Method to analyze a program for presence of computer viruses by examining the opcode for faults before emulating instruction in emulator
First Claim
1. A computer-implemented method for using virtual fault management to analyze a program for presence of computer viruses, the method comprising the steps of:
- fetching an instruction of the program, the instruction including an opcode;
- determining whether a fault is generated by the opcode;
- saving components of a state of an emulator if the fault is generated; and
- interrupting to a fault handler routine.
Abstract
A computer-implemented apparatus and method for countering attempts of polymorphic viruses to evade detection by emulation-based scanners. Such attempts try to exploit differences between the real and virtual execution of instructions. The invention includes a fault manager (158) integrated into the CPU emulator (154) of a virus scanner software product. Before each instruction is emulated by the CPU emulator (154), the fault manager (158) examines the opcode of the instruction to determine (310) whether a "fault" is triggered. If a fault is triggered, the fault manager (158) saves (314) a state record on a fault stack (162), then interrupts (316) to a corresponding fault handler routine (160). The criteria for triggering a fault and the corresponding fault handler routine (160) may be obtained from an updatable data file (164).
16 Claims
1. A computer-implemented method for using virtual fault management to analyze a program for presence of computer viruses, the method comprising the steps of:
- fetching an instruction of the program, the instruction including an opcode;
- determining whether a fault is generated by the opcode;
- saving components of a state of an emulator if the fault is generated; and
- interrupting to a fault handler routine.
(Dependent claims: 2, 3, 5)

4. A computer-implemented method for emulating execution of a program, the method comprising the steps of:
- fetching an instruction of the program, the instruction including an opcode;
- determining whether a fault is generated by the opcode;
- emulating the instruction in an emulator; and
- interrupting to a fault handler routine, wherein the fault handler routine is obtained from an updatable data file.

6. A computer-implemented method for emulating execution of a program, the method comprising the steps of:
- fetching an instruction of the program, the instruction including an opcode;
- determining whether a fault is generated by the opcode;
- emulating the instruction in an emulator;
- interrupting to a fault handler routine; and
- executing the fault handler routine in the emulator, wherein the step of executing the fault handler routine is performed while the emulator is in a mode immune from generating faults.
(Dependent claims: 7, 8, 9)

10. A computer-implemented method for emulating execution of a program, the method comprising the steps of:
- fetching an instruction of the program, the instruction including an opcode;
- determining whether a fault is generated by the opcode;
- emulating the instruction in an emulator; and
- determining whether the opcode is one of a set of special fault management opcodes, wherein the set of special fault management opcodes includes a Suspend-Fault opcode.

11. A system for using virtual fault management to analyze a program for presence of computer viruses, the system comprising:
- a CPU emulator for emulating instructions of the program; and
- a fault manager incorporated into the CPU emulator for determining whether faults are generated by the instructions.
(Dependent claims: 12)

13. A computer program product comprising a computer-usable medium having computer-readable code embodied therein for using virtual fault management to analyze a program for presence of computer viruses, said product comprising:
- at least one computer-readable program code device configured to fetch an instruction of the program, the instruction including an opcode;
- at least one computer-readable program code device configured to determine whether a fault is generated by the opcode; and
- at least one computer-readable program code device configured to emulate the instruction in an emulator.
(Dependent claims: 14, 15, 16)
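The fault-manager loop that the abstract and claims 4, 6 and 10 describe, as an added toy illustration that is not the patent's or any scanner's code: the fault manager inspects each opcode before it is emulated, pushes a state record on a fault stack, runs the handler routine inside the same emulator in a fault-immune mode, restores the saved state, and then emulates the instruction; the fault criteria and handler names come from a constructed stand-in for the updatable data file. The instruction set, opcode names and numbers, register names and the handler routine are all assumptions made for the example.

```python
import json
from dataclasses import dataclass, field

# Constructed toy instruction set (assumption). QUERY_CPU and READ_TIMER stand for instructions whose real and emulated results could differ.
NOP, SET, ADD, FLAG, HALT, SUSPEND_FAULT, RESUME_FAULT, QUERY_CPU, READ_TIMER = range(9)
# Fault handler routines are toy programs run inside the same emulator (constructed).
HANDLERS = {"note_probe": [(SET, "b", 1), (FLAG, "probe"), (HALT,)]}
# Stand-in for the patent's updatable data file: fault criteria -> handler routine name.
FAULT_DATA_FILE = json.dumps({str(QUERY_CPU): "note_probe", str(READ_TIMER): "note_probe"})

def load_fault_table(data_file):
    return {int(op): HANDLERS[name] for op, name in json.loads(data_file).items()}

@dataclass
class Emulator:
    fault_table: dict
    regs: dict = field(default_factory=lambda: {"a": 0, "b": 0})
    fault_immune: bool = False      # set while a handler runs (or by SUSPEND_FAULT)
    fault_stack: list = field(default_factory=list)   # saved state records
    findings: list = field(default_factory=list)      # (pc, tag) reported by handlers

    def run(self, program, max_steps=100):
        pc = 0
        for _ in range(max_steps):
            opcode, *ops = program[pc]                          # fetch the instruction
            handler = None if self.fault_immune else self.fault_table.get(opcode)
            if handler is not None:                             # fault manager: fault raised
                self.fault_stack.append((pc, dict(self.regs), self.fault_immune))
                self.fault_immune = True                        # handler cannot re-fault
                self.run(handler)                               # interrupt to the handler
                pc, self.regs, self.fault_immune = self.fault_stack.pop()  # restore state
            if opcode == HALT:                                  # now emulate the instruction
                return self.regs
            if opcode == SET:
                self.regs[ops[0]] = ops[1]
            elif opcode == ADD:
                self.regs[ops[0]] += self.regs[ops[1]]
            elif opcode == FLAG:        # handler-only: tag the pc of the faulting instruction
                self.findings.append((self.fault_stack[-1][0], ops[0]))
            elif opcode == SUSPEND_FAULT:   # special fault management opcodes, reserved
                self.fault_immune = True    # for handler routines in a real scanner
            elif opcode == RESUME_FAULT:
                self.fault_immune = False
            pc += 1
        raise RuntimeError("step limit reached")

def scan(program, data_file=FAULT_DATA_FILE):
    emu = Emulator(load_fault_table(data_file))
    emu.run(program)
    return emu.findings
```

Because the handler's register writes are discarded when the state record is popped, the scanned program observes the same register values it would have seen without the fault, which is the point of saving the state before interrupting.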