Method and system for detecting obfuscatory pestware in a computer memory
Abstract
A method and system for detecting obfuscatory pestware in a computer memory is described. One illustrative embodiment identifies, within an executable object, a reference to a known procedure, the known procedure having a fixed address in the computer memory; and searches for a predetermined check value at a known offset relative to an address, in the computer memory, of the reference to the known procedure.
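The scan the abstract describes, sketched as an added example (not code from the patent or its assignee). It assumes a flat 32-bit x86 memory image in which import table slots can be found by their content; the API address, check value, offset and sample image are all constructed for illustration.

```python
import struct

# Constructed values for illustration; none come from the patent.
API_ADDR = 0x7C801D7B                    # "fixed address" of the known API
CHECK_VALUE = bytes.fromhex("deadbeef")  # predetermined check value
CHECK_OFFSET = 0x10                      # known offset from the call site

def find_iat_slots(image, base, api_addr):
    """Addresses of 4-byte-aligned slots whose content is api_addr."""
    needle = struct.pack("<I", api_addr)
    return [base + i for i in range(0, len(image) - 3, 4)
            if image[i:i + 4] == needle]

def find_call_sites(image, base, slot_addr):
    """Addresses of `call dword ptr [slot_addr]` (opcode FF 15 + imm32)."""
    pattern = b"\xff\x15" + struct.pack("<I", slot_addr)
    sites, pos = [], image.find(pattern)
    while pos != -1:
        sites.append(base + pos)
        pos = image.find(pattern, pos + 1)
    return sites

def scan(image, base, api_addr=API_ADDR, check=CHECK_VALUE, offset=CHECK_OFFSET):
    """Call sites of the API that have the check value at the known offset."""
    hits = []
    for slot in find_iat_slots(image, base, api_addr):
        for site in find_call_sites(image, base, slot):
            start = site - base + offset
            if start >= 0 and image[start:start + len(check)] == check:
                hits.append(site)
    return hits

def build_sample(with_check):
    """Constructed 512-byte image: one IAT slot, one call, optional marker."""
    base = 0x00400000
    img = bytearray(0x200)
    struct.pack_into("<I", img, 0x100, API_ADDR)              # IAT slot
    img[0x20:0x26] = b"\xff\x15" + struct.pack("<I", base + 0x100)
    if with_check:
        img[0x30:0x34] = CHECK_VALUE
    return bytes(img), base

if __name__ == "__main__":
    for flag in (True, False):
        image, base = build_sample(flag)
        print(flag, [hex(a) for a in scan(image, base)])
```

A scanner working on real processes would locate the import address table through the PE headers instead of matching slot contents, which this sketch does only to stay self-contained.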
19 Claims
1. A method for scanning a computer memory for pestware, comprising:
- identifying, within an executable object in the computer memory, a reference to a known procedure, the known procedure having a fixed address in the computer memory; and
- searching for a predetermined check value at a known offset relative to an address, in the computer memory, of the reference to the known procedure.
5. A method for scanning a computer memory for pestware, comprising:
- examining an import address table (IAT) of an executable object in the computer memory to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the computer memory;
- locating the at least one subroutine within the executable object; and
- searching for a predetermined check value at a known offset relative to an address, in the computer memory, at which the at least one subroutine calls the API.
6. A system for detecting pestware, comprising:
- a pestware detection module to detect pestware on a computer, the pestware detection module being configured to:
- identify, within an executable object in a memory of the computer, a reference to a known procedure, the known procedure having a fixed address in the memory; and
- search for a predetermined check value at a known offset relative to an address, in the memory, of the reference to the known procedure.
10. A system for detecting pestware, comprising:
- a pestware detection module to detect pestware on a computer, the pestware detection module being configured to:
- examine an import address table (IAT) of an executable object in a memory of the computer to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the memory;
- locate the at least one subroutine within the executable object; and
- search for a predetermined check value at a known offset relative to an address, in the memory, at which the at least one subroutine calls the API.
11. A system for detecting pestware on a computer, comprising:
- means for identifying, within an executable object in a memory of the computer, a reference to a known procedure, the known procedure having a fixed address in the memory; and
- means for searching for a predetermined check value at a known offset relative to an address, in the memory, of the reference to the known procedure.
15. A computer-readable storage medium containing program instructions to scan for pestware on a computer, comprising:
- a first instruction segment that identifies, within an executable object in a memory of the computer, a reference to a known procedure, the known procedure having a fixed address in the memory; and
- a second instruction segment that searches for a predetermined check value at a known offset relative to an address, in the memory, of the reference to the known procedure.
19. A computer-readable storage medium containing program instructions to scan for pestware on a computer, comprising:
- a first instruction segment that examines an import address table (IAT) of an executable object in a memory of the computer to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the memory;
- a second instruction segment that locates the at least one subroutine within the executable object; and
- a third instruction segment that searches for a predetermined check value at a known offset relative to an address, in the memory, at which the at least one subroutine calls the API.
Specification