MALWARE INVESTIGATION BY ANALYZING COMPUTER MEMORY

US 20110265182A1
Filed: 04/27/2010
Published: 10/27/2011
Est. Priority Date: 04/27/2010
Status: Active Grant

First Claim

Patent Images

1. A method for malware investigation by analyzing computer memory of a computing device, comprising:

performing static analysis on code for a software environment to form an extended type graph;

obtaining a raw memory snapshot of the computer memory at runtime, the raw memory snapshot including the software environment executing on the computing device;

finding dynamic data structures in the raw memory snapshot using the extended type graph to form an object graph;

defining an authorized memory area having executable code, static data structures, and dynamic data structures; and

checking function pointers to validate that the function pointers reference a valid memory location in the authorized memory area to validate whether the computer memory is uncompromised.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technology is described for malware investigation by analyzing computer memory in a computing device. The method can include performing static analysis on code for a software environment to form an extended type graph. A raw memory snapshot of the computer memory can be obtained at runtime. The raw memory snapshot may include the software environment executing on the computing device. Dynamic data structures can be found in the raw memory snapshot using the extended type graph to form an object graph. An authorized memory area can be defined having executable code, static data structures, and dynamic data structures. Implicit and explicit function pointers can be identified. The function pointers can be checked to validate that the function pointers reference a valid memory location in the authorized memory area and whether the computer memory is uncompromised.

Citations

20 Claims

1. A method for malware investigation by analyzing computer memory of a computing device, comprising:
- performing static analysis on code for a software environment to form an extended type graph;
  
  obtaining a raw memory snapshot of the computer memory at runtime, the raw memory snapshot including the software environment executing on the computing device;
  
  finding dynamic data structures in the raw memory snapshot using the extended type graph to form an object graph;
  
  defining an authorized memory area having executable code, static data structures, and dynamic data structures; and
  
  checking function pointers to validate that the function pointers reference a valid memory location in the authorized memory area to validate whether the computer memory is uncompromised.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as in claim 1, wherein the software environment comprises an operating system and support structure including device drivers.
  - 3. A method as in claim 1, wherein generating the extended type graph from the static analysis, further comprises:
    - adding nodes having data types defined in the software environment; and
      
      adding edges that represent pointers between linked data types.
  - 4. A method as in claim 1, further comprising generating an object graph by adding additional nodes to the extended type graph representing dynamic data structures.
  - 5. A method as in claim 1, further comprising:
    - identifying kernel loading paths that enable code to be executed on the computer memory without using function pointers; and
      
      checking to see whether malicious code is trying to execute using the identified kernel loading paths.
  - 6. A method as in claim 4, further comprising ascertaining whether a computer system has been compromised by being exposed to an uncontrolled computing environment by checking for compromised function pointers and compromised loading paths.
  - 7. A method as in claim 1, further comprising obtaining the raw memory snapshot from a computing device that is a virtual machine.
  - 8. A method as in claim 1, further comprising finding all the dynamic data structures by starting with the static data structures in the extended type graph and traversing pointers in the extended type graph until the dynamic data structures are reached.

9. A system for malware investigation by analyzing computer memory, comprising:
- a static analysis module configured to perform a static analysis on source code for an operating system kernel to form an extended type graph;
  
  a memory snapshot module configured to obtain a raw memory snapshot of computer memory at runtime containing the operating system kernel executing on a computing device;
  
  a memory analysis module configured to find dynamic data structures in the raw memory snapshot using the extended type graph and to define an authorized memory area having executable code, static data structures, and dynamic data structures;
  
  wherein function pointers are identified in the authorized memory area using the memory analysis module; and
  
  a kernel integrity checking module configured to check the function pointers to validate that function pointers reference a valid memory location in the authorized memory area so as to validate whether the computer memory on the computing device is uncompromised.
- View Dependent Claims (10, 12, 13, 14, 15)
- - 10. The system as in claim 9, wherein an object graph is created from the static data structures, dynamic data structures, and function pointers at runtime.
  - 12. The system as in claim 9, wherein function pointers in memory that point to a location outside of a valid memory block are identified as a compromised memory pointer.
  - 13. The system as in claim 9, wherein the memory snapshot module is configured to obtain the raw memory snapshot from a virtual machine on a computing device.
  - 14. The system as in claim 9, wherein the operating system kernel comprises a support structure having device drivers, application program interfaces, virtual device drivers, and direct hardware interfaces.
  - 15. A system as in claim 9, further comprising identifying implicit function pointers and explicit function pointers by identifying a memory field that is used as a function pointer but the memory field is not declared as a function pointer and identifying function pointers defined in a union data structure.

11. The system as in 9, wherein the extended type graph comprises:
- nodes representing data types defined in the operating system kernel, edges representing pointers between linked data types, and nodes representing dynamic data structures.

16. A method for detection of compromised computer memory, comprising:
- performing static analysis on source code for an operating system kernel to form an extended type graph;
  
  obtaining a raw memory snapshot of computer memory at runtime containing the operating system kernel on a computing device;
  
  finding dynamic data structures in the raw memory snapshot by traversing the extended type graph to form an object graph;
  
  forming an authorized memory area, using the object graph, the authorized memory area having executable code, static data structures and dynamic data structures;
  
  identifying function pointers that include implicit and explicit function pointers in the authorized memory area; and
  
  checking the function pointers in the authorized memory area to validate that the function pointers reference a valid memory location in the authorized memory area in order to validate that computer memory on the computing device is uncompromised by malware.
- View Dependent Claims (17, 18, 19, 20)
- - 17. A method as in claim 16, further comprising:
    - generating a points-to graph with nodes representing program pointers and edges representing connections between program pointers;
      
      inferring candidate target types for generic pointers; and
      
      producing an extended type graph from the points-to graph and the generic pointers with candidate target types.
  - 18. A method as in claim 16, further comprising finding hidden objects in the operating system kernel by comparing objects found in the object graph with the list of objects in a kernel object viewer to identify hidden objects unknown to the kernel object viewer.
  - 19. A method as in claim 18, further comprising marking hidden objects found as malware objects.
  - 20. A method as in claim 16, further comprising identifying implicit function pointers and explicit function pointers by identifying a memory field that is used as a function pointer but the memory field is not declared as a function pointer and identifying function pointers defined in a union data structure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zhigu Holdings Limited
Original Assignee
Microsoft Corporation
Inventors
Peinado, Marcus, Cui, Weidong

Granted Patent

US 8,566,944 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 21/566 Dynamic detection, i.e. det...

MALWARE INVESTIGATION BY ANALYZING COMPUTER MEMORY

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MALWARE INVESTIGATION BY ANALYZING COMPUTER MEMORY

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links