System and method for scanning memory for pestware offset signatures
First Claim
1. A method for scanning executable memory of a protected computer for pestware comprising:
identifying at least one reference point in the executable memory of the protected computer, wherein the at least one reference point is associated with a process running in the memory of the protected computer, wherein the process is potentially a particular type of pestware;
selecting, as a function of the particular type of pestware, a first offset and a second offset;
accessing the memory at the first offset from the at least one reference point so as to identify a first set of information in the executable memory that begins at the first offset from the at least one reference point;
accessing the memory at the second offset from the at least one reference point so as to identify a second set of information in the executable memory that begins at the second offset from the at least one reference point; and
wherein the first and second sets of information are separated in the executable memory by information not included in the first and second sets of information, and wherein the process is identifiable as the particular type of pestware when the first and second sets of information each include information associated with the particular type of pestware.
9 Assignments
0 Petitions
Abstract
Systems and methods for managing pestware processes on a protected computer are described. In one implementation, a reference point in the executable memory that is associated with a process running in the executable memory is located. First and second sets of information are then retrieved from corresponding first and second portions of the executable memory. The first and second portions are separated by a defined offset, and each of them is offset from the reference point. The process is identifiable as a particular type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes of that type of pestware. In some variations, the reference point is a starting address and/or an API implementation in the process.
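The abstract and the independent claims describe one matching rule: locate a per-process reference point, read bytes at two fixed offsets from it, and flag the process only when both reads match bytes previously seen at those offsets in known samples of the family, ignoring whatever lies between them. The following is an added example of that rule, not code from the patent or from any product; it assumes a flat byte buffer standing in for a process's executable memory, uses an API prologue as the reference point, and all byte constants, the family name "ExampleFamily" and the offsets 0x10 and 0x40 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class OffsetSignature:
    """One pestware family: byte sequences observed at fixed offsets from a
    reference point in every known sample of that family. The bytes lying
    between the parts are deliberately not part of the signature."""
    family: str
    parts: Tuple[Tuple[int, bytes], ...]  # (offset from reference point, expected bytes)


def read_at(memory: bytes, addr: int, length: int) -> Optional[bytes]:
    """Read `length` bytes at `addr`; None if the range lies outside the image
    (a real scanner sees the same failure when a page is unmapped)."""
    if addr < 0 or addr + length > len(memory):
        return None
    return memory[addr:addr + length]


def find_reference_point(memory: bytes, marker: bytes) -> Optional[int]:
    """Locate the reference point: here the address of a known API implementation,
    recognised by its prologue bytes. The abstract also allows the process start
    address; either way the point is found per process, never hard-coded."""
    idx = memory.find(marker)
    return None if idx < 0 else idx


def matches(memory: bytes, ref: int, sig: OffsetSignature) -> bool:
    """Every part must be present at its offset from `ref`; one part alone is not
    a detection (a benign binary may share a prologue or a single API call)."""
    return all(read_at(memory, ref + off, len(exp)) == exp for off, exp in sig.parts)


def classify(memory: bytes, ref: int, db: Sequence[OffsetSignature]) -> List[str]:
    """Names of every family in `db` whose offset signature matches at `ref`."""
    return [sig.family for sig in db if matches(memory, ref, sig)]


# --- Constructed sample data; nothing here is taken from a real sample. ---
API_PROLOGUE = bytes.fromhex("8bff558bec")   # mov edi,edi; push ebp; mov ebp,esp
PART_A = bytes.fromhex("e8000000005b")       # call $+5; pop ebx (GetPC idiom)
PART_B = bytes.fromhex("6a406800300000")     # push 0x40; push 0x3000 (VirtualAlloc arguments)

# Hypothetical family: PART_A sits 0x10 bytes past the API stub, PART_B 0x40 past it.
SIG_DB = [OffsetSignature("ExampleFamily", ((0x10, PART_A), (0x40, PART_B)))]


def build_image(filler: int, base: int = 0x80, with_part_b: bool = True) -> bytes:
    """Build a 0x200-byte stand-in for a process's executable memory. `filler`
    models the variant-specific bytes between the signature parts, `base` the
    address at which the module happened to be loaded."""
    img = bytearray([filler]) * 0x200
    img[base:base + len(API_PROLOGUE)] = API_PROLOGUE
    img[base + 0x10:base + 0x10 + len(PART_A)] = PART_A
    if with_part_b:
        img[base + 0x40:base + 0x40 + len(PART_B)] = PART_B
    return bytes(img)


def scan(memory: bytes, db: Sequence[OffsetSignature] = SIG_DB) -> List[str]:
    """Full pipeline: find the reference point, then test each signature against it."""
    ref = find_reference_point(memory, API_PROLOGUE)
    if ref is None:
        return []
    return classify(memory, ref, db)


if __name__ == "__main__":
    print(scan(build_image(0x90)))                     # ['ExampleFamily']
    print(scan(build_image(0xCC, base=0x120)))         # ['ExampleFamily']: new filler, relocated
    print(scan(build_image(0x90, with_part_b=False)))  # []: one part alone is not enough
    print(scan(bytes(0x200)))                          # []: no reference point found
```

Two properties of the claimed method show up in the sample runs: because the reference point is located in each process rather than assumed, the same signature still fires when the module is loaded at a different base, and because the bytes between the two parts are never compared, a variant that only changes the intervening code is still caught. The flip side is the caveat a practitioner should keep in mind: the two parts, and their separation, are what the family is identified by, so a sample that moves one part by a single byte falls outside the signature, and a benign program that shares only one part is correctly left alone.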
63 Citations
19 Claims
1. A method for scanning executable memory of a protected computer for pestware (set out in full above under First Claim). - View Dependent Claims (2, 3, 4)
5. A method for scanning executable memory of a protected system for pestware comprising:
locating a reference point in the executable memory that is associated with a process running in the executable memory;
retrieving a first set of information from a first portion of the executable memory and a second set of information from a second portion of the executable memory, wherein the first and second portions of the executable memory are separated by a defined offset, and wherein each of the first and second portions of the executable memory are offset from the reference point; and
identifying the process as a particular type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are of the particular type of pestware. - View Dependent Claims (6, 7, 8, 9)
10. A system for managing pestware comprising:
a pestware removal module configured to remove pestware on a protected computer, the protected computer including at least one file storage device and an executable memory; and
a pestware detection module configured to:
locate a reference point in the executable memory that is associated with a process running in the executable memory;
retrieve a first set of information from a first portion of the executable memory and a second set of information from a second portion of the executable memory, wherein the first and second portions of the executable memory are separated by a defined offset, and wherein each of the first and second portions of the executable memory are offset from the reference point; and
identify the process as a particular type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are of the particular type of pestware. - View Dependent Claims (11, 12, 13, 14)
15. A computer readable medium encoded with instructions for scanning executable memory on a protected computer for pestware, the instructions including instructions for:
locating a reference point in the executable memory that is associated with a process running in the executable memory;
retrieving a first set of information from a first portion of the executable memory and a second set of information from a second portion of the executable memory, wherein the first and second portions of the executable memory are separated by a defined offset, and wherein each of the first and second portions of the executable memory are offset from the reference point; and
identifying the process as a particular type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are of the particular type of pestware. - View Dependent Claims (16, 17, 18, 19)
Specification