least one dependency includes encrypted code, wherein the at least one portion of memory is outside of memory where the at least one dependency resides, and wherein the pestware detection module is configured to scan for unencrypted code spawned from the encrypted code.
  - 13. The system of claim 8 wherein the pestware detection module is configured to:
    - access a file stored in the file storage device of the protected computer that corresponds to the process so as to retrieve information about the file; and
      
      select, based upon the information about the file, the offset.
  - 14. The system of claim 8, wherein the reference point in the executable memory for the process is identified as an API implementation.

15. A computer readable medium encoded with instructions to scan for pestware on a protected computer, the instructions including:
- enumerating a process and at least one dependency related to the process, wherein the process and the at least one dependency are running in the executable memory;
  
  identifying a reference point in the executable memory for the process and at least one other reference point in the executable memory for the at least one dependency; and
  
  scanning at least one portion of memory that is located at an offset from the at least one other reference point in the executable memory so as to identify whether code indicative of a pestware process resides in the executable memory at the least one portion of memory.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer readable medium of claim 15, the instructions further including:
    - enumerating a base address for the process and at least one base address for the at least one dependency;
      
      obtaining an original entry point (OEP) for the process and at least one OEP for the at least one dependency; and
      
      identifying, utilizing the at least one OEP for the at least one dependency and the at least one base address for the at least one dependency, at least one start address for the at least one dependency, wherein the at least one start address is the at least one other reference point in the executable memory.
  - 17. The computer readable medium of claim 16 wherein the instructions for obtaining the at least one OEP for the at least one dependency include instructions for parsing at least one portable execution header (PE) so as to identify the OEP.
  - 18. The computer readable medium of claim 15 wherein the enumerating includes enumerating blocks of the executable memory associated with the process and the at least one dependency.
  - 19. The computer readable medium of claim 15 wherein the at least one dependency includes encrypted code, wherein the at least one portion of memory is outside of memory, and wherein the instructions include instructions for scanning for unencrypted code outside of memory where the at least one dependency resides.
  - 20. The computer readable medium of claim 15, the instructions including:
    - accessing a file stored in a hard drive of the protected computer that corresponds to the process so as to retrieve information about the file; and
      
      selecting, based upon the information about the file, the offset.
  - 21. The computer readable medium of claim 15, wherein the reference point in the executable memory for the process is identified as an API implementation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Horne, Jefferson Delk

Granted Patent

US 7,571,476 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/562 Static detection

G06F 21/57 Certifying or maintaining t...

System and method for scanning memory for pestware

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for scanning memory for pestware

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links