Detecting computer viruses or malicious software by patching instructions into an emulator
First Claim
1. A method for emulating computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code, the method comprising:
- receiving the suspect code;
loading the suspect code into an emulator buffer within a data space of a computer system;
loading a first emulator extension into the emulator, the emulator capable of performing an emulation using emulation code, the first emulator extension including program instructions that aid in the process of emulating the suspect code in order to detect a computer virus and/or malicious software, wherein the program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the computer virus and/or malicious software within the suspect code;
performing the emulation using the first emulator extension, the emulation code and the suspect code, the emulation being performed within an insulated environment in the computer system so that the computer system is insulated from malicious actions of the suspect code; and
determining whether the suspect code is likely to exhibit malicious behavior based upon the emulation.
10 Assignments
0 Petitions
Accused Products
Abstract
One embodiment of the present invention provides a system for emulating computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code. During operation, the system loads a first emulator extension into the emulator. This first emulator extension includes program instructions that aid in the process of emulating the suspect code in order to detect a computer virus and/or malicious software. The system also loads the suspect code into an emulator buffer. Next, the system performs an emulation using the first emulator extension and the suspect code. This emulation is performed within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the suspect code. During this emulation, the system determines whether the suspect code is likely to exhibit malicious behavior. In one embodiment of the present invention, loading the first emulator extension into the emulator involves loading the first emulator extension into the emulator buffer within the emulator. In this embodiment, performing the emulation involves emulating the program instructions that comprise the first emulator extension.
309 Citations
37 Claims
-
1. A method for emulating computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code, the method comprising:
-
receiving the suspect code;
loading the suspect code into an emulator buffer within a data space of a computer system;
loading a first emulator extension into the emulator, the emulator capable of performing an emulation using emulation code, the first emulator extension including program instructions that aid in the process of emulating the suspect code in order to detect a computer virus and/or malicious software, wherein the program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the computer virus and/or malicious software within the suspect code;
performing the emulation using the first emulator extension, the emulation code and the suspect code, the emulation being performed within an insulated environment in the computer system so that the computer system is insulated from malicious actions of the suspect code; and
determining whether the suspect code is likely to exhibit malicious behavior based upon the emulation. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for emulating computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code, the method comprising:
-
receiving the suspect code;
loading the suspect code into an emulator buffer within a data space of a computer system;
loading a first emulator extension into the emulator, the emulator capable of performing an emulation using emulation code, the first emulator extension including program instructions that aid in the process of emulating the suspect code in order to detect a computer virus and/or malicious software, wherein the program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the computer virus and/or malicious software within the suspect code;
performing the emulation using the first emulator extension, the emulation code and the suspect code, the emulation being performed within an insulated environment in the computer system so that the computer system is insulated from malicious actions of the suspect code; and
determining whether the suspect code is likely to exhibit malicious behavior based upon the emulation. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
-
-
26. An apparatus that emulates computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code, the apparatus comprising:
-
a loading mechanism that is configured to load the suspect code into an emulator buffer within a data space of a computer system;
wherein the loading mechanism is additionally configured to load a first emulator extension into the emulator, the emulator capable of performing an emulation using emulation code, the first emulator extension including program instructions that aid in the process of emulating the suspect code in order to detect a computer virus and/or malicious software, wherein the program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the computer virus and/or malicious software within the suspect code;
an emulation mechanism that is configured to perform the emulation using the first emulator extension, the emulation code and the suspect code, the emulation being performed within an insulated environment in the computer system so that the computer system is insulated from malicious actions of the suspect code; and
a determination mechanism that is configured to determine whether the suspect code is likely to exhibit malicious behavior based upon the emulation. - View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
-
Specification