METHOD, APPARATUS AND VIRTUAL MACHINE FOR DETECTING MALICIOUS PROGRAM
Abstract
A method, an apparatus and a virtual machine for detecting a malicious program(s) are disclosed. The method comprises: setting a virtual memory (301); reading a Master Boot Record (MBR) and storing the MBR in the virtual memory (302); and executing each instruction of the MBR in the virtual memory simulatedly, and detecting whether the virtual memory is modified after executing each instruction (303); if so, a malicious program is found, otherwise, continuing to execute the next instruction simulatedly until completing simulation execution of all instructions of the MBR. The technical solution can find the deformed malicious program(s).
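The steps 301 to 303 of the abstract, as an added Python sketch that is not code from the patent: it single-steps a boot sector in an emulated memory and stops at the first instruction after which that memory differs. The names `scan_mbr` and `make_sector`, the verdict strings, the handful of 16-bit x86 opcodes supported, zeroed segment registers and a clear direction flag are all assumptions of this example.

```python
MBR_BASE, MBR_SIZE = 0x7C00, 512   # BIOS loads the boot sector at 0000:7C00

def make_sector(code):
    """Pad code to 512 bytes and append the 55 AA boot signature."""
    return bytes(code).ljust(510, b"\x00") + b"\x55\xaa"

def scan_mbr(sector, max_steps=4096):
    """Return (verdict, address of the last instruction executed)."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    mem = bytearray(0x10000)                      # 301: set the virtual memory
    mem[MBR_BASE:MBR_BASE + MBR_SIZE] = sector    # 302: store the MBR in it
    r = {"al": 0, "cx": 0, "si": 0, "di": 0}      # assumed: segments 0, DF clear
    ip = start = MBR_BASE
    for _ in range(max_steps):                    # 303: one instruction per pass
        if not MBR_BASE <= ip < MBR_BASE + MBR_SIZE:
            return "left-image", start            # control left the MBR image
        start, op = ip, mem[ip]
        b1, w1 = mem[ip + 1], mem[ip + 1] | mem[ip + 2] << 8
        before = bytes(mem)                       # snapshot for the per-step check
        if op in (0x90, 0xFA, 0xFC):              # NOP / CLI / CLD
            ip += 1
        elif op == 0xF4:                          # HLT: end of the simulated run
            return "clean", start
        elif op == 0xB0:                          # MOV AL, imm8
            r["al"], ip = b1, ip + 2
        elif op in (0xB9, 0xBE, 0xBF):            # MOV CX/SI/DI, imm16
            r[{0xB9: "cx", 0xBE: "si", 0xBF: "di"}[op]], ip = w1, ip + 3
        elif op == 0x34:                          # XOR AL, imm8
            r["al"], ip = r["al"] ^ b1, ip + 2
        elif op == 0xAC:                          # LODSB: AL = [SI], SI += 1
            r["al"], r["si"], ip = mem[r["si"]], (r["si"] + 1) & 0xFFFF, ip + 1
        elif op == 0xAA:                          # STOSB: [DI] = AL, DI += 1
            mem[r["di"]] = r["al"]
            r["di"], ip = (r["di"] + 1) & 0xFFFF, ip + 1
        elif op == 0xE2:                          # LOOP rel8 (sign-extended)
            r["cx"] = (r["cx"] - 1) & 0xFFFF
            ip += 2 + ((b1 ^ 0x80) - 0x80 if r["cx"] else 0)
        else:
            return "unsupported", start           # outside this sketch's subset
        if bytes(mem) != before:                  # memory changed by this step
            return "modified", start
    return "step-limit", start

# Constructed samples, not taken from any real boot sector.
PLAIN = make_sector([0xFA, 0xFC, 0xB0, 0x41, 0x34, 0x01, 0xF4])
# mov si,7C20h; mov di,7C20h; mov cx,4; lodsb; xor al,5Ah; stosb; loop; hlt
SELF_WRITE = make_sector(bytes.fromhex("be207c bf207c b90400 ac 345a aa e2fa f4"))
```

A verdict of `unsupported`, `left-image` or `step-limit` means the sketch could not finish the run, not that the sector passed the check.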
22 Claims
1. A method for detecting malicious program(s), comprising:
- setting a virtual memory;
- reading a Master Boot Record, MBR, and storing the MBR in the virtual memory; and
- executing each instruction of the MBR in the virtual memory simulatedly, and detecting whether the virtual memory is modified after executing each instruction, if so, a malicious program is found, otherwise, continuing to execute the next instruction simulatedly until completing simulation execution of all instructions of the MBR.
Dependent claims: 2, 3, 4, 5, 6, 17, 18, 19.
7. An apparatus for detecting malicious program(s), comprising:
- a first setting module, adapted to set a virtual memory;
- a reading and storing module, adapted to read a Master Boot Record, MBR, and store the MBR in the virtual memory;
- a simulating execution module, adapted to execute each instruction of the MBR in the virtual memory simulatedly; and
- a detecting module, adapted to detect whether the virtual memory is modified after the simulating execution module completes an execution of each instruction, if so, a malicious program is found; otherwise, triggering the simulating execution module to continue to execute the next instruction simulatedly until completing simulation execution of all instructions of the MBR.
Dependent claims: 8, 9, 10, 11, 20, 21.
12. A virtual machine for detecting malicious program(s), comprising:
- a virtual CPU initialization module, adapted to initialize a virtual CPU;
- a virtual memory initialization module, adapted to initialize a virtual memory, and read the MBR during the initialization process and then store the MBR in the virtual memory;
- the virtual memory, adapted to store the MBR; and
- the virtual CPU, adapted to execute each instruction of the MBR in the virtual memory simulatedly, and detect whether the virtual memory is modified after executing each instruction, if so, a malicious program is found; otherwise, continue to execute the next instruction simulatedly until completing simulation execution of all instructions of the MBR.
Dependent claims: 13, 14, 22.
15. (canceled)
16. (canceled)
Specification