Proactive computer malware protection through dynamic translation
First Claim
1. A computer-implemented method for generating safe program code in response to receiving a request to execute potential malware, the method comprising:
- loading an executable into memory to be executed by a hardware processor of a computer system;
- dividing the executable into blocks of instructions, wherein a block of instructions has a single entry point and a single exit point, the blocks of instructions including a first block and a second block, wherein the instructions of the first and second block each perform a functionality, wherein properties of the blocks are maintained in a data structure, the properties include an indication whether the instructions of a particular block have been translated into safe instructions;
- prior to executing the first block, translating the instructions of the first block into safe instructions that perform the same functionality as the instructions of the first block, and updating the properties of the first block in the data structure to indicate that the instructions of the first block have been translated to safe instructions;
- executing the safe instructions of the first block on the hardware processor;
- prior to executing the second block, translating the instructions of the second block into safe instructions that perform the same functionality as the instructions of the second block, and updating the properties of the second block in the data structure to indicate that the instructions of the second block have been translated to safe instructions;
- commencing to execute the safe instructions of the second block on the hardware processor;
- during the execution of the safe instructions of the second block, detecting that the safe instructions of the second block modify the instructions of the first block; and
- updating the properties of the first block to indicate that the instructions of the first block have not been translated such that upon attempting to execute the safe instructions of the first block, the modified instructions of the first block will be translated into new safe instructions prior to executing the first block.
Abstract
The present invention includes a system and method for translating potential malware devices into safe program code. The potential malware is translated from any one of a number of different types of source languages, including, but not limited to, native CPU program code, platform independent .NET byte code, scripting program code, and the like. Then the translated program code is compiled into program code that may be understood and executed by the native CPU. Before and/or during execution, the present invention causes a scanner to search for potential malware stored in memory. If malware is not detected, the computing device causes the CPU to execute the translated program code. However, execution and/or analysis of potential malware may be interrupted if computer memory that stores potential malware is altered during execution. In this instance, the potential malware now stored in memory is translated into safe program code before being executed.
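The block bookkeeping recited in the first claim, as an added Python illustration that is not code from the patent: the toy instruction set (`add`, `poke`, `jmp`, `halt`), the `Translator` class and `PROGRAM` are assumptions made for the example. It covers only the case where one block rewrites another and leaves block boundaries unchanged; a block that rewrites its own remaining instructions is not handled.

```python
# Added illustration, not code from the patent; the toy ISA and names are assumptions.
HALT = -1
TERMINATORS = {"jmp", "halt"}

def divide_into_blocks(mem):
    """Single-entry/single-exit blocks: each one ends at a jmp or halt."""
    table, start = {}, 0
    for addr, ins in enumerate(mem):
        if ins[0] in TERMINATORS:
            table[start] = {"end": addr, "translated": False, "safe": None}
            start = addr + 1
    return table

class Translator:
    def __init__(self, mem, invalidate=True):
        self.mem, self.acc, self.invalidate = list(mem), 0, invalidate
        self.blocks = divide_into_blocks(self.mem)  # per-block properties
        self.log = []  # (block start, source instructions) seen by the translator

    def guarded_write(self, addr, ins):  # safe form of a raw code write
        self.mem[addr] = ins
        for start, props in self.blocks.items():
            if self.invalidate and start <= addr <= props["end"]:
                props["translated"] = False  # owning block must be re-translated

    def safe_op(self, ins):
        op, *a = ins
        ops = {"add": lambda: setattr(self, "acc", self.acc + a[0]),
               "poke": lambda: self.guarded_write(*a),
               "jmp": lambda: a[0],
               "halt": lambda: HALT}
        return ops[op]  # KeyError for an opcode the translator does not know

    def run(self, pc=0, budget=20):
        for _ in range(budget):
            props = self.blocks[pc]
            if not props["translated"]:  # translate (or re-translate) before executing
                src = self.mem[pc:props["end"] + 1]
                self.log.append((pc, src))
                props["safe"] = [self.safe_op(i) for i in src]
                props["translated"] = True
            for op in props["safe"]:
                nxt = op()  # the terminator comes last and yields the next block
            if nxt == HALT:
                return self.acc
            pc = nxt
        raise RuntimeError("block budget exhausted")

# Constructed sample: block A is addresses 0-1, block B is 2-4 and rewrites A.
PROGRAM = [("add", 1), ("jmp", 2),
           ("poke", 0, ("add", 10)), ("poke", 1, ("halt",)), ("jmp", 0)]
```

With `invalidate=False` the stale translation of block A keeps running, so the rewritten instructions never pass through the translator and the run ends only when the block budget is exhausted.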
22 Claims
8. A computer-implemented method for generating safe program code in response to receiving a request to execute potential malware, the method comprising:
- loading an executable into memory to be executed by a hardware processor of a computer system;
- dividing the executable into blocks of instructions, wherein a block of instructions has a single entry point and a single exit point, the blocks of instructions including a first block, wherein the instructions of the first block perform a functionality, wherein properties of the blocks are maintained in a data structure, the properties include an indication whether the instructions of a particular block have been translated into safe instructions;
- prior to executing the first block, translating the instructions of the first block into safe instructions that perform the same functionality as the instructions of the first block, and updating the properties of the first block in the data structure to indicate that the instructions of the first block have been translated to safe instructions;
- executing the safe instructions of the first block on the hardware processor;
- during the execution of the safe instructions of the first block, detecting that a safe instruction of the first block modifies one or more instructions of the first block that are after the current execution point;
- splitting the first block into two blocks, the first split block containing the safe instructions that had already been executed prior to the modification of the one or more instructions, the second split block containing the instructions of the first block after the current execution point including the modified one or more instructions; and
- translating the instructions of the second split block into new safe instructions prior to executing the second split block.
15. A computer storage medium storing computer executable instructions which when executed by a processor of a computer system generate safe program code in response to receiving a request to execute potential malware by performing the following:
- loading an executable into memory to be executed by a hardware processor of the computer system;
- dividing the executable into blocks of instructions, wherein a block of instructions has a single entry point and a single exit point, the blocks of instructions including a first block and a second block, wherein the instructions of the first and second block each perform a functionality, wherein properties of the blocks are maintained in a data structure, the properties include an indication whether the instructions of a particular block have been translated into safe instructions;
- prior to executing the first block, translating the instructions of the first block into safe instructions that perform the same functionality as the instructions of the first block, and updating the properties of the first block in the data structure to indicate that the instructions of the first block have been translated to safe instructions;
- executing the safe instructions of the first block on the hardware processor;
- prior to executing the second block, translating the instructions of the second block into safe instructions that perform the same functionality as the instructions of the second block, and updating the properties of the second block in the data structure to indicate that the instructions of the second block have been translated to safe instructions;
- commencing to execute the safe instructions of the second block on the hardware processor;
- during the execution of the safe instructions of the second block, detecting that the safe instructions of the second block modify the instructions of the first block; and
- updating the properties of the first block to indicate that the instructions of the first block have not been translated such that upon attempting to execute the safe instructions of the first block, the modified instructions of the first block will be translated into new safe instructions prior to executing the first block.
Specification