METHOD, APPARATUS AND VIRTUAL MACHINE FOR DETECTING MALICIOUS PROGRAM

US 20140351935A1
Filed: 08/24/2012
Published: 11/27/2014
Est. Priority Date: 09/14/2011
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious program(s), comprising:

setting a virtual memory;

reading a Master Boot Record, MBR, and storing the MBR in the virtual memory; and

executing each instruction of the MBR in the virtual memory simulatedly, and detecting whether the virtual memory is modified after executing each instruction, if so, a malicious program is found, otherwise, continuing to execute the next instruction simulatedly until completing simulation execution of all instructions of the MBR.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, an apparatus and a virtual machine for detecting a malicious program(s) are disclosed. The method comprises: setting a virtual memory (301); reading a Master Boot Record (MBR) and storing the MBR in the virtual memory (302); and executing each instruction of the MBR in the virtual memory simulatedly, and detecting whether the virtual memory is modified after executing each instruction (303); if so, a malicious program is found, otherwise, continuing to execute the next instruction simulatedly until completing simulation execution of all instructions of the MBR. The technical solution can find the deformed malicious program(s).

Citations

22 Claims

1. A method for detecting malicious program(s), comprising:
- setting a virtual memory;
  
  reading a Master Boot Record, MBR, and storing the MBR in the virtual memory; and
  
  executing each instruction of the MBR in the virtual memory simulatedly, and detecting whether the virtual memory is modified after executing each instruction, if so, a malicious program is found, otherwise, continuing to execute the next instruction simulatedly until completing simulation execution of all instructions of the MBR.
- View Dependent Claims (2, 3, 4, 5, 6, 17, 18, 19)
- - 2. The method according to claim 1, wherein the step of detecting whether the virtual memory is modified comprises:
    - detecting whether the size of the virtual memory is changed, if so, the virtual memory being modified;
      
      otherwise, the virtual memory being not modified.
  - 3. The method according to claim 1, wherein before the step of setting a virtual memory, the method further comprises:
    - setting a virtual CPU;
      
      then the step of executing each instruction of the MBR in the virtual memory simulatedly comprising;
      
      executing each instruction of the MBR in the virtual memory by the virtual CPU.
  - 4. The method according to claim 3, wherein,the step of setting a virtual CPU comprises:
    - initializing the virtual CPU;
      
      the step of setting a virtual memory comprises;
      
      initializing a BIOS data area, wherein the BIOS data area is used to store the size of the virtual memory.
  - 5. The method according to claim 1, wherein,before the step of executing each instruction of the MBR in the virtual memory simulatedly, the method further comprises:
    - setting a virtual hard disk;
      
      then the step of executing each instruction of the MBR in the virtual memory simulatedly comprising;
      
      copying the MBR in the virtual memory to the virtual hard disk; and
      
      reading the MBR from the virtual hard disk and executing each instruction of the MBR simulatedly.
  - 6. The method according to claim 1, wherein the method further comprises:
    - disassembling each instruction of the MBR and outputting to display.
  - 17. The method according to claim 2, wherein before the step of setting a virtual memory, the method further comprises:
    - setting a virtual CPU;
      
      then the step of executing each instruction of the MBR in the virtual memory simulatedly comprising;
      
      executing each instruction of the MBR in the virtual memory by the virtual CPU.
  - 18. The method according to claim 17, wherein,the step of setting a virtual CPU comprises:
    - initializing the virtual CPU;
      
      the step of setting a virtual memory comprises;
      
      initializing a BIOS data area, wherein the BIOS data area is used to store the size of the virtual memory.
  - 19. The method according to claim 2, wherein,before the step of executing each instruction of the MBR in the virtual memory simulatedly, the method further comprises:
    - setting a virtual hard disk;
      
      then the step of executing each instruction of the MBR in the virtual memory simulatedly comprising;
      
      copying the MBR in the virtual memory to the virtual hard disk; and
      
      reading the MBR from the virtual hard disk and executing each instruction of the MBR simulatedly.

7. An apparatus for detecting malicious program(s), comprising:
- a first setting module, adapted to set a virtual memory;
  
  a reading and storing module, adapted to read a Master Boot Record, MBR, and store the MBR in the virtual memory;
  
  a simulating execution module, adapted to execute each instruction of the MBR in the virtual memory simulatedly; and
  
  a detecting module, adapted to detect whether the virtual memory is modified after the simulating execution module completes an execution of each instruction, if so, a malicious program is found;
  
  otherwise, triggering the simulating execution module to continue to execute the next instruction simulatedly until completing simulation execution of all instructions of the MBR.
- View Dependent Claims (8, 9, 10, 11, 20, 21)
- - 8. The apparatus according to claim 7, whereinthe detecting module judges whether the virtual memory is modified by detecting whether the size of the virtual memory is changed, if the size is changed, the virtual memory is modified;
    - otherwise, the virtual memory is not modified.
  - 9. The apparatus according to claim 7, wherein the apparatus further comprises:
    - a second setting module, adapted to set a virtual CPU, wherein the virtual CPU triggers the execution of the simulating execution module and the detecting module.
  - 10. The apparatus according to claim 7, wherein the apparatus further comprises:
    - a third setting module, adapted to set a virtual hard disk, and copy the MBR in the virtual memory to the virtual hard disk;
      
      then the simulating execution module reading the MBR from the virtual hard disk and executing each instruction of the MBR simulatedly.
  - 11. The apparatus according to claim 8, wherein the apparatus further comprises:
    - a disassembling engine, adapted to disassemble each instruction of the MBR and output to display.
  - 20. The apparatus according to claim 8, wherein the apparatus further comprises:
    - a second setting module, adapted to set a virtual CPU, wherein the virtual CPU triggers the execution of the simulating execution module and the detecting module.
  - 21. The apparatus according to claim 8, wherein the apparatus further comprises:
    - a third setting module, adapted to set a virtual hard disk, and copy the MBR in the virtual memory to the virtual hard disk;
      
      then the simulating execution module reading the MBR from the virtual hard disk and executing each instruction of the MBR simulatedly.

12. A virtual machine for detecting malicious program(s), comprising:
- a virtual CPU initialization module, adapted to initialize a virtual CPU;
  
  a virtual memory initialization module, adapted to initialize a virtual memory, and read the MBR during the initialization process and then store the MBR in the virtual memory;
  
  the virtual memory, adapted to store the MBR; and
  
  the virtual CPU, adapted to execute each instruction of the MBR in the virtual memory simulatedly, and detect whether the virtual memory is modified after executing each instruction, if so, a malicious program is found;
  
  otherwise, continue to execute the next instruction simulatedly until completing simulation execution of all instructions of the MBR.
- View Dependent Claims (13, 14, 22)
- - 13. The virtual machine according to claim 12, wherein the virtual machine further comprises:
    - a virtual hard disk initialization module, adapted to initialize a virtual hard disk, and copy the MBR in the virtual memory to the virtual hard disk during the initialization, wherein the virtual CPU reads the MBR from the virtual hard disk and executes the MBR simulatedly;
      
      the virtual hard disk, adapted to store the MBR copied.
  - 14. The virtual machine according to claim 12, wherein the virtual machine further comprises:
    - a disassembling engine, adapted to disassemble each instruction of the MBR and output to display.
  - 22. The virtual machine according to claim 13, wherein the virtual machine further comprises:
    - a disassembling engine, adapted to disassemble each instruction of the MBR and output to display.

15. (canceled)

16. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Original Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Inventors
Shao, Jianlei, Tan, Heli

Granted Patent

US 10,146,938 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/575   Secure boot

G06F 9/45533   Hypervisors; Virtual machin...

METHOD, APPARATUS AND VIRTUAL MACHINE FOR DETECTING MALICIOUS PROGRAM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD, APPARATUS AND VIRTUAL MACHINE FOR DETECTING MALICIOUS PROGRAM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links