Detecting malicious software through process dump scanning

US 7,568,233 B1
Filed: 04/01/2005
Issued: 07/28/2009
Est. Priority Date: 04/01/2005
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malicious software on a computer executing a process, comprising:

a computer-readable storage medium storing executable computer program modules comprising;

a signature module adapted tohold signatures identifying malicious software;

a memory dump module adapted tocreate a memory dump containingan executable file image

based on the process;

a signature scanning module adapted todetermine whetherthe memory dump includes

a signature held by the signature module; and

a reporting module adapted toreport an outcome ofthe determination to

an end-user of the computer; and

a processorfor executing the computer program modules.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An executable file containing malicious software can be packed using a packer to make the software difficult to detect. The executable file is loaded into the computer'"'"'s memory and executed as a process. A memory dump module analyzes the address space for the process and identifies an executable file image within it. The memory dump module creates a memory dump file on the computer'"'"'s storage device containing the file image and modifies the file to make it resemble a normal executable file. A signature scanning module scans the memory dump file for signatures of malicious software. If a signature is found in the file, a reporting module sends the host file for the process and the memory dump file to a security server for analysis.

271 Citations

20 Claims

1. A system for detecting malicious software on a computer executing a process, comprising:
- a computer-readable storage medium storing executable computer program modules comprising;
  
  a signature module adapted tohold signatures identifying malicious software;
  
  a memory dump module adapted tocreate a memory dump containingan executable file image
  
  based on the process;
  
  a signature scanning module adapted todetermine whetherthe memory dump includes
  
  a signature held by the signature module; and
  
  a reporting module adapted toreport an outcome ofthe determination to
  
  an end-user of the computer; and
  
  a processorfor executing the computer program modules.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, further comprising:
    - a server interface module adapted tointeract witha security servervia a network; and
      
      wherein the reporting module isin communication with the server interface module and further adapted toprovide the memory dump tothe security server.
  - 3. The system of claim 1, wherein the process executes in an address space and wherein the memory dump module is further adapted to:
    - determine a memory region in the process'"'"'s address space containing the executable file image; and
      
      create the memory dump responsive to the determined memory region.
  - 4. The system of claim 1, wherein the computer is executing an operating system and wherein the memory dump module is further adapted to:
    - query the operating system for information describing a memory range containing the executable file image; and
      
      determine whether the information describing the memory range is suspicious.
  - 5. The system of claim 4, wherein the process executes in an address space and wherein the memory dump module is further adapted to:
    - analyze the process'"'"'s address space to determine the memory range containing the executable file image responsive to a determination that the information describing the memory range is suspicious.
  - 6. The system of claim 1, wherein the memory dump module is further adapted to:
    - alter the memory dump to make it resemble an executable file.

7. A method for detecting malicious software on a computer executing a process in an address space, comprising:
- determining a memory rangein the address space of the process containingan executable file image;
  
  creating a memory dump ofthe executable file image;
  
  determining whetherthe memory dump includesa signature identifying malicious software; and
  
  reporting an outcome ofthe determination toan end-user of the computer.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The method of claim 7, further comprising:
    - providing the memory dump to a security server for subsequent analysis.
  - 9. The method of claim 7, wherein the computer is executing an operating system and wherein determining a memory range comprises:
    - querying the operating system for information describing the memory range containing the executable file image; and
      
      determining whether the information describing the memory range is suspicious.
  - 10. The method of claim 9, further comprising:
    - analyzing the process'"'"'s address space to determine the memory range containing the executable file image responsive to a determination that the information describing the memory range is suspicious.
  - 11. The method of claim 7, wherein creating a memory dump further comprises:
    - altering the memory dump to make it resemble an executable file.
  - 12. The method of claim 7, wherein creating a memory dump further comprises creating the memory dump at a random time period after the process begins executing.
  - 13. The method of claim 7, wherein creating a memory dump further comprises creating the memory dump at a predetermined time period after the process begins executing.
  - 14. The method of claim 7, wherein creating a memory dump further comprises creating the memory dump responsive to an action performed by the process.

15. A computer program product having a computer-readable medium having computer program code embodied therein for detecting malicious software on a computer executing a process, the computer program code comprising:
- a signature module adapted tohold signatures identifying malicious software;
  
  a memory dump module adapted tocreate a memory dump containingan executable file imagebased on the process;
  
  a signature scanning module adapted todetermine whetherthe memory dump includesa signature held by the signature module; and
  
  a reporting module adapted toreport an outcome ofthe determination toan end-user of the computer.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, further comprising:
    - a server interface module adapted tointeract witha security servervia a network; and
      
      wherein the reporting module isin communication with the server interface module and further adapted toprovide the memory dump tothe security server.
  - 17. The computer program product of claim 15, wherein the process executes in an address space and wherein the memory dump module is further adapted to:
    - determine a memory region in the process'"'"'s address space containing the executable file image; and
      
      create the memory dump responsive to the determined memory region.
  - 18. The computer program product of claim 15, wherein the computer is adapted to execute an operating system and wherein the memory dump module is further adapted to:
    - query the operating system for information describing a memory range containing the executable file image; and
      
      determine whether the information describing the memory range is suspicious.
  - 19. The computer program product of claim 18, wherein the process executes in an address space and wherein the memory dump module is further adapted to:
    - analyze the process'"'"'s address space to determine the memory range containing the executable file image responsive to a determination that the information describing the memory range is suspicious.
  - 20. The computer program product of claim 15, wherein the memory dump module is further adapted to:
    - alter the memory dump to make it resemble an executable file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter, Ferrie, Peter
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Baum; Ronald

Application Number

US11/097,790
Time in Patent Office

1,579 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 21/564 by virus signature recognition

Detecting malicious software through process dump scanning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

271 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Detecting malicious software through process dump scanning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

271 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others