METHOD, SYSTEM AND PROGRAM PRODUCT FOR OPTIMIZING EMULATION OF A SUSPECTED MALWARE
Abstract
A method, system and program product for optimizing emulation of a suspected malware. The method includes identifying, using an emulation optimizer tool, whether an instruction in a suspected malware being emulated by an emulation engine in a virtual environment signifies a long loop and, if so, generating a first hash for the loop. Further, the method includes ascertaining whether the first hash generated matches any long loop entries in a storage and, if so, calculating a second hash for the long loop. Furthermore, the method includes inspecting any long loop entries ascertained to find an entry having a respective second hash matching the second hash calculated. If an entry matching the second hash calculated is found, the method further includes updating one or more states of the emulation engine such that execution of the long loop of the suspected malware is skipped, which optimizes emulation of the suspected malware.
20 Claims
1. A method for optimizing emulation of a suspected malware, said method comprising the steps of:
identifying, using a tool configured to optimize emulation, whether a current instruction in a suspected malware being emulated in a virtual environment signifies a long loop;
if said current instruction identified signifies said long loop, generating a first output value for said long loop;
ascertaining whether said first output value generated matches a respective first output value corresponding to one or more established long loop entries stored in a storage;
if said one or more established long loop entries having said respective first output value matching said first output value generated are ascertained, calculating a second output value for said long loop;
inspecting said one or more established long loop entries ascertained to find an established long loop entry of said one or more established long loop entries ascertained having a respective second output value matching said second output value calculated; and
if said entry matching said second output value calculated is found in said inspecting step, updating one or more states of an emulation engine emulating said suspected malware in said virtual environment, wherein said updating step results in skipping execution of said long loop of said suspected malware for optimizing emulation of said suspected malware in said virtual environment.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A system for optimizing emulation of a program suspected of being malware, said system comprising:
a host environment comprising a central processing unit (CPU), a storage device, a memory module having installed thereon code configured to optimize emulation of a program suspected of being malware;
a guest environment running on said host environment, said guest environment comprising an anti-virus emulation engine running within said memory of said host environment, said anti-virus emulation engine being configured to emulate said program suspected of being malware within said guest environment, said anti-virus emulation engine further comprising:
an emulation kernel configured to control one or more components of said guest environment and configured to communicate with said host environment;
a virtual CPU configured to emulate instructions contained within said program suspected of being malware; and
a virtual memory configured to store said program suspected of being malware;
wherein said code is further configured to detect one or more long loops in said program suspected of being malware and to update states in said anti-virus emulation engine corresponding to said one or more long loops detected, wherein execution of said one or more long loops in said program suspected of being malware is skipped by said anti-virus emulation engine.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A computer program product for optimizing emulation of a suspected malware, said computer program product comprising:
a computer readable medium;
first program instructions to identify whether a current instruction in a suspected malware being emulated in a virtual environment signifies a long loop based on whether a pre-specified condition is met, said first program instructions including instructions to generate, if said current instruction identified signifies said long loop, a first hash value for said long loop;
second program instructions to ascertain whether said first hash value generated matches a respective first hash value corresponding to one or more established long loop entries stored in a storage, said second program instructions including instructions to calculate a second hash value for said long loop, if said one or more established long loop entries having said respective first hash value matches said first hash value generated;
third program instructions to inspect said one or more established long loop entries ascertained to find an established long loop entry of said one or more established long loop entries ascertained having a respective second hash value matching said second hash value calculated, said third program instructions including instructions to execute, if said entry matching said second hash value calculated is found, a routine contained within said established long loop entry found, wherein execution of said long loop of said suspected malware is skipped for optimizing emulation of said suspected malware in said virtual environment.
Dependent claims: 16, 17, 18, 19, 20
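The two-stage lookup described in the abstract and in claims 1 and 15, as an added worked example that is not part of the patent or of any product it covers: a toy emulator detects a backward conditional jump with a large remaining count, computes a cheap first hash to select candidate entries, confirms with a second hash, and then runs the routine stored in the matching entry to update the virtual CPU and resume after the loop. Everything concrete here is an assumption for illustration, since the patent names none of it: the five-instruction toy ISA, the threshold of 1000 remaining iterations as the "pre-specified condition", CRC32 over mnemonics as the first hash, SHA-256 over the full loop body as the second hash, the register-only skip routines, and the constructed sample programs standing in for suspected malware.

```python
"""Two-stage hashed lookup that lets a toy emulator skip known long loops (illustration)."""
import hashlib
import zlib

# Pre-specified condition (claim 15) for calling a loop "long"; the threshold is an assumption.
LONG_LOOP_MIN_ITERS = 1000


class Cpu:
    def __init__(self):
        self.regs = {"eax": 0, "ecx": 0, "edx": 0}
        self.pc = 0
        self.emulated = 0  # instructions actually executed by the engine
        self.skipped = 0   # long loops short-circuited by the optimizer


def loop_body(prog, pc):
    """Instructions from the jump target up to the jnz at pc, with the absolute target dropped."""
    start = prog[pc][2]
    return tuple(prog[start:pc]) + (("jnz", prog[pc][1]),)


def first_hash(body):
    # Cheap filter over mnemonics only (assumption): same-shaped loops collide on purpose.
    return zlib.crc32(" ".join(ins[0] for ins in body).encode())


def second_hash(body):
    # Exact identity including operands (assumption: SHA-256 of the canonical body).
    return hashlib.sha256(repr(body).encode()).hexdigest()


# Skip routines compute the post-loop state in O(1). They run at the jnz, after one
# iteration has already been emulated, so ecx holds the iterations still to go.
def skip_xor_eax_edx(cpu):
    if cpu.regs["ecx"] % 2:
        cpu.regs["eax"] ^= cpu.regs["edx"]
    cpu.regs["ecx"] = 0


def skip_xor_edx_eax(cpu):
    if cpu.regs["ecx"] % 2:
        cpu.regs["edx"] ^= cpu.regs["eax"]
    cpu.regs["ecx"] = 0


# The "storage" of established long loop entries: first hash -> [(second hash, routine)].
KNOWN_LOOPS = [
    ((("xor", "eax", "edx"), ("dec", "ecx"), ("jnz", "ecx")), skip_xor_eax_edx),
    ((("xor", "edx", "eax"), ("dec", "ecx"), ("jnz", "ecx")), skip_xor_edx_eax),
]
STORAGE = {}
for _body, _routine in KNOWN_LOOPS:
    STORAGE.setdefault(first_hash(_body), []).append((second_hash(_body), _routine))


def try_skip_loop(cpu, prog):
    """Claim 1 in order: identify, first hash, candidates, second hash, match, update state."""
    ins = prog[cpu.pc]
    if not (ins[0] == "jnz" and ins[2] < cpu.pc and cpu.regs[ins[1]] >= LONG_LOOP_MIN_ITERS):
        return False
    body = loop_body(prog, cpu.pc)
    candidates = STORAGE.get(first_hash(body))
    if not candidates:
        return False                      # unknown shape: emulate it for real
    h2 = second_hash(body)
    for stored_h2, routine in candidates:
        if stored_h2 == h2:
            routine(cpu)                  # the routine contained in the matching entry
            cpu.pc += 1                   # resume at the instruction after the loop
            cpu.skipped += 1
            return True
    return False                          # same shape, different operands: no skip


def run(prog, optimize=True, max_steps=10_000_000):
    """Emulate a toy program of tuples: mov r,imm | xor r,r | dec r | jnz r,target | halt."""
    cpu = Cpu()
    while cpu.emulated < max_steps:
        if optimize and try_skip_loop(cpu, prog):
            continue
        op = prog[cpu.pc]
        cpu.emulated += 1
        if op[0] == "halt":
            break
        if op[0] == "mov":
            cpu.regs[op[1]] = op[2]
        elif op[0] == "xor":
            cpu.regs[op[1]] ^= cpu.regs[op[2]]
        elif op[0] == "dec":
            cpu.regs[op[1]] -= 1
        elif op[0] == "jnz" and cpu.regs[op[1]] != 0:
            cpu.pc = op[2]
            continue
        cpu.pc += 1
    return cpu


# Constructed sample programs standing in for suspected malware (not real samples).
XOR_LOOP = [("mov", "ecx", 100001), ("mov", "eax", 0x41), ("mov", "edx", 0xFF),
            ("xor", "eax", "edx"), ("dec", "ecx"), ("jnz", "ecx", 3), ("halt",)]
XOR_LOOP_REV = [("mov", "ecx", 100000), ("mov", "eax", 0x41), ("mov", "edx", 0xFF),
                ("xor", "edx", "eax"), ("dec", "ecx"), ("jnz", "ecx", 3), ("halt",)]
UNKNOWN_LOOP = [("mov", "ecx", 5000), ("mov", "edx", 5000),
                ("dec", "ecx"), ("dec", "edx"), ("jnz", "ecx", 2), ("halt",)]

if __name__ == "__main__":
    for prog in (XOR_LOOP, XOR_LOOP_REV, UNKNOWN_LOOP):
        fast, slow = run(prog), run(prog, optimize=False)
        print(fast.regs == slow.regs, fast.emulated, slow.emulated, fast.skipped)
```

Running the module prints, for each program, whether the optimized and full emulations agree on final register state and how many instructions each executed. The two XOR loops share a first hash by construction, which is exactly what forces the second hash: acting on the first hash alone would run the wrong routine and leave edx wrong, while the unknown loop misses at the first stage and is emulated in full. A real skip routine must reproduce every side effect the program can later observe (flags, memory, anything timing dependent), otherwise the skipped loop gives the sample a way to tell it is inside an emulator or simply produces a wrong decrypted payload, and the storage should only hold routines verified equivalent to the loop they replace.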
Specification