Analytical virtual machine
Abstract
An analytical virtual machine (AVM) analyzes computer code using a software processor including a register that stores behavior flags indicative of behaviors identified by virtually executing the code within the virtual machine. The AVM includes a sequencer that stores the sequence in which behavior flags are set in the behavior flags register. The AVM analyzes machine performance by emulating execution of the code being analyzed on a fully virtual machine and records the observed behavior. When emulation and analysis are complete, the AVM returns the behavior flags register and sequencer to the real machine and terminates.
20 Claims
1. A virtual machine system for computer code behavior analysis of a target program, the virtual machine system operating within a host real computer system having a software processor comprising:
a behavior record storing behavior flags representative of computer code behavior observed by virtually executing the computer code of the target program under analysis within the virtual machine system;
a sequencer that stores a sequence in which behavior flags are set and reset in the behavior record during virtual execution of the computer code of the target program under analysis; and
simulated memory automatically configured with a map of the virtual machine system comprising assigned areas for receiving predetermined types of data from the target program based on a file format of the target program; and
a simulated operating system representative of a host real computer system, the simulated operating system comprising one or more layered operating system shells that correspond with the memory map so that the virtual machine system is capable of executing DOS target programs, the computer code of the target program under analysis interacting with the simulated memory and the simulated operating system to generate the behavior flags, wherein the virtual machine system passes data representative of the behavior record to the host real computer system prior to termination of the virtual machine system. (Dependent claims: 11, 12, 13, 14, 15)
2. A virtual machine system for computer code behavior analysis of a target program, the virtual machine system having a software processor, comprising:
a register or structure that stores behavior flags representative of computer code behavior observed by virtually executing the computer code of the target program under analysis within the virtual machine system;
a register or structure that stores a sequence in which behavior flags are set and reset in the behavior flags register or structure during virtual execution of the computer code of the target program under analysis;
an entry point table that stores all entry points to the computer code of the target program under analysis within the virtual machine system;
a structure that stores interrupt vector addresses, pointing at interrupt service routines loaded into memory reserved by the virtual machine system when the virtual machine system is initialized;
a memory structure simulating input and output ports;
a memory structure simulating processor memory automatically configured with a map of the virtual machine system comprising assigned areas for receiving predetermined types of data from the target program based on a file format of the target program;
one or more layered operating system simulation shells that simulate values returned by a real operating system under which the computer code of the target program under analysis is intended to operate, the one or more layered operating system shells corresponding with the memory map so that the virtual machine system is capable of executing DOS target programs. (Dependent claims: 3, 4, 5, 6, 7, 8, 9, 10)
16. A computerized method for identifying malicious code in a target program running in a virtual machine of a computer system, the method comprising:
automatically configuring a memory map of the virtual machine by assigning areas of the memory map to receive predetermined types of data from the target program based on a file format in order to execute the target program;
constructing the virtual machine from one or more layered operating system shells that correspond with the memory map so that the virtual machine is capable of executing DOS target programs;
setting and resetting behavior flags in a register in order to track behavior of the target program in response to simulated values during execution of the target program by the virtual machine; and
storing a sequence in which the behavior flags are set and reset in the register by the target program during execution of the target program by the virtual machine. (Dependent claims: 17, 18, 19, 20)
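Worked example, added here as illustration and not the patent's own implementation: a toy analytical VM in Python with the structure the abstract and claims 1, 2 and 16 describe. It lays out simulated memory from the target's file format (a flat .COM image versus an MZ .EXE header), fills a simulated interrupt vector table whose entries point at stub service routines in reserved memory, routes software interrupts through a layered simulation shell that answers INT 21h with the values real DOS would return and sets or resets behavior flags, and keeps a sequencer of the order in which flags change, handing the record back to the host when the run ends. The flag names, the layout constants (ISR_SEG, LOAD_SEG), the handful of 8086 opcodes interpreted, the DOS 5.0 version reported and the sample .COM image are all constructed for this example; the INT 21h function numbers (30h, 3Dh, 40h, 3Eh, 4Ch) are the real DOS ones.

```python
from dataclasses import dataclass, field

# Behaviour flags kept in the behaviour record (names chosen for this example).
GET_VERSION, FILE_OPEN, FILE_WRITE, TERMINATED = "GET_VERSION", "FILE_OPEN", "FILE_WRITE", "TERMINATED"
ISR_SEG = 0xF000   # reserved segment holding one stub interrupt service routine per vector
LOAD_SEG = 0x1000  # segment of the program segment prefix (PSP) of the loaded target
HLT = 0xF4         # each stub ISR is a lone HLT, so an unsimulated interrupt ends the run

@dataclass
class AnalyticalVM:
    mem: bytearray = field(default_factory=lambda: bytearray(1 << 20))  # 1 MiB simulated memory
    regs: dict = field(default_factory=lambda: dict(ax=0, bx=0, cx=0, dx=0, cs=0, ip=0, ds=0))
    shells: list = field(default_factory=lambda: [dos_shell])  # layered OS simulation shells
    flags: set = field(default_factory=set)        # behaviour record
    sequence: list = field(default_factory=list)   # sequencer: (step, flag, "set" | "reset")
    entry_points: list = field(default_factory=list)  # entry point table
    handles: dict = field(default_factory=dict)    # simulated open-file handles
    steps: int = 0
    running: bool = False

    def configure_map(self, image: bytes) -> None:  # memory map chosen from the file format
        for vec in range(256):   # IVT at 0000:0000; each entry is (offset, segment) of a stub
            self.mem[ISR_SEG * 16 + vec] = HLT
            self.mem[vec * 4:vec * 4 + 4] = bytes([vec, 0, ISR_SEG & 0xFF, ISR_SEG >> 8])
        psp = LOAD_SEG * 16; self.mem[psp:psp + 2] = b"\xCD\x20"   # a PSP starts with INT 20h
        if image[:2] == b"MZ":                     # MZ .EXE: entry CS:IP comes from the header
            hdr_paras = int.from_bytes(image[8:10], "little")
            e_ip, e_cs = (int.from_bytes(image[i:i + 2], "little") for i in (20, 22))
            load_seg = LOAD_SEG + 0x10             # image follows the 256-byte PSP
            body = image[hdr_paras * 16:]; self.mem[load_seg * 16:load_seg * 16 + len(body)] = body
            cs, ip = (load_seg + e_cs) & 0xFFFF, e_ip   # relocation fix-ups omitted in this toy
        else:                                      # flat .COM: code at PSP:0100h, CS=DS=PSP
            self.mem[psp + 0x100:psp + 0x100 + len(image)] = image
            cs, ip = LOAD_SEG, 0x100
        self.regs.update(cs=cs, ip=ip, ds=LOAD_SEG); self.entry_points.append((cs, ip))

    def note(self, flag: str, on: bool = True) -> None:  # set/reset a flag, logging the transition
        if on != (flag in self.flags):
            (self.flags.add if on else self.flags.remove)(flag)
            self.sequence.append((self.steps, flag, "set" if on else "reset"))

    def read_asciiz(self, off: int) -> str:       # NUL-terminated string at DS:off
        start = self.regs["ds"] * 16 + off
        return self.mem[start:self.mem.index(0, start)].decode("ascii")

    def fetch(self) -> int:
        cs, ip = self.regs["cs"], self.regs["ip"]
        self.regs["ip"] = (ip + 1) & 0xFFFF
        return self.mem[cs * 16 + ip]

    def interrupt(self, vec: int) -> None:
        if any(shell(self, vec) for shell in self.shells):   # a shell simulated the call
            return
        e = vec * 4                                           # otherwise vector through the IVT
        self.regs["ip"] = self.mem[e] | (self.mem[e + 1] << 8)
        self.regs["cs"] = self.mem[e + 2] | (self.mem[e + 3] << 8)

    def run(self, image: bytes, max_steps: int = 10_000) -> dict:  # execute, then return record to host
        self.configure_map(image); self.running = True
        while self.running and self.steps < max_steps:
            self.steps += 1
            op = self.fetch()
            if op == 0xB4:   self.regs["ax"] = (self.regs["ax"] & 0x00FF) | (self.fetch() << 8)  # mov ah,imm8
            elif op == 0xB9: self.regs["cx"] = self.fetch() | (self.fetch() << 8)                # mov cx,imm16
            elif op == 0xBA: self.regs["dx"] = self.fetch() | (self.fetch() << 8)                # mov dx,imm16
            elif op == 0x93: self.regs["ax"], self.regs["bx"] = self.regs["bx"], self.regs["ax"]  # xchg ax,bx
            elif op == 0xCD: self.interrupt(self.fetch())                                        # int imm8
            elif op == HLT:  self.running = False
            else: raise ValueError(f"opcode {op:#04x} is outside this toy's instruction subset")
        return {"flags": sorted(self.flags), "sequence": list(self.sequence),
                "entry_points": list(self.entry_points), "steps": self.steps}

def dos_shell(vm: AnalyticalVM, vec: int) -> bool:  # simulated DOS layer for INT 21h
    if vec != 0x21: return False
    ah = vm.regs["ax"] >> 8
    if ah == 0x30:                                 # get DOS version: AL=major, AH=minor (5.0 assumed)
        vm.regs["ax"] = 0x0005; vm.note(GET_VERSION)
    elif ah == 0x3D:                               # open file named at DS:DX; handle returned in AX
        handle = 5 + len(vm.handles); vm.handles[handle] = vm.read_asciiz(vm.regs["dx"])
        vm.regs["ax"] = handle; vm.note(FILE_OPEN)
    elif ah == 0x40:                               # write CX bytes from DS:DX to handle BX
        vm.regs["ax"] = vm.regs["cx"]; vm.note(FILE_WRITE)
    elif ah == 0x3E:                               # close handle BX
        vm.handles.pop(vm.regs["bx"], None)
        if not vm.handles: vm.note(FILE_OPEN, on=False)
    elif ah == 0x4C:                               # terminate with return code AL
        vm.note(TERMINATED); vm.running = False
    else: return False                             # not simulated: fall through to the IVT stub
    return True

# Constructed sample target (not a real binary): query version, open, write 3 bytes, close, exit.
SAMPLE_COM = bytes([
    0xB4, 0x30, 0xCD, 0x21,                                      # mov ah,30h / int 21h
    0xB4, 0x3D, 0xBA, 0x1E, 0x01, 0xCD, 0x21, 0x93,              # open name at 11Eh; xchg ax,bx
    0xB4, 0x40, 0xB9, 0x03, 0x00, 0xBA, 0x1E, 0x01, 0xCD, 0x21,  # write 3 bytes from 11Eh
    0xB4, 0x3E, 0xCD, 0x21, 0xB4, 0x4C, 0xCD, 0x21,              # close; terminate
]) + b"C:\\CONFIG.SYS\x00"

def mz_wrap(body: bytes) -> bytes:  # minimal 32-byte MZ header: e_cparhdr=2, e_ip=e_cs=0, no relocations
    return b"MZ" + bytes(6) + (2).to_bytes(2, "little") + bytes(22) + body
```

Calling `AnalyticalVM().run(SAMPLE_COM)` and `AnalyticalVM().run(mz_wrap(SAMPLE_COM))` yields the same flag sequence (GET_VERSION set, FILE_OPEN set, FILE_WRITE set, FILE_OPEN reset, TERMINATED set) even though the entry point table records 1000h:0100h for the .COM and 1010h:0000h for the .EXE, which is what deriving the map from the file format buys. The sequencer is what lets an analyst tell open, write, close apart from the same three flags in another order. An interrupt the shell does not simulate (INT 10h, say) vectors into the HLT stub and ends the run with an empty record, a deliberate fail-closed choice for this toy; a real AVM needs the whole instruction set, MZ relocation fix-ups, simulated I/O ports, and an interrupt table that also catches programs that hook vectors by writing to 0000:0000.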