METHOD, COMPUTER PROGRAM AND COMPUTER FOR ANALYSING AN EXECUTABLE COMPUTER FILE

US 20080040710A1
Filed: 03/30/2007
Published: 02/14/2008
Est. Priority Date: 04/05/2006
Status: Active Grant

First Claim

Patent Images

1. A method of unpacking/decrypting an executable computer file using a host computer, the method comprising:

partitioning the executable computer file into plural basic blocks of code;

translating at least some of the basic blocks of code into translated basic blocks of code that can be executed by the host computer;

linking at least some of the translated basic blocks of code in memory of the host computer; and

,executing at least some of the translated basic blocks of code on the host computer so as to enable the executable computer file to be unpacked or decrypted, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, an executable computer file is partitioned into basic blocks of code. At least some basic blocks are translated into translated basic blocks. At least some translated basic blocks are linked in memory of a computer. At least some translated basic blocks on the computer are executed so as to enable the file to be unpacked or decrypted. In this way, the file can be analyzed to determine whether the file is or should be classed as malware. In another aspect, at least a read page of cache memory is created for at least some basic blocks and at least a write page of cache memory is created for at least some basic blocks. During the execution of a basic block, at least one of the read page and the write page is checked for a cached real address corresponding to the virtual address that is being accessed for said basic block.

Citations

47 Claims

1. A method of unpacking/decrypting an executable computer file using a host computer, the method comprising:
- partitioning the executable computer file into plural basic blocks of code;
  
  translating at least some of the basic blocks of code into translated basic blocks of code that can be executed by the host computer;
  
  linking at least some of the translated basic blocks of code in memory of the host computer; and
  
  ,executing at least some of the translated basic blocks of code on the host computer so as to enable the executable computer file to be unpacked or decrypted, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 35)
- - 2. A method according to claim 1, comprising, when a basic block of code is newly translated during the translating step, checking whether an already translated basic block of code has a jump instruction to the newly translated basic block of code and, if so, linking the newly translated basic block of code and the already translated basic block of code in memory.
  - 3. A method according to claim 1, wherein a first translated basic block is linked to a second translated basic block by updating a branch instruction of the first translated basic block to point to the second translated basic block, or by inserting an unconditional branch instruction into the first translated basic block to jump to the second translated basic block, or by removing any existing branch instructions from the first translated basic block and physically moving the second translated basic block to the memory address that follows the first translated basic block.
  - 4. A method according to claim 1, wherein the linking of the translated basic blocks of code is carried out dynamically as the blocks are translated.
  - 5. A method according to claim 1, comprising passing flow of the method to a virtual machine in the case of one or more of (i) a cache miss and (ii) a CPU exception arising during execution of said at least some of the translated basic blocks.
  - 6. A method according to claim 1, comprising emulating the executable file by executing the basic blocks of code, wherein the basic blocks of code that are translated are only those that execute more than a predetermined number of times during the emulation.
  - 7. A method according to claim 6, wherein the value for said predetermined number of times is dynamically variable during the emulation.
  - 8. A method according to claim 6, wherein the emulation is carried out in virtual memory on the host computer.
  - 9. A method according to claim 1, comprising creating at least a read page of cache memory for at least some of the basic blocks, the read page of cache memory storing a read cached real address corresponding to a read cached virtual memory address for the respective basic block, and creating at least a write page of cache memory for at least some of the basic blocks, the write page of cache memory storing a write cached real address corresponding to a write cached virtual memory address for the respective basic block, and comprising emulating the executable file by executing the basic blocks of code, and, during the execution of a basic block, checking at least one of the read page and the write page of cache memory for a cached real address corresponding to the virtual address that is being accessed for said basic block.
  - 10. A method according to claim 9, comprising creating at least a stack page of cache memory for at least some of the basic blocks, the stack page of cache memory storing a stack cached real address corresponding to a stack cached virtual memory address for the respective basic block, and comprising, during the execution of a basic block, checking the stack page of cache memory for a cached real address corresponding to the virtual address that is being accessed for said basic block.
  - 11. A method according to claim 1, wherein the partitioning is carried out dynamically.
  - 12. A method according to claim 1, wherein the executable file is a Portable Executable File.
  - 35. A computer programmed to carry out a method according to claim 1.

13. A method of unpacking/decrypting an executable computer file, the method comprising:
- partitioning the executable computer file into plural basic blocks of code;
  
  creating at least a read page of cache memory for at least some of the basic blocks, the read page of cache memory storing a read cached real address corresponding to a read cached virtual memory address for the respective basic block, and creating at least a write page of cache memory for at least some of the basic blocks, the write page of cache memory storing a write cached real address corresponding to a write cached virtual memory address for the respective basic block; and
  
  ,emulating the executable file by executing at least some of the basic blocks of code so as to enable the executable computer file to be unpacked or decrypted, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware;
  
  wherein during the execution of a basic block, at least one of the read page and the write page of cache memory is checked for a cached real address corresponding to the virtual address that is being accessed for said basic block.
- View Dependent Claims (14, 15, 16, 17, 36)
- - 14. A method:
    - according to claim 13, comprising creating at least a stack page of cache memory for at least some of the basic blocks, the stack page of cache memory storing a stack cached real address corresponding to a stack cached virtual memory address for the respective basic block, and comprising, during the execution of a basic block, checking the stack page of cache memory for a cached real address corresponding to the virtual address that is being accessed for said basic block.
  - 15. A method according to claim 13, wherein the emulation is carried out in virtual memory on the host computer.
  - 16. A method according to claim 13, wherein the partitioning is carried oat dynamically.
  - 17. A method according to claim 13, wherein the executable computer file is a Portable Executable file.
  - 36. A computer programmed to carry out a method according to claim 13.

18. A computer program for unpacking/decrypting an executable computer file using a host computer, the computer program comprising program instructions for causing a said host computer to carry out a method of:
- partitioning the executable computer file into plural basic blocks of code;
  
  translating at least some of the basic blocks of code into translated basic blocks of code that can be executed by the host computer;
  
  linking at least some of the translated basic blocks of code in memory of the host computer; and
  
  ,executing at least some of the translated basic blocks of code on the host computer so as to enable the executable computer file to be unpacked or decrypted, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. A computer program according to claim 18, wherein the computer program is arranged so that the method comprises, when a basic block of code is newly translated during the translating step, checking whether an already translated basic block of code has a jump instruction to the newly translated basic block of code and, if so, linking the newly translated basic block of code and the already translated basic block of code in memory.
  - 20. A computer program according to claim 18, wherein the computer program is arranged so that a first translated basic block is linked to a second translated basic block by updating a branch instruction of the first translated basic block to point to the second translated basic block, or by inserting an unconditional branch instruction into the first translated basic block to jump to the second translated basic block, or by removing any existing branch instructions from the first translated basic block and physically moving the second translated basic block to the memory address that follows the first translated basic block.
  - 21. A computer program according to claim 18, wherein the computer program is arranged so that the linking of the translated basic blocks of code is carried out dynamically as the blocks are translated.
  - 22. A computer program according to claim 18, wherein the computer program is arranged so that flow of the method passes to a virtual machine in the case of one or more of (i) a cache miss and (ii) a CPU exception arising during execution of said at least some of the translated basic blocks.
  - 23. A computer program according to claim 18, wherein the computer program is arranged so that the method comprises emulating the executable file by executing the basic blocks of code, wherein the basic blocks of code that are translated are only those that execute more than a predetermined number of times during the emulation.
  - 24. A computer program according to claim 23, wherein the computer program is arranged so that the value for said predetermined number of times is dynamically variable during the emulation.
  - 25. A computer program according to claim 23, wherein the computer program is arranged such that the emulation is carried out in virtual memory on the host computer.
  - 26. A computer program according to claim 18, wherein the computer program is arranged so that the method comprises creating at least a read page of cache memory for at least some of the basic blocks, the read page of cache memory storing a read cached real address corresponding to a read cached virtual memory address for the respective basic block, and creating at least a write page of cache memory for at least some of the basic blocks, the write page of cache memory storing a write cached real address corresponding to a write cached virtual memory address for the respective basic block, and comprises emulating the executable file by executing the basic blocks of code, and, during the execution of a basic block, checking at least one of the read page and the write page of cache memory for a cached real address corresponding to the virtual address that is being accessed for said basic block.
  - 27. A computer program according to claim 26, wherein the computer program is arranged so that the method comprises creating at least a stack page of cache memory for at least some of the basic blocks, the stack page of cache memory storing a stack cached real address corresponding to a stack cached virtual memory address for the respective basic block, and comprises, during the execution of a basic block, checking the stack page of cache memory for a cached real address corresponding to the virtual address that is being accessed for said basic block.
  - 28. A computer program according to claim 18, wherein the computer program is arranged so that the partitioning is carried out dynamically.
  - 29. A computer program according to claim 18, wherein the computer program is arranged so that the executable computer file is a Portable Executable File.

30. A computer program for unpacking/decrypting an executable computer file, the computer program comprising program instructions for causing a said host computer to carry out a method of:
- partitioning the executable computer file into plural basic blocks of code;
  
  creating at least a read page of cache memory for at least some of the basic blocks, the read page of cache memory storing a read cached real address corresponding to a read cached virtual memory address for the respective basic block, and creating at least a write page of cache memory for at least some of the basic blocks, the write page of cache memory storing a write cached real address corresponding to a write cached virtual memory address for the respective basic block; and
  
  ,emulating the executable file by executing at least some of the basic blocks of code so as to enable the executable computer file to be unpacked or decrypted, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware;
  
  wherein during the execution of a basic block, at least one of the read page and the write page of cache memory is checked for a cached real address corresponding to the virtual address that is being accessed for said basic block.
- View Dependent Claims (31, 32, 33, 34)
- - 31. A computer program according to claim 30, wherein the computer program is arranged so that the method comprises creating at least a stack page of cache memory for at least some of the basic blocks, the stack page of cache memory storing a stack cached real address corresponding to a stack cached virtual memory address for the respective basic block, and comprises, during the execution of a basic block, checking the stack page of cache memory for a cached real address corresponding to the virtual address that is being accessed for said basic block.
  - 32. A computer program according to claim 30, wherein the computer program is arranged so that the emulation is carried out in virtual memory on the host computer.
  - 33. A computer program according to claim 30, wherein the computer program is arranged so that the partitioning is carried out dynamically.
  - 34. A computer program according to claim 30, wherein the computer program is arranged, so that the executable computer file is a Portable Executable file.

37. A method of analysing an executable computer file using a host computer, the method comprising:
- partitioning the executable computer file into plural basic blocks of code;
  
  creating at least a read page of cache memory for at least some of the basic blocks, the read page of cache memory storing a read cached real address corresponding to a read cached virtual memory address for the respective basic block, and creating at least a write page of cache memory for at least some of the basic blocks, the write page of cache memory storing a write cached real address corresponding to a write cached virtual memory address for the respective basic block;
  
  emulating the executable file by executing the basic blocks of code, wherein, during the execution of a basic block, at least one of the read page and the write page of cache memory is checked for a cached real address corresponding to the virtual address that is being accessed for said basic block;
  
  translating those basic blocks of code that execute more than a predetermined number of times during the emulation into translated basic blocks of code that can be executed by the host computer;
  
  linking at least some of the translated basic blocks of code in memory of the host computer; and
  
  ,executing at least some of the translated basic blocks of code on the host computer so as to enable the executable computer file to be unpacked or decrypted, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 38. A method according to claim 37, comprising, when a basic block of code is newly translated during the translating step, checking whether an already translated basic block of code has a jump instruction to the newly translated basic block of code and, if so, linking the newly translated basic block of code and the already translated basic block of code in memory.
  - 39. A method according to claim 37, wherein a first translated basic block is linked to a second translated basic block by updating a branch instruction of the first translated basic block to point to the second translated basic block, or by inserting an unconditional branch instruction into the first translated basic block to jump to the second translated basic block, or by removing any existing branch instructions from the first translated basic block and physically moving the second translated basic block to the memory address that, follows the first translated basic block.
  - 40. A method according to claim 37, wherein the linking of the translated basic blocks of code is carried out dynamically as the blocks are translated.
  - 41. A method according to claim 37, comprising passing flow of the method to a virtual machine in the case of one or more of (i) a cache miss and (ii) a CPU exception arising during execution of said at least some of the translated basic blocks.
  - 42. A method according to claim 37, comprising creating at least a stack page of cache memory for at least some of the basic blocks, the stack page of cache memory storing a stack cached real address corresponding to a stack cached virtual memory address for the respective basic block, and comprising, during the execution of a basic block, checking the stack page of cache memory for a cached real address corresponding to the virtual address that is being accessed for said basic block.
  - 43. A method according to claim 37, wherein the value for said predetermined number of times is dynamically variable during the emulation.
  - 44. A method according to claim 37, wherein the emulation is carried out in virtual memory on the host computer.
  - 45. A method according to claim 37, wherein the partitioning is carried out dynamically.
  - 46. A method according to claim 37, wherein the executable computer file is a Portable Executable file.
  - 47. A computer programmed to carry out a method according to claim 37.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Prevx Ltd (Open Text Corporation)
Inventors
CHIRIAC, MIHAI

Granted Patent

US 8,479,174 B2
Time in Patent Office

Days
Field of Search
US Class Current

717/136
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

METHOD, COMPUTER PROGRAM AND COMPUTER FOR ANALYSING AN EXECUTABLE COMPUTER FILE

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD, COMPUTER PROGRAM AND COMPUTER FOR ANALYSING AN EXECUTABLE COMPUTER FILE

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links