METHOD, COMPUTER PROGRAM AND COMPUTER FOR ANALYSING AN EXECUTABLE COMPUTER FILE
Abstract
In one aspect, an executable computer file is partitioned into basic blocks of code. At least some basic blocks are translated into translated basic blocks. At least some translated basic blocks are linked in memory of a computer. At least some translated basic blocks on the computer are executed so as to enable the file to be unpacked or decrypted. In this way, the file can be analyzed to determine whether the file is or should be classed as malware. In another aspect, at least a read page of cache memory is created for at least some basic blocks and at least a write page of cache memory is created for at least some basic blocks. During the execution of a basic block, at least one of the read page and the write page is checked for a cached real address corresponding to the virtual address that is being accessed for said basic block.
47 Claims
1. A method of unpacking/decrypting an executable computer file using a host computer, the method comprising:
partitioning the executable computer file into plural basic blocks of code;
translating at least some of the basic blocks of code into translated basic blocks of code that can be executed by the host computer;
linking at least some of the translated basic blocks of code in memory of the host computer; and
executing at least some of the translated basic blocks of code on the host computer so as to enable the executable computer file to be unpacked or decrypted, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 35

13. A method of unpacking/decrypting an executable computer file, the method comprising:
partitioning the executable computer file into plural basic blocks of code;
creating at least a read page of cache memory for at least some of the basic blocks, the read page of cache memory storing a read cached real address corresponding to a read cached virtual memory address for the respective basic block, and creating at least a write page of cache memory for at least some of the basic blocks, the write page of cache memory storing a write cached real address corresponding to a write cached virtual memory address for the respective basic block; and
emulating the executable file by executing at least some of the basic blocks of code so as to enable the executable computer file to be unpacked or decrypted, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware;
wherein during the execution of a basic block, at least one of the read page and the write page of cache memory is checked for a cached real address corresponding to the virtual address that is being accessed for said basic block.
Dependent claims: 14, 15, 16, 17, 36

18. A computer program for unpacking/decrypting an executable computer file using a host computer, the computer program comprising program instructions for causing a said host computer to carry out a method of:
partitioning the executable computer file into plural basic blocks of code;
translating at least some of the basic blocks of code into translated basic blocks of code that can be executed by the host computer;
linking at least some of the translated basic blocks of code in memory of the host computer; and
executing at least some of the translated basic blocks of code on the host computer so as to enable the executable computer file to be unpacked or decrypted, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29

30. A computer program for unpacking/decrypting an executable computer file, the computer program comprising program instructions for causing a said host computer to carry out a method of:
partitioning the executable computer file into plural basic blocks of code;
creating at least a read page of cache memory for at least some of the basic blocks, the read page of cache memory storing a read cached real address corresponding to a read cached virtual memory address for the respective basic block, and creating at least a write page of cache memory for at least some of the basic blocks, the write page of cache memory storing a write cached real address corresponding to a write cached virtual memory address for the respective basic block; and
emulating the executable file by executing at least some of the basic blocks of code so as to enable the executable computer file to be unpacked or decrypted, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware;
wherein during the execution of a basic block, at least one of the read page and the write page of cache memory is checked for a cached real address corresponding to the virtual address that is being accessed for said basic block.
Dependent claims: 31, 32, 33, 34

37. A method of analysing an executable computer file using a host computer, the method comprising:
partitioning the executable computer file into plural basic blocks of code;
creating at least a read page of cache memory for at least some of the basic blocks, the read page of cache memory storing a read cached real address corresponding to a read cached virtual memory address for the respective basic block, and creating at least a write page of cache memory for at least some of the basic blocks, the write page of cache memory storing a write cached real address corresponding to a write cached virtual memory address for the respective basic block;
emulating the executable file by executing the basic blocks of code, wherein, during the execution of a basic block, at least one of the read page and the write page of cache memory is checked for a cached real address corresponding to the virtual address that is being accessed for said basic block;
translating those basic blocks of code that execute more than a predetermined number of times during the emulation into translated basic blocks of code that can be executed by the host computer;
linking at least some of the translated basic blocks of code in memory of the host computer; and
executing at least some of the translated basic blocks of code on the host computer so as to enable the executable computer file to be unpacked or decrypted, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware.
Dependent claims: 38, 39, 40, 41, 42, 43, 44, 45, 46, 47
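The pipeline that the abstract and claims 1, 13 and 37 describe, as an added worked example that is not part of the patent or of any product built on it: a toy register machine is partitioned into basic blocks, emulated with a per-block read page and write page caching the virtual-to-real address mapping, and once a block has run more than a predetermined number of times (`hot`) it is translated into host-executable code (a generated Python function standing in for native code) and linked directly to translated successors. The toy ISA, the 16-byte `PAGE`, the `PAGE_TABLE`, the XOR-decrypting stub `PROGRAM` and the threshold of 3 are all constructed assumptions for the demonstration; nothing is taken from a real packer.

```python
from dataclasses import dataclass, field
PAGE = 16  # constructed: 16-byte virtual pages so the payload spans two pages

@dataclass
class Machine:
    real: bytearray          # host ("real") memory backing the emulated address space
    page_table: dict         # virtual page number -> real page base (the slow path)
    regs: list = field(default_factory=lambda: [0] * 4)
    walks: int = 0           # page-table walks, i.e. cache-page misses
    linked: int = 0          # dispatches that followed a direct link between blocks

@dataclass
class Block:
    start: int
    insns: list
    runs: int = 0
    read_cache: dict = field(default_factory=dict)   # read page: vpage -> real page base
    write_cache: dict = field(default_factory=dict)  # write page: vpage -> real page base
    translated: object = None                        # host-executable form once hot
    links: dict = field(default_factory=dict)        # successor pc -> translated Block

def resolve(m, cache, vaddr):
    """Check the block's cache page for a real address; on a miss walk the page table."""
    vpage = vaddr // PAGE
    if vpage not in cache:
        m.walks += 1
        cache[vpage] = m.page_table[vpage]
    return cache[vpage] + vaddr % PAGE

def partition(program):
    """Block leaders: entry point, every branch target, every instruction after a branch."""
    leaders = {0}
    for pc, insn in enumerate(program):
        if insn[0] == "JLT":
            leaders.update((insn[3], pc + 1))
    starts = sorted(l for l in leaders if l < len(program))
    return {s: Block(s, program[s:e]) for s, e in zip(starts, starts[1:] + [len(program)])}

def exec_insn(m, blk, pc, insn):
    """Emulate one toy-ISA instruction; returns the next pc, or None on HALT."""
    op, a, r = insn[0], insn[1:], m.regs
    if op == "MOVI":     r[a[0]] = a[1]
    elif op == "ADDI":   r[a[0]] += a[1]
    elif op == "XORI":   r[a[0]] ^= a[1]
    elif op == "LOADR":  r[a[0]] = m.real[resolve(m, blk.read_cache, r[a[1]])]
    elif op == "STORER": m.real[resolve(m, blk.write_cache, r[a[1]])] = r[a[0]]
    elif op == "JLT":    return a[2] if r[a[0]] < r[a[1]] else pc + 1
    elif op == "HALT":   return None
    return pc + 1

def interpret(m, blk):
    pc, i = blk.start, 0
    while pc is not None and i < len(blk.insns):
        pc, i = exec_insn(m, blk, pc, blk.insns[i]), i + 1
    return pc

def translate(blk):
    """Translate a hot block into host code: one generated Python function per block; operands must be decoded ints so no file bytes reach exec()."""
    src = ["def tb(m, blk):", "    r = m.regs"]
    for pc, insn in enumerate(blk.insns, blk.start):
        op, a = insn[0], insn[1:]
        assert all(isinstance(x, int) for x in a), "operands must be decoded integers"
        if op == "MOVI":     src.append(f"    r[{a[0]}] = {a[1]}")
        elif op == "ADDI":   src.append(f"    r[{a[0]}] += {a[1]}")
        elif op == "XORI":   src.append(f"    r[{a[0]}] ^= {a[1]}")
        elif op == "LOADR":  src.append(f"    r[{a[0]}] = m.real[resolve(m, blk.read_cache, r[{a[1]}])]")
        elif op == "STORER": src.append(f"    m.real[resolve(m, blk.write_cache, r[{a[1]}])] = r[{a[0]}]")
        elif op == "JLT":    src.append(f"    return {a[2]} if r[{a[0]}] < r[{a[1]}] else {pc + 1}")
        elif op == "HALT":   src.append("    return None")
    src.append(f"    return {blk.start + len(blk.insns)}")  # fall-through successor
    ns = {"resolve": resolve}
    exec("\n".join(src), ns)
    return ns["tb"]

def run(program, real, page_table, hot=3):
    """Emulate; translate a block once it has run more than `hot` times; link translated blocks to translated successors."""
    m, blocks, pc, prev = Machine(real, page_table), partition(program), 0, None
    while pc is not None:
        if prev is not None and pc in prev.links:     # fast path: follow a direct link
            blk, m.linked = prev.links[pc], m.linked + 1
        else:
            blk = blocks[pc]
        blk.runs += 1
        if blk.translated is None and blk.runs > hot:
            blk.translated = translate(blk)
        nxt = blk.translated(m, blk) if blk.translated else interpret(m, blk)
        if nxt is not None and blk.translated and blocks[nxt].translated:
            blk.links[nxt] = blocks[nxt]
        prev, pc = blk, nxt
    return m, blocks

# Constructed packed sample: a 24-byte payload XORed with KEY in virtual pages 16-17, mapped to non-identity real offsets.
PAYLOAD, KEY, DATA, PAGE_TABLE = b"unpacked payload here!!!", 0x5A, 0x100, {16: 32, 17: 0}
PROGRAM = [("MOVI", 0, DATA), ("MOVI", 2, DATA + len(PAYLOAD)), ("LOADR", 1, 0), ("XORI", 1, KEY),
           ("STORER", 1, 0), ("ADDI", 0, 1), ("JLT", 0, 2, 2), ("HALT",)]  # loop at pc 2 while r0 < r2
real_of = lambda i: PAGE_TABLE[(DATA + i) // PAGE] + (DATA + i) % PAGE

def unpack(hot=3):
    real = bytearray(64)
    for i, b in enumerate(PAYLOAD):
        real[real_of(i)] = b ^ KEY
    m, blocks = run(PROGRAM, real, dict(PAGE_TABLE), hot)
    return bytes(m.real[real_of(i)] for i in range(len(PAYLOAD))), m, blocks
```

`unpack()` returns the recovered payload together with counters: block 2 (the decrypt loop) runs 24 times, is translated on its fourth run, and its remaining 20 dispatches follow the recorded link rather than the block table; the read and write cache pages reduce the 48 memory accesses to 4 page-table walks. `unpack(hot=100)` recovers the same bytes by emulation alone, which is the check that translation has not changed the program's semantics. The toy never writes to code pages, so it omits the translation invalidation a real unpacker needs for self-modifying code.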