SYSTEM AND METHOD FOR LOADING AND ANALYZING FILES

US 20080028462A1
Filed: 07/26/2006
Published: 01/31/2008
Est. Priority Date: 07/26/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for analyzing executable files on a computer comprising:

initiating, with an operating system of the computer, execution of a loader-process;

limiting rights of the loader-process so as to restrict the loader-process from particular calls to the operating system;

loading, using the loader-process, code of a first executable file into an address space of the loader-process;

analyzing the code of the first executable file to assess whether the first executable file is a pestware file;

clearing, while maintaining the loader-process in memory, memory utilized by the first executable file;

loading, using the loader process, code of a second executable file into an executable-memory of the computer; and

analyzing the code of the second executable file to assess whether the second executable file is a pestware file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for analyzing files on a computer is described. In one embodiment the system includes a loader module configured to sequentially receive code from a plurality of files stored on a computer-readable medium and initiate execution of the code in a process space of the loader module. In addition, the loader module is configured to stop execution of the code in response to the code attempting to carry out particular instructions while executing. The system also includes a detection module configured to analyze the code from each of the plurality of files after the code is loaded by the loader module.

65 Citations

View as Search Results

20 Claims

1. A method for analyzing executable files on a computer comprising:
- initiating, with an operating system of the computer, execution of a loader-process;
  
  limiting rights of the loader-process so as to restrict the loader-process from particular calls to the operating system;
  
  loading, using the loader-process, code of a first executable file into an address space of the loader-process;
  
  analyzing the code of the first executable file to assess whether the first executable file is a pestware file;
  
  clearing, while maintaining the loader-process in memory, memory utilized by the first executable file;
  
  loading, using the loader process, code of a second executable file into an executable-memory of the computer; and
  
  analyzing the code of the second executable file to assess whether the second executable file is a pestware file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 13)
- - 2. The method of claim 1, including:
    - enumerating dynamic link libraries (DLLS) that have been loaded by the operating system for the loader-process; and
      
      altering an export address table of at least one of the dynamic link libraries (DLLS) so that the export address table no longer points to a system function.
  - 3. The method of claim 2, wherein the altering includes altering the export address table so the export address table points to code that stops execution of the first executable file.
  - 4. The method of claim 1, includingaltering selected functions so the first executable file is unable to access code of the selected functions.
  - 5. The method of claim 4, wherein the functions are selected from the group consisting of CreateFile, CreateProcess and OpenRegistry.
  - 6. The method of claim 4, wherein the altering includes placing a jump instruction in the functions that points to code of the loader-process so as to prevent the second executable file from accessing the functions.
  - 7. The method of claim 1, includingimplementing a detour function that enables the loader-process to make an API call to load the first executable file.
  - 8. The method of claim 1, wherein the analyzing includes analyzing portions of the code at offsets from a reference point.
  - 9. The method of claim 1, wherein loading code of the second executable file includes:
    - loading an unpacker designed to unpack packed code; and
      
      unpacking the packed code with the unpacker so as to generate unpacked code, the code of the second executable file including the unpacked code.
  - 10. The method of claim 1 including:
    - generating a detour function, the detour function pointing to an API call of the operating system;
      
      wherein loading includes utilizing the detour function to load the first and second executable files.
  - 13. The system of claim 1, wherein the loader module is configured to analyze a header of each of the plurality of files so as to map the code from the plurality of files into a memory.

11. A system for analyzing executable files on a computer comprising:
- a loader module configured to sequentially receive code from a plurality of files stored on a computer-readable medium and initiate execution of the code in a process space of the loader module, and wherein the loader module is configured to stop execution of the code in response to the code attempting to carry out particular instructions while executing; and
  
  a detection module configured to analyze the code from each of the plurality of files after the code is loaded by the loader module.
- View Dependent Claims (12, 14, 15, 16)
- - 12. The system of claim 11, wherein the loader module is configured initiate the execution of code by loading an unpacker, wherein the unpacker is configured to unpack packed code to generate executable code.
  - 14. The system of claim 11, wherein the loader module is configured to fill in an import address table of each of the plurality of files.
  - 15. The system of claim 11, wherein at least one of an export address table of a dynamic link library (DLL) associated with the loader module and an exported function associated with the DLL are patched so as to direct any calls from the code back to the loader module.
  - 16. The system of claim 15, wherein the loader module is configured to assess a memory allocation call from the code, and if the call is safe, direct the call to the operating system.

17. A processor-readable medium including instructions for analyzing executable files on a computer, the instructions including instructions for:
- initiating, with an operating system of the computer, execution of a loader-process;
  
  loading, using the loader-process, code of first executable file into an address space of the loader-process;
  
  analyzing the code of the first executable file to assess whether the first executable file is a pestware file;
  
  clearing, while maintaining the loader-process in memory, memory utilized by the first executable file;
  
  loading, using the loader process, code of a second executable file into an executable-memory of the computer; and
  
  analyzing the code of the second executable file to assess whether the second executable file is a pestware file.
- View Dependent Claims (18, 19, 20)
- - 18. The processor-readable medium of claim 17, including instructions for:
    - enumerating dynamic link libraries (DLLS) that have been loaded by the operating system for the loader-process; and
      
      altering an export address table of at least one of the dynamic link libraries (DLLS) so that the export address table no longer points to a system function.
  - 19. The processor-readable medium of claim 18, wherein the instructions for altering include instructions for altering the export address table so the export address table points to code that stops execution of the first executable file.
  - 20. The processor-readable medium claim 17 including instructions for altering selected functions so the first executable file is unable to access code of the selected functions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Webroot Software Incorporated (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Burtscher, Michael

Application Number

US11/460,074
Publication Number

US 20080028462A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/564 by virus signature recognition

SYSTEM AND METHOD FOR LOADING AND ANALYZING FILES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

65 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR LOADING AND ANALYZING FILES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links