SYSTEM AND METHOD FOR THE PROGRAMMATIC RUNTIME DE-OBFUSCATION OF OBFUSCATED SOFTWARE UTILIZING VIRTUAL MACHINE INTROSPECTION AND MANIPULATION OF VIRTUAL MACHINE GUEST MEMORY PERMISSIONS
Abstract
A system and method operable to programmatically perform runtime de-obfuscation of obfuscated software via virtual machine introspection and manipulation of virtual machine guest memory permissions.
18 Claims
1. A method to de-obfuscate obfuscated malicious software code in a virtual machine, the method comprising the steps of:
- enumerating a first physical page associated with a virtual address space of a first piece of analyzed software code;
- setting the first physical page to non writable; and
- detecting a write to the first physical page.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16

17. A system to de-obfuscate obfuscated malicious software in a virtual machine, the system comprising:
- an analysis engine operable to update a physical page status and save the physical page status to memory upon the occurrence of at least one of (i) execution of an instruction associated with a physical page, and (ii) setting of a physical page permission to not executable.

Dependent claims: 18
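The three steps of claim 1 and the page-status bookkeeping of claim 17 can be modelled as a small simulation. This is an added example, not code from the patent: the `PageTracker` class, the status names, and the policy of revoking execute on a detected write and capturing the page when it is next executed are assumptions, and guest memory is a constructed in-process model rather than a hypervisor interface.

```python
from dataclasses import dataclass, field

PAGE_SIZE = 4096  # assumed page size for this simulation

@dataclass
class Page:
    data: bytearray = field(default_factory=lambda: bytearray(PAGE_SIZE))
    writable: bool = True
    executable: bool = True

class PageTracker:
    """Toy analysis engine; guest memory is a constructed in-process model."""

    def __init__(self, page_table):
        self.page_table = page_table  # virtual page number -> physical frame
        self.frames = {f: Page() for f in set(page_table.values())}
        self.status_log = []          # saved (frame, status) records
        self.captured = {}            # frame -> bytes at first run after a write

    def enumerate_and_protect(self):
        """Steps 1-2: enumerate the backing frames, set each non-writable."""
        for page in self.frames.values():
            page.writable = False
        return sorted(self.frames)

    def _lookup(self, vaddr):
        frame = self.page_table[vaddr // PAGE_SIZE]
        return frame, self.frames[frame]

    def guest_write(self, vaddr, payload):
        """Step 3: a write to a non-writable page traps to the engine."""
        frame, page = self._lookup(vaddr)
        if not page.writable:
            # Assumed policy: allow the write but revoke execute, so running
            # the newly written bytes traps as well.
            page.writable, page.executable = True, False
            self.status_log.append((frame, "written"))
        off = vaddr % PAGE_SIZE
        assert off + len(payload) <= PAGE_SIZE  # model handles single-page writes
        page.data[off:off + len(payload)] = payload

    def guest_execute(self, vaddr):
        """Execution trap: capture the page contents, then re-arm the write trap."""
        frame, page = self._lookup(vaddr)
        if not page.executable:
            self.captured[frame] = bytes(page.data)
            page.writable, page.executable = False, True
            self.status_log.append((frame, "executed"))
        return frame
```

Only the first write to a protected page traps; later writes proceed untrapped until the page is executed and the write trap is re-armed, so the captured bytes reflect the page as it stood when it first ran.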
Specification