MALWARE INVESTIGATION BY ANALYZING COMPUTER MEMORY
First Claim
1. A method for malware investigation by analyzing computer memory of a computing device, comprising:
performing static analysis on code for a software environment to form an extended type graph;
obtaining a raw memory snapshot of the computer memory at runtime, the raw memory snapshot including the software environment executing on the computing device;
finding dynamic data structures in the raw memory snapshot using the extended type graph to form an object graph;
defining an authorized memory area having executable code, static data structures, and dynamic data structures; and
checking function pointers to validate that the function pointers reference a valid memory location in the authorized memory area to validate whether the computer memory is uncompromised.
Abstract
Technology is described for malware investigation by analyzing computer memory in a computing device. The method can include performing static analysis on code for a software environment to form an extended type graph. A raw memory snapshot of the computer memory can be obtained at runtime. The raw memory snapshot may include the software environment executing on the computing device. Dynamic data structures can be found in the raw memory snapshot using the extended type graph to form an object graph. An authorized memory area can be defined having executable code, static data structures, and dynamic data structures. Implicit and explicit function pointers can be identified. The function pointers can be checked to validate that the function pointers reference a valid memory location in the authorized memory area and whether the computer memory is uncompromised.
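The pipeline the abstract describes, as an added illustration that is not code from the patent: a toy type graph is walked over a constructed 32-bit memory image to build the object graph, the authorized area is assembled from the code region, the static data region and the discovered objects, and every function pointer is then checked against the authorized code range. The memory layout, type names and addresses are all assumptions made for the example; the hooked variant shows how a dispatch pointer redirected outside authorized code surfaces as a violation.

```python
import struct

# Constructed 32-bit little-endian snapshot (assumed layout, not from the patent):
#   code 0x1000-0x1FFF, static data 0x2000-0x2FFF, dynamic pool 0x3000-0x3FFF,
#   0x4000-0x4FFF is an unlabelled region that is NOT part of the authorized area.
CODE, STATIC, MEM_SIZE = (0x1000, 0x2000), (0x2000, 0x3000), 0x5000

# Extended type graph: nodes are types, edges are typed pointer fields.
# Field kinds: "ptr" (data pointer to target type), "fptr" (function pointer), "int".
TYPE_GRAPH = {
    "driver_table": [("head", "ptr", "driver"), ("count", "int", None)],
    "driver": [("next", "ptr", "driver"), ("dispatch", "fptr", None)],
}
ROOT = (0x2000, "driver_table")  # static root object known from the static analysis

def build_snapshot(hooked):
    """Constructed memory image: a table pointing at two linked driver objects."""
    mem = bytearray(MEM_SIZE)
    struct.pack_into("<II", mem, 0x2000, 0x3000, 2)        # driver_table{head, count}
    struct.pack_into("<II", mem, 0x3000, 0x3100, 0x1080)   # driver A {next, dispatch}
    target = 0x4200 if hooked else 0x10C0                   # hook redirects outside code
    struct.pack_into("<II", mem, 0x3100, 0, target)         # driver B {next=NULL, dispatch}
    return mem

def build_object_graph(mem):
    """Follow typed pointers from the root to find dynamic objects: addr -> (type, fields)."""
    objects, work = {}, [ROOT]
    while work:
        addr, tname = work.pop()
        if addr == 0 or addr in objects:
            continue
        fields = {}
        for i, (name, kind, target) in enumerate(TYPE_GRAPH[tname]):
            fields[name] = (kind, struct.unpack_from("<I", mem, addr + 4 * i)[0])
            if kind == "ptr":
                work.append((fields[name][1], target))
        objects[addr] = (tname, fields)
    return objects

def check_snapshot(mem):
    """Authorized area = code + static data + discovered objects. Function pointers must
    land in authorized code; data pointers must land somewhere in the authorized area."""
    objects = build_object_graph(mem)
    authorized = [CODE, STATIC] + [(a, a + 4 * len(TYPE_GRAPH[t])) for a, (t, _) in objects.items()]
    inside = lambda v, ranges: any(lo <= v < hi for lo, hi in ranges)
    violations = []
    for addr, (tname, fields) in objects.items():
        for name, (kind, value) in fields.items():
            if kind == "fptr" and not inside(value, [CODE]):
                violations.append((hex(addr), f"{tname}.{name}", hex(value)))
            elif kind == "ptr" and value and not inside(value, authorized):
                violations.append((hex(addr), f"{tname}.{name}", hex(value)))
    return violations
```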
20 Claims
9. A system for malware investigation by analyzing computer memory, comprising:
a static analysis module configured to perform a static analysis on source code for an operating system kernel to form an extended type graph;
a memory snapshot module configured to obtain a raw memory snapshot of computer memory at runtime containing the operating system kernel executing on a computing device;
a memory analysis module configured to find dynamic data structures in the raw memory snapshot using the extended type graph and to define an authorized memory area having executable code, static data structures, and dynamic data structures; wherein function pointers are identified in the authorized memory area using the memory analysis module; and
a kernel integrity checking module configured to check the function pointers to validate that function pointers reference a valid memory location in the authorized memory area so as to validate whether the computer memory on the computing device is uncompromised.
11. The system as in claim 9, wherein the extended type graph comprises:
nodes representing data types defined in the operating system kernel, edges representing pointers between linked data types, and nodes representing dynamic data structures.
16. A method for detection of compromised computer memory, comprising:
performing static analysis on source code for an operating system kernel to form an extended type graph;
obtaining a raw memory snapshot of computer memory at runtime containing the operating system kernel on a computing device;
finding dynamic data structures in the raw memory snapshot by traversing the extended type graph to form an object graph;
forming an authorized memory area, using the object graph, the authorized memory area having executable code, static data structures and dynamic data structures;
identifying function pointers that include implicit and explicit function pointers in the authorized memory area; and
checking the function pointers in the authorized memory area to validate that the function pointers reference a valid memory location in the authorized memory area in order to validate that computer memory on the computing device is uncompromised by malware.