Method to analyze a program for presence of computer viruses by examining the opcode for faults before emulating instruction in emulator
First Claim
Patent Images
1. A computer-implemented method for using virtual fault management to analyze a program for presence of computer viruses, the method comprising the steps of:
- fetching an instruction of the program, the instruction including an opcode;
determining whether a fault is generated by the opcode;
saving components of a state of an emulator if the fault is generated; and
interrupting to a fault handler routine.
2 Assignments
0 Petitions
Accused Products
Abstract
A computer-implemented apparatus and method for countering attempts of polymorphic viruses to evade detection by emulation-based scanners. Such attempts try to exploit differences between the real and virtual execution of instructions. The invention includes a fault manager (158) integrated into the CPU emulator (154) of a virus scanner software product. Before each instruction is emulated by the CPU emulator (154), the fault manager (158) examines the opcode of the instruction to determine (310) whether a "fault" is triggered. If a fault is triggered, the fault manager (158) saves (314) a state record on a fault stack (162), then interrupts (316) to a corresponding fault handler routine (160). The criteria for triggering a fault and the corresponding fault handler routine (160) may be obtained from an updatable data file (164).
-
Citations
16 Claims
-
1. A computer-implemented method for using virtual fault management to analyze a program for presence of computer viruses, the method comprising the steps of:
-
fetching an instruction of the program, the instruction including an opcode; determining whether a fault is generated by the opcode; saving components of a state of an emulator if the fault is generated; and interrupting to a fault handler routine. - View Dependent Claims (2, 3, 5)
-
-
4. A computer-implemented method for emulating execution of a program, the method comprising the steps of:
-
fetching an instruction of the program, the instruction including an opcode; determining whether a fault is generated by the opcode; emulating the instruction in an emulator; and
interrupting to a fault handler routine, wherein the fault handler routine is obtained from an updatable data file.
-
-
6. A computer-implemented method for emulating execution of a program, the method comprising the steps of:
-
fetching an instruction of the program, the instruction including an opcode; determining whether a fault is generated by the opcode; emulating the instruction in an emulator; interrupting to a fault handler routine; and
executing the fault handler routine in the emulator, wherein the step of executing of the fault handler routine is performed while the emulator is in a mode immune from generating faults. - View Dependent Claims (7, 8, 9)
-
-
10. A computer-implemented method for emulating execution of a program, the method comprising the steps of:
-
fetching an instruction of the program, the instruction including an opcode; determining whether a fault is generated by the opcode; emulating the instruction in an emulator; and determining whether the opcode is one of a set of special fault management opcodes, wherein the set of special fault management opcodes includes a Suspend-Fault opcode.
-
-
11. A system for using virtual fault management to analyze a program for presence of computer viruses, the system comprising:
-
a CPU emulator for emulating instructions of the program; and a fault manager incorporated into the CPU emulator for determining whether faults are generated by the instructions. - View Dependent Claims (12)
-
-
13. A computer program product comprising a computer-usable medium having computer-readable code embodied therein for using virtual fault management to analyze a program for presence of computer viruses, said product comprising:
-
at least one computer-readable program code device configured to fetch an instruction of the program, the instruction including an opcode; at least one computer-readable program code device configured to determine whether a fault is generated by the opcode; and at least one computer-readable program code device configured to emulate the instruction in an emulator. - View Dependent Claims (14, 15, 16)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeNortonLifeLock Inc.
-
Original AssigneeSymantec Corporation (NortonLifeLock Inc.)
-
InventorsNachenberg, Carey S.
-
Primary Examiner(s)An, Meng-Al T.
-
Assistant Examiner(s)Ciccozzi, John
-
Application NumberUS08/843,512Time in Patent Office909 DaysField of Search370/397, 370/440, 370/419, 364/269.4, 364/709.05, 364/550, 395/186, 395/183.09, 395/183.14, 395/181, 395/187.01, 395/182.04, 395/700, 395/550, 395/183.01, 395/183.05, 395/800.23, 395/500, 380/4, 380/2.2, 371/48, 714/25, 714/28, 714/29, 714/32, 714/34, 714/799, 712/22US Class Current714/25CPC Class CodesG06F 21/566 Dynamic detection, i.e. det...
