Analytical virtual machine
First Claim
1. A system for computer code behavior analysis of a target program, the system comprising:
- a physical processor of a host real computer system configured to create a behavior record in memory to store behavior flags representative of computer code behavior observed by virtually executing the computer code of the target program under analysis within a virtual machine system, the virtual machine system comprising computer code executed by the physical processor;
- a sequencer comprising computer code executed by the physical processor that stores a sequence in which behavior flags are set and reset in the behavior record during virtual execution of the target program under analysis by the virtual machine system; and
- computer code executed by the physical processor which simulates memory within the virtual machine system and automatically configured with a memory map of the virtual machine system comprising assigned areas for receiving predetermined types of data from the target program based on a file format of the target program;
- computer code executed by the physical processor which simulates an operating system within the virtual machine system, the operating system comprising one or more layered operating system shells that correspond with the memory map so that the virtual machine system in conjunction with the physical processor is capable of executing DOS target programs, the target program under analysis interacting with the memory of the virtual machine system and the operating system of the virtual machine system to generate the behavior flags, the one or more layered operating system shells simulating values of the host real computer system;
- execution of the computer code of the target program by the virtual machine system causing the physical processor to set and reset behavior flags in the sequencer that tracks behavior of the target program in response to the simulated values during execution of the target program by the virtual machine system;
- wherein the virtual machine system passes data representative of the behavior record to the host real computer system prior to termination of the virtual machine system; and
- the host real computer system evaluating the behavior flags and sequence in which the behavior flags are set and reset to determine if the target program contains malicious code.
Abstract
An analytical virtual machine (AVM) analyzes computer code using a software processor including a register that stores behavior flags indicative of behaviors identified by virtually executing the code within the virtual machine. The AVM includes a sequencer that stores the sequence in which behavior flags are set in the behavior flags register. The AVM analyzes machine performance by emulating execution of the code being analyzed on a fully virtual machine and records the observed behavior. When emulation and analysis are complete, the AVM returns the behavior flags register and sequencer to the real machine and terminates.
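The abstract names four moving parts: a behavior-flag register, a sequencer that records the order in which flags are set and reset, a simulated operating-system layer that answers the target's calls with fixed values instead of touching the real host, and a host-side evaluation step that runs after the VM hands the record back. The Python below is an added illustration of that pipeline and is not code from the patent or its specification; the simulated OS calls, the flag names, the three constructed target traces and the two evaluation rules are all assumptions made for the example. The second rule is deliberately order-dependent, so a target that hooks an interrupt vector and restores it before exiting is judged differently from one that goes resident with the hook still in place, which is what the sequencer exists to distinguish.

```python
"""Toy analytical virtual machine (added example; flags, OS calls and rules are constructed)."""
from dataclasses import dataclass, field
from enum import IntFlag, auto


class Flag(IntFlag):
    """Behavior flags kept in the behavior record, modelled as a bitmask register."""
    FILE_OPEN = auto()          # at least one simulated file is currently open
    OPEN_EXECUTABLE = auto()    # target opened a .COM/.EXE file
    WRITE_EXECUTABLE = auto()   # target wrote into an executable it had opened
    READ_SYSTEM_DATE = auto()   # target asked the simulated OS for the date
    SET_INT_VECTOR = auto()     # an interrupt vector currently points at target code
    STAY_RESIDENT = auto()      # target asked to terminate but stay resident


@dataclass
class BehaviorRecord:
    """Flag register plus the sequencer: an ordered list of (flag, True=set/False=reset)."""
    flags: int = 0
    sequence: list = field(default_factory=list)

    def set(self, flag: Flag) -> None:
        if not self.flags & flag:            # only real transitions are sequenced
            self.flags |= int(flag)
            self.sequence.append((flag, True))

    def reset(self, flag: Flag) -> None:
        if self.flags & flag:
            self.flags &= ~int(flag)
            self.sequence.append((flag, False))

    def is_set(self, flag: Flag) -> bool:
        return bool(self.flags & flag)


class AnalyticalVM:
    """Runs a target given as a list of simulated OS calls; the shell answers with fixed values."""
    EXECUTABLE_EXT = (".COM", ".EXE")
    SIMULATED_DATE = (1999, 1, 1)        # constructed value; the real host date is never read

    def __init__(self):
        self.record = BehaviorRecord()
        self._open_files = set()
        self._hooked_vectors = set()

    def run(self, program):
        for call, *args in program:
            getattr(self, "_sys_" + call)(*args)
        record, self.record = self.record, None   # hand the record to the host, then discard VM
        return record

    # --- simulated OS shell: each call returns a value and sets/resets flags as a side effect ---
    def _sys_open(self, name):
        name = name.upper()
        self._open_files.add(name)
        self.record.set(Flag.FILE_OPEN)
        if name.endswith(self.EXECUTABLE_EXT):
            self.record.set(Flag.OPEN_EXECUTABLE)
        return len(self._open_files) + 4          # fake DOS-style handle; 0-4 are reserved

    def _sys_write(self, name, nbytes):
        name = name.upper()
        if name not in self._open_files:
            return -1                              # simulated "invalid handle" error
        if name.endswith(self.EXECUTABLE_EXT):
            self.record.set(Flag.WRITE_EXECUTABLE)
        return nbytes

    def _sys_close(self, name):
        self._open_files.discard(name.upper())
        if not self._open_files:
            self.record.reset(Flag.FILE_OPEN)

    def _sys_get_date(self):
        self.record.set(Flag.READ_SYSTEM_DATE)
        return self.SIMULATED_DATE

    def _sys_set_vector(self, intno):
        self._hooked_vectors.add(intno)
        self.record.set(Flag.SET_INT_VECTOR)

    def _sys_restore_vector(self, intno):
        self._hooked_vectors.discard(intno)
        if not self._hooked_vectors:
            self.record.reset(Flag.SET_INT_VECTOR)

    def _sys_stay_resident(self):
        self.record.set(Flag.STAY_RESIDENT)


def state_before(sequence, index, flag):
    """Replay the sequencer to find whether `flag` was set just before event `index`."""
    state = False
    for flg, is_set in sequence[:index]:
        if flg == flag:
            state = is_set
    return state


def evaluate(record):
    """Host-side evaluation of the returned register and sequencer (rules are constructed)."""
    reasons = []
    if record.is_set(Flag.WRITE_EXECUTABLE):                     # flag-only rule
        reasons.append("writes into an executable file")
    for i, (flg, is_set) in enumerate(record.sequence):           # order-dependent rule
        if flg == Flag.STAY_RESIDENT and is_set and state_before(record.sequence, i, Flag.SET_INT_VECTOR):
            reasons.append("stays resident with a hooked interrupt vector")
            break
    return bool(reasons), reasons


def analyze(program):
    return evaluate(AnalyticalVM().run(program))


# Constructed call traces standing in for target programs.
TEXT_EDITOR = [("open", "notes.txt"), ("write", "notes.txt", 40), ("close", "notes.txt"), ("get_date",)]
CLOCK_UTILITY = [("set_vector", 0x1C), ("get_date",), ("restore_vector", 0x1C), ("stay_resident",)]
SUSPECT = [("open", "game.com"), ("write", "game.com", 512), ("close", "game.com"),
           ("set_vector", 0x21), ("stay_resident",)]

if __name__ == "__main__":
    for name, prog in [("TEXT_EDITOR", TEXT_EDITOR), ("CLOCK_UTILITY", CLOCK_UTILITY), ("SUSPECT", SUSPECT)]:
        print(name, analyze(prog))
```

`CLOCK_UTILITY` and `SUSPECT` end with the same set of flags having been touched for the interrupt vector, but only the sequencer shows that the first restored the vector before going resident, which is why the evaluation walks the transition list rather than inspecting the final register alone.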
17 Claims
1. A system for computer code behavior analysis of a target program, the system comprising: (independent claim 1, set out in full under First Claim above) - View Dependent Claims (2, 3, 4, 5)
6. A system for computer code behavior analysis of a target program, the system comprising:
- a flag tracker comprising computer code of a virtual machine system executed by a physical processor that stores behavior flags representative of computer code behavior observed by virtually executing the computer code of the target program under analysis within the virtual machine system, the virtual machine system comprising a plurality of computer code executed by the physical processor;
- a sequencer comprising computer code of the virtual machine system executed by the physical processor that stores a sequence in which behavior flags are set and reset during virtual execution of the computer code of the target program under analysis within the virtual machine system;
- an entry point table comprising computer code of the virtual machine system executed by the physical processor that stores all entry points of the target program under analysis within the virtual machine system;
- an interrupter comprising computer code of the virtual machine system executed by the physical processor that stores interrupt vector addresses, pointing at interrupt service routines loaded into physical memory reserved by the virtual machine system when the virtual machine system is initialized;
- an I/O simulator comprising computer code of the virtual machine system executed by the physical processor which simulates input and output ports;
- virtual memory comprising computer code of the virtual machine system executed by the physical processor which is automatically configured with a map of the virtual machine system comprising assigned areas for receiving predetermined types of data from the target program based on a file format of the target program;
- one or more layered operating system simulation shells comprising computer code of the virtual machine system executed by the physical processor that simulate values returned by a real operating system under which the computer code of the target program under analysis is intended to interact, the one or more layered operating system shells corresponding with the map so that the virtual machine system in conjunction with the physical processor is capable of executing DOS target programs;
- execution of the computer code of the target program by the virtual machine system causing the physical processor to set and reset behavior flags in the flag tracker which tracks behavior of the target program in response to the simulated values during execution of the target program by the virtual machine system; and
- a host real computer system evaluating the behavior flags and sequence in which the behavior flags are set and reset to determine if the target program contains malicious code.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
15. A computerized method for identifying malicious code in a target program running in a virtual machine of a host computer system, the method comprising:
- automatically configuring a memory map of the virtual machine by assigning areas of the memory map to receive predetermined types of data from the target program based on a file format in order to execute the target program;
- constructing the virtual machine from one or more layered operating system shells that correspond with the memory map so that the virtual machine is capable of executing DOS target programs;
- simulating values of the virtual machine with the one or more layered operating system shells of the virtual machine;
- setting and resetting behavior flags in a register in order to track behavior of the target program in response to the simulated values during execution of the target program by the virtual machine;
- forming sequence flag data by storing a sequence in which the behavior flags are set and reset in the register by the target program during execution of the target program by the virtual machine;
- passing behavior flag data and sequence flag data from the virtual machine to the host computer system for evaluation after execution of the target program by the virtual machine; and
- evaluating the behavior flag data and sequence flag data with the host computer system to determine if the target program contains malicious code.
- View Dependent Claims (16, 17)