SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM REGULATION AND CONTROL OF SELF-MODIFYING CODE
First Claim
1. An article of manufacture, comprising:
- a non-transitory computer readable medium;
computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
trap, at a higher priority than all operating systems of the electronic device, an attempted access to a particular memory location in memory of the electronic device, the attempted access indicating a presence of self-modifying malware, the electronic device including one or more operating systems;
record information associated with the attempted access in a history in response to trapping the attempted access to memory;
analyze information in the history associated with the particular memory location to determine suspicious behavior with respect to the particular memory location, wherein analyzing information includes;
identifying suspicious behavior based on information in the history indicating that content at a first memory location was copied to a second location, modified at the second location, and subsequently executed at the second location;
identifying suspicious behavior based on whether information in the history indicates attempted execution of content at a third memory location and a fourth memory location, wherein each of the third and fourth memory locations have a common ancestor at a fifth location; and
identifying suspicious behavior based on whether information in the history indicates content at the particular memory location has ancestors at a plurality of other memory locations;
initiate corrective action in response to determining suspicious behavior respect to the particular memory location;
determine whether the particular memory location has been affected by malware; and
initiate further corrective action in response to determining that the particular memory location has been affected by malware, comprising at least one of;
disallowing execution of content associated with the particular memory location, reversing changes to the content in the history, repairing the content, replacing the content with harmless content, and disabling a process associated with the content.
10 Assignments
0 Petitions
Accused Products
Abstract
A system for securing an electronic device may include a memory, a processor; one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to: (i) trap attempted accesses to the memory, wherein each of such attempted accesses may, individually or in the aggregate, indicate the presence of self-modifying malware; (ii) in response to trapping each attempted access to the memory, record information associated with the attempted access in a history; and (iii) in response to a triggering attempted access associated with a particular memory location, analyze information in the history associated with the particular memory location to determine if suspicious behavior has occurred with respect to the particular memory location.
-
Citations
24 Claims
-
1. An article of manufacture, comprising:
-
a non-transitory computer readable medium; computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to; trap, at a higher priority than all operating systems of the electronic device, an attempted access to a particular memory location in memory of the electronic device, the attempted access indicating a presence of self-modifying malware, the electronic device including one or more operating systems; record information associated with the attempted access in a history in response to trapping the attempted access to memory; analyze information in the history associated with the particular memory location to determine suspicious behavior with respect to the particular memory location, wherein analyzing information includes; identifying suspicious behavior based on information in the history indicating that content at a first memory location was copied to a second location, modified at the second location, and subsequently executed at the second location; identifying suspicious behavior based on whether information in the history indicates attempted execution of content at a third memory location and a fourth memory location, wherein each of the third and fourth memory locations have a common ancestor at a fifth location; and identifying suspicious behavior based on whether information in the history indicates content at the particular memory location has ancestors at a plurality of other memory locations; initiate corrective action in response to determining suspicious behavior respect to the particular memory location; determine whether the particular memory location has been affected by malware; and initiate further corrective action in response to determining that the particular memory location has been affected by malware, comprising at least one of; disallowing execution of content associated with the particular memory location, reversing changes to the content in the history, repairing the content, replacing the content with harmless content, and disabling a process associated with the content. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A system for securing an electronic device, comprising:
-
a memory; a processor; one or more operating systems residing in the memory for execution by the processor; a security agent configured to; execute on the electronic device at higher priority than all operating systems of the electronic device; trap an attempted access of a particular memory location in the memory based upon an indication that the attempted access is associated with self-modifying malware; record information associated with the attempted access in a history; determine whether suspicious behavior is related to the particular memory location based on information in the history indicating that content was copied between memory locations, that the content was subsequently modified, and that the processor subsequently attempted to execute the content; determine whether suspicious behavior is related to the particular memory location based on information in the history indicating attempted execution of a plurality of memory locations that each have a common memory location ancestor; determine whether suspicious behavior is related to the particular memory location based on information in the history indicating content at the particular memory location has ancestors at a plurality of other memory locations; initiate corrective action in response to determining suspicious behavior related to the particular memory location; determine whether the particular memory location has been affected by malware; and initiate further corrective action in response to determining that the particular memory location has been affected by malware, including at least one of;
disallowing execution of content associated with the particular memory location, reversing changes to the content described in the history, repairing the content, replacing the content with harmless content, and disabling a process associated with the content. - View Dependent Claims (8, 9, 10, 11, 12)
-
-
13. An article of manufacture, comprising:
-
a non-transitory computer readable medium; computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to, at a higher priority than all operating systems of an electronic device; identify that an attempted access of a particular memory location in memory indicates self-modifying malware; trap the attempted access; record information about the attempted access in a history; determine possible suspicious behavior related to the particular memory location based on information in the history indicating that content was copied between memory locations, that the content was subsequently modified, and that the processor subsequently attempted to execute the content; determine possible suspicious behavior related to the particular memory location based on information in the history indicating attempted execution of a plurality of memory locations that each have a common memory location ancestor; determine possible suspicious behavior related to the particular memory location based on information in the history indicating that content at the particular memory location has ancestors at a plurality of other memory locations; initiate corrective action in response to determining any possible suspicious behavior related to the particular memory location; determine whether the particular memory location has been affected by malware; and initiate further corrective action in response to determining that the particular memory location has been affected by malware, including at least one of; disallowing execution of content associated with the particular memory location, reversing changes to the content described in the history, repairing the content, replacing the content with harmless content, and disabling a process associated with the content; wherein the electronic device includes one or more operating systems. - View Dependent Claims (14, 15, 16, 17, 18)
-
-
19. A method for securing an electronic device, comprising:
-
trapping, at a higher priority than all operating systems of the electronic device, an attempted access to a particular memory location in memory of the electronic device, the attempted access indicating a presence of self-modifying malware, the electronic device including one or more operating systems; recording information associated with the attempted access in a history in response to trapping the attempted access to memory; and analyzing information in the history associated with the particular memory location to determine suspicious behavior with respect to the particular memory location, comprising; identifying suspicious behavior based on information in the history indicating that content at a first memory location was copied to a second location, modified at the second location, and subsequently executed at the second location; identifying suspicious behavior based on whether information in the history indicates attempted execution of content at a third memory location and a fourth memory location, wherein each of the third and fourth memory locations have a common ancestor at a fifth location; and identifying suspicious behavior based on whether information in the history indicates content at the particular memory location has ancestors at a plurality of other memory locations; initiating corrective action in response to determining suspicious behavior respect to the particular memory location; determining whether the particular memory location has been affected by malware; and initiating further corrective action in response to determining that the particular memory location has been affected by malware, comprising at least one of;
disallowing execution of content associated with the particular memory location, reversing changes to the content in the history, repairing the content, replacing the content with harmless content, and disabling a process associated with the content.- View Dependent Claims (20, 21, 22, 23, 24)
-
Specification