Detecting malicious software through process dump scanning
First Claim
1. A system for detecting malicious software on a computer executing a process, comprising:
a computer-readable storage medium storing executable computer program modules comprising:
a signature module adapted to hold signatures identifying malicious software;
a memory dump module adapted to create a memory dump containing an executable file image based on the process;
a signature scanning module adapted to determine whether the memory dump includes a signature held by the signature module; and
a reporting module adapted to report an outcome of the determination to an end-user of the computer; and
a processor for executing the computer program modules.
Abstract
An executable file containing malicious software can be packed using a packer to make the software difficult to detect. The executable file is loaded into the computer's memory and executed as a process. A memory dump module analyzes the address space for the process and identifies an executable file image within it. The memory dump module creates a memory dump file on the computer's storage device containing the file image and modifies the file to make it resemble a normal executable file. A signature scanning module scans the memory dump file for signatures of malicious software. If a signature is found in the file, a reporting module sends the host file for the process and the memory dump file to a security server for analysis.
Claims (20 in total; the independent claims 1, 7 and 15 are shown)
1. System claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6.

7. A method for detecting malicious software on a computer executing a process in an address space, comprising:
determining a memory range in the address space of the process containing an executable file image;
creating a memory dump of the executable file image;
determining whether the memory dump includes a signature identifying malicious software; and
reporting an outcome of the determination to an end-user of the computer.
Dependent claims: 8, 9, 10, 11, 12, 13, 14.

15. A computer program product having a computer-readable medium having computer program code embodied therein for detecting malicious software on a computer executing a process, the computer program code comprising:
a signature module adapted to hold signatures identifying malicious software;
a memory dump module adapted to create a memory dump containing an executable file image based on the process;
a signature scanning module adapted to determine whether the memory dump includes a signature held by the signature module; and
a reporting module adapted to report an outcome of the determination to an end-user of the computer.
Dependent claims: 16, 17, 18, 19, 20.
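The abstract and method claim 7 describe one procedure: find the executable image in the process address space, dump it, rewrite it so it parses like an ordinary on-disk executable, and scan the result for signatures. The following is an added worked example of that procedure and is not code from the patent or its assignee. It builds a constructed PE32 file whose payload is XOR-encoded in .text and whose .pack section is empty on disk (SizeOfRawData 0), simulates the loader mapping the file and the packer stub decoding the payload into .pack, then runs the dump-and-scan steps against a constructed address space. The image base, section names, XOR key, payload bytes, signature table and the region list are all assumptions; the Windows loader and the stub are stand-ins written in Python, not real API calls.

```python
"""Added worked example (not part of the patent): the memory-dump-and-scan
pipeline on a constructed, packed PE32 image. The loader and the packer stub
are simulated so the example runs anywhere without Windows APIs."""
import struct

SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200      # typical PE32 alignments
IMAGE_BASE = 0x00400000                        # constructed load address
PAYLOAD = b"EVIL_PAYLOAD_MARKER"               # constructed "malicious" bytes
XOR_KEY = 0x5A                                 # constructed packer key
SIGNATURES = {"Constructed.Test.Payload": PAYLOAD}   # hypothetical signature set
SECT_FMT = "<8sIIIIIIHHI"                      # IMAGE_SECTION_HEADER, 40 bytes

def _align(n, a):
    return (n + a - 1) // a * a

def build_packed_file():
    """The host file as it sits on disk. .text carries the XOR-encoded payload;
    .pack has SizeOfRawData == 0, so a file scanner never sees the decoded payload."""
    sections = [(b".text", 0x100, 0x1000, FILE_ALIGN, 0x200),   # name, vsize, RVA, rawsize, rawptr
                (b".pack", 0x100, 0x2000, 0, 0)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0,                                # PE32 magic, linker version
                      0x100, 0, 0, 0x1000, 0x1000, 0x2000,        # code/data sizes, EntryPoint (stub), bases
                      IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN,
                      4, 0, 0, 0, 4, 0,                           # OS/image/subsystem versions
                      0, 0x3000, 0x200, 0,                        # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                                       # Subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * 128                                            # 16 empty data directories
    table = b"".join(struct.pack(SECT_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    headers = (dos + coff + opt + table).ljust(0x200, b"\0")
    text_raw = bytes(b ^ XOR_KEY for b in PAYLOAD).ljust(FILE_ALIGN, b"\0")
    return headers + text_raw

def sections_of(buf):
    """Yield (header_offset, name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    nsec, opt_size = struct.unpack_from("<H12xH", buf, e_lfanew + 6)
    first = e_lfanew + 24 + opt_size
    for i in range(nsec):
        off = first + 40 * i
        name, vs, va, rs, rp = struct.unpack_from("<8sIIII", buf, off)
        yield off, name.rstrip(b"\0"), vs, va, rs, rp

def map_image(file_bytes):
    """Stand-in for the loader: headers at offset 0, each section copied to its RVA."""
    opt = struct.unpack_from("<I", file_bytes, 0x3C)[0] + 24
    size_of_image, size_of_headers = struct.unpack_from("<II", file_bytes, opt + 56)
    image = bytearray(size_of_image)
    image[:size_of_headers] = file_bytes[:size_of_headers]
    for _, _, _, va, rs, rp in sections_of(file_bytes):
        image[va:va + rs] = file_bytes[rp:rp + rs]
    return image

def run_packer_stub(image):
    """Stand-in for the stub's unpack loop: decode the payload from .text into .pack."""
    encoded = image[0x1000:0x1000 + len(PAYLOAD)]
    image[0x2000:0x2000 + len(PAYLOAD)] = bytes(b ^ XOR_KEY for b in encoded)

def find_pe_images(regions):
    """Claim 7, first step: walk the address space (a list of (base, bytes) regions)
    for mapped PE images; return (base_address, image_bytes) for each one found."""
    found = []
    for base, data in regions:
        pos = data.find(b"MZ")
        while pos != -1:
            if pos + 0x40 <= len(data):
                pe = pos + struct.unpack_from("<I", data, pos + 0x3C)[0]
                if pe + 84 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                    size = struct.unpack_from("<I", data, pe + 24 + 56)[0]   # SizeOfImage
                    if 0 < size <= len(data) - pos:
                        found.append((base + pos, bytes(data[pos:pos + size])))
            pos = data.find(b"MZ", pos + 1)
    return found

def fix_dump(base, image):
    """Claim 7, second step plus the abstract's "resemble a normal executable" fix-up:
    the dump is in image layout, so each section's file offset/size becomes its
    RVA/virtual size, FileAlignment becomes SectionAlignment, ImageBase is the real base."""
    dump = bytearray(image)
    opt = struct.unpack_from("<I", dump, 0x3C)[0] + 24
    sect_align = struct.unpack_from("<I", dump, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", dump, opt + 56)[0]
    struct.pack_into("<I", dump, opt + 28, base)          # ImageBase
    struct.pack_into("<I", dump, opt + 36, sect_align)    # FileAlignment
    for off, _, vs, va, _, _ in list(sections_of(dump)):
        raw = min(_align(vs, sect_align), size_of_image - va)
        struct.pack_into("<II", dump, off + 16, raw, va)  # SizeOfRawData, PointerToRawData
    return bytes(dump)

def scan_signatures(blob):
    """Claim 7, third step: byte-pattern match against the signature set."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in blob)

def demo():
    packed = build_packed_file()
    image = map_image(packed)
    run_packer_stub(image)                      # the process has now unpacked itself
    regions = [(0x00150000, bytes(0x3000)),     # constructed heap region
               (IMAGE_BASE, bytes(image)),
               (0x0012F000, b"\x41" * 0x1000)]  # constructed stack region
    images = find_pe_images(regions)
    base, raw = images[0]
    dump = fix_dump(base, raw)
    return {"on_disk": scan_signatures(packed),  # payload is still encoded in the host file
            "dump": scan_signatures(dump),       # visible once the stub has run
            "base": base, "images": len(images),
            "sections": [(n, rp, rs) for _, n, _, _, rs, rp in sections_of(dump)]}

if __name__ == "__main__":
    print(demo())
```

The host file scans clean because the payload only exists in decoded form after the stub has run, which is exactly the gap the dump closes. The section-table rewrite is the same fix-up that process dumping tools apply so that a file-oriented scanner (or disassembler) can open the dump with RVAs and file offsets coinciding; a real dump would still need its import table rebuilt before it could be executed, but that is not required for signature matching.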
Specification