HOOKING NONEXPORTED FUNCTIONS BY THE OFFSET OF THE FUNCTION
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes accessing offset data associated with a binary executable, the offset data including an offset of a nonexported function; and modifying instructions at the offset. In another aspect, a method includes analyzing a reference generated for a binary executable, identifying a unique identifier for the binary executable, determining an offset of a nonexported function in the binary executable, and generating offset data that includes the offset and the unique identifier.
13 Claims
1. A computer-implemented method, comprising:
identifying a binary executable in a host computer memory, the binary executable being allocated memory space in the host computer memory, the memory space addressed at a first memory location;
accessing offset data associated with the binary executable, the offset data identifying an offset that defines a second memory location relative to the first memory location, the second memory location different from the first memory location, the second memory location storing a nonexported function within the binary executable; and
modifying instructions at the second memory location to route a code path to a host protection processor.
(Dependent claims: 2, 3, 4, 5)
6. A computer-implemented method, comprising:
analyzing a reference file generated for a binary executable, the reference file containing a representation of instructions that are in the binary executable;
identifying a unique identifier for the binary executable;
locating a nonexported function in the binary executable from the analysis of the reference file;
determining an offset for the nonexported function, the offset being the number of bytes between the nonexported function and the beginning of the binary executable; and
generating offset data that includes the offset and the unique identifier.
(Dependent claims: 7, 8, 9)
10. A system, comprising a file analyzer configured to:
analyze a reference file generated for a binary executable, the reference file comprising a representation of instructions that are in the binary executable;
locate a nonexported function in the reference file; and
determine an offset for the nonexported function, the offset being the number of bytes between the nonexported function and the beginning of the binary executable.
11. A system, comprising:
a host computer memory configured to store data for a computer;
a hook by offset engine that performs operations comprising:
identifies a binary executable in the host computer memory, the binary executable being allocated memory space in the host computer memory, the memory space addressed at a first memory location;
accesses offset data associated with the binary executable, the offset data identifying an offset that defines a second memory location relative to the first memory location, the second memory location storing a nonexported function within the binary executable; and
modifies instructions at the second memory location to route a code path to a host protection processor; and
a host protection processor that performs operations comprising:
determining if execution of the nonexported function results in exploitation of a vulnerability;
if the execution of the nonexported function will not result in exploitation of the vulnerability, then allowing the execution of the nonexported function; and
if execution of the nonexported function will result in exploitation of the vulnerability, then executing a host protection process on the vulnerability.
(Dependent claims: 12, 13)
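The following is a worked illustration of both halves of the claims: the offset-data generator of claims 6 and 10, and the hook-by-offset engine of claims 1 and 11. It is added here as an example and is not code from the patent or its assignee. It assumes an `nm -n` style symbol listing as the "reference file", SHA-256 of the file bytes as the unique identifier, and an x86-64 `jmp rel32` as the instruction written at the function's offset; the image bytes, the symbol names (`decode_header` and the others) and the addresses are constructed for the example.

```python
import hashlib
import re
import struct

# --- Constructed sample data (not from the patent) --------------------------
# A fake 8 KiB "binary executable" image. An x86-64 prologue (push rbp;
# mov rbp, rsp) is planted at the offset the reference file reports for the
# non-exported function so the pre-patch byte check has something real to
# compare against. It is not a parseable ELF or PE.
FUNC_OFFSET = 0x1230
PROLOGUE = bytes.fromhex("554889e5")
_img = bytearray(0x2000)
_img[FUNC_OFFSET:FUNC_OFFSET + len(PROLOGUE)] = PROLOGUE
BINARY_FILE = bytes(_img)            # the file as it sits on disk

# Reference file in `nm -n` style (hypothetical listing for the image above):
# address, symbol type, name. Lowercase 't' is a local (non-exported) text
# symbol; uppercase 'T' is a global, exported one.
REFERENCE = """\
0000000000001100 T parse_request
0000000000001230 t decode_header
00000000000012f0 T handle_connection
"""
NM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)$")
PATCH_LEN = 5                        # size of an x86-64 `jmp rel32`


def binary_id(data: bytes) -> str:
    """Unique identifier for the binary: SHA-256 of the file bytes."""
    return hashlib.sha256(data).hexdigest()


def generate_offset_data(reference: str, binary: bytes, func: str,
                         image_base: int = 0) -> dict:
    """Claim 6 side: locate the non-exported function in the reference file
    and emit offset data. `offset` is bytes from the start of the image; for a
    position-dependent binary pass its link-time image base so the absolute
    symbol address is converted into an offset."""
    for line in reference.splitlines():
        m = NM_LINE.match(line.strip())
        if not m:
            continue
        addr, kind, name = int(m.group(1), 16), m.group(2), m.group(3)
        if name != func:
            continue
        if kind != "t":
            raise ValueError(f"{func} is type {kind!r}, not a non-exported text symbol")
        offset = addr - image_base
        return {
            "id": binary_id(binary),
            "function": func,
            "offset": offset,
            # bytes the hook engine must find at the offset before it patches
            "expected": binary[offset:offset + PATCH_LEN].hex(),
        }
    raise KeyError(f"{func} not found in reference file")


def jmp_rel32(patch_addr: int, target: int) -> bytes:
    """Encode `jmp rel32`; the displacement is relative to the next instruction."""
    rel = target - (patch_addr + PATCH_LEN)
    if not -2**31 <= rel < 2**31:
        raise ValueError("handler not reachable with a rel32 jump")
    return b"\xe9" + struct.pack("<i", rel)


def hook_by_offset(image: bytearray, base: int, backing_file: bytes,
                   offset_data: dict, handler_addr: int) -> dict:
    """Claim 1 side: `image` is the loaded module (its first memory location is
    `base`), `backing_file` the file it was mapped from. Verify the identifier
    and the expected bytes, then overwrite the function entry at base+offset
    with a jump to the host protection handler. Returns the patched address and
    the displaced bytes; a real engine relocates those to a trampoline so the
    original function can still run once the handler has inspected the call."""
    if binary_id(backing_file) != offset_data["id"]:
        raise ValueError("offset data was generated for a different binary")
    off = offset_data["offset"]
    if off < 0 or off + PATCH_LEN > len(image):
        raise ValueError("offset outside the mapped image")
    if image[off:off + PATCH_LEN].hex() != offset_data["expected"]:
        raise ValueError("unexpected bytes at offset (already hooked or wrong build)")
    saved = bytes(image[off:off + PATCH_LEN])
    image[off:off + PATCH_LEN] = jmp_rel32(base + off, handler_addr)
    return {"address": base + off, "saved": saved}


if __name__ == "__main__":
    od = generate_offset_data(REFERENCE, BINARY_FILE, "decode_header")
    print("offset data:", od)
    loaded = bytearray(BINARY_FILE)          # simulated in-memory copy
    base, handler = 0x7F0000000000, 0x7F0000100000
    print("hook:", hook_by_offset(loaded, base, BINARY_FILE, od, handler))
    print("patched bytes:", loaded[FUNC_OFFSET:FUNC_OFFSET + PATCH_LEN].hex())
```

The two checks in `hook_by_offset` are what make hooking by offset safe in practice: the identifier check refuses offset data produced for a different build (patching a foreign build at a stale offset corrupts code rather than hooking it), and the expected-bytes check refuses to patch a function that has already been hooked or relocated. Two caveats the example does not implement: the displaced bytes must end on an instruction boundary and be relocated to a trampoline before the original function is resumed, and a handler further than 2 GiB from the patch site needs an absolute jump rather than `jmp rel32`.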