SYSTEM AND METHOD FOR THE PROGRAMMATIC RUNTIME DE-OBFUSCATION OF OBFUSCATED SOFTWARE UTILIZING VIRTUAL MACHINE INTROSPECTION AND MANIPULATION OF VIRTUAL MACHINE GUEST MEMORY PERMISSIONS

US 20140189882A1
Filed: 05/13/2013
Published: 07/03/2014
Est. Priority Date: 12/28/2012
Status: Active Grant

First Claim

Patent Images

1. A method to de-obfuscate obfuscated malicious software code in a virtual machine, the method comprising the steps of:

enumerating a first physical page associated with a virtual address space of a first piece of analyzed software code;

setting the first physical page to non writable; and

detecting a write to the first physical page.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method operable to programmatically perform runtime de-obfuscation of obfuscated software via virtual machine introspection and manipulation of virtual machine guest memory permissions.

Citations

18 Claims

1. A method to de-obfuscate obfuscated malicious software code in a virtual machine, the method comprising the steps of:
- enumerating a first physical page associated with a virtual address space of a first piece of analyzed software code;
  
  setting the first physical page to non writable; and
  
  detecting a write to the first physical page.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, further comprising the step of:
    - saving the written to memory address of the first physical page.
  - 3. The method of claim 1, further comprising the step of:
    - changing the permission of the first physical page to not executable if the write is from the first piece of analyzed software code.
  - 4. The method of claim 3, further comprising the steps of:
    - executing an instruction associated with the first physical page; and
      
      updating a status of the first physical page.
  - 5. The method of claim 4, further comprising the step of:
    - storing the contents of the first physical page for review.
  - 6. The method of claim 1, further comprising the step of:
    - traversing a page table for the enumerating of the first physical page.
  - 7. The method of claim 1, further comprising the step of:
    - enumerating a second physical page following at least one of (i) a change in virtual address space allocation, and (ii) cessation of execution of the first piece of analyzed software.
  - 8. The method of claim 7, further comprising the step of:
    - traversing a page table for the enumerating of the second physical page.
  - 9. The method of claim 1, further comprising the step of:
    - enumerating the first piece of analyzed software code by at least one of (i) reviewing process tracking structures and (ii) matching byte strings in binary executable.
  - 10. The method according to claim 3, further comprising the step of:
    - reading memory allocated for use by the virtual machine via a virtual machine introspection tool to determine if the write to the first physical page is from the first piece of analyzed software code.
  - 11. The method of claim 3, further comprising the step of:
    - reading memory allocated for use by the virtual machine via a virtual machine introspection tool to determine a written to memory address of the first physical page.
  - 12. The method of claim 11, further comprising the step of storing the memory address.
  - 13. The method of claim 12, wherein the memory address is stored in an analysis engine.
  - 14. The method according to claim 1, wherein programmatic control of the virtual machine is provided via instrumentation.
  - 15. The method of claim 1, wherein the steps of the method are implemented via an analysis engine.
  - 16. The method of claim 1, further comprising the step of:
    - enumerating a second piece of analyzed software following at least one of (i) a change in virtual address space allocation, and (ii) cessation of execution of the first piece of analyzed software.

17. A system to de-obfuscate obfuscated malicious software in a virtual machine, the system comprising:
- an analysis engine operable to update a physical page status and save the physical page status to memory upon the occurrence of at least one of (i) execution of an instruction associated with a physical page, and (ii) setting of a physical page permission to not executable.
- View Dependent Claims (18)
- - 18. The system of claim 17, wherein the analysis engine is configured to set the physical page permission to not executable based upon data or an instruction received which indicate the potential presence of malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Jung, Robert, Saba, Antony

Granted Patent

US 9,459,901 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/14   against software analysis o...

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

SYSTEM AND METHOD FOR THE PROGRAMMATIC RUNTIME DE-OBFUSCATION OF OBFUSCATED SOFTWARE UTILIZING VIRTUAL MACHINE INTROSPECTION AND MANIPULATION OF VIRTUAL MACHINE GUEST MEMORY PERMISSIONS

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR THE PROGRAMMATIC RUNTIME DE-OBFUSCATION OF OBFUSCATED SOFTWARE UTILIZING VIRTUAL MACHINE INTROSPECTION AND MANIPULATION OF VIRTUAL MACHINE GUEST MEMORY PERMISSIONS

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links