Automated unpacking of executables packed by multiple layers of arbitrary packers
First Claim
1. A computer program product for automated detection of dynamically unpacked malicious code, the computer program product comprising a non-transitory computer-readable medium containing computer program code for performing the method comprising:
detecting an attempt by a program to dynamically generate content to a memory page, wherein the program is suspected to be unpacking malicious executable code to the memory page;
marking the memory page to which the program attempted to dynamically generate content;
allowing the program to dynamically generate the content to the memory page until the program attempts to execute code stored on the memory page;
detecting an attempt by the program to execute the code stored in the memory page, the detection occurring before the execution occurs; and
providing to a malicious code detection module the memory page for analysis for the presence of malicious code.
Abstract
The packing manager provides an automated method that allows existing AV scanning technology to be applied to detect known malware samples packed by one or more packers that are potentially proprietary. The packing manager tracks the memory areas to which an executable binary writes and executes, and so can unpack programs packed by multiple arbitrary packers without requiring reverse-engineering of the packers or any human intervention. By tracking page modification and execution of an executable binary at run time, the packing control module can detect the instant at which the program's control is first transferred to a page whose content is dynamically generated, so AV scanning can then be invoked. Thus, code cannot be executed under the packing control manager without being scanned by an AV scanner first.
Claims (20 in total; the independent claims 1, 8 and 14 are given below)

1. See First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.

8. A computer-implemented method of automated detection of dynamically unpacked malicious code, the method comprising:
detecting an attempt by a program to dynamically generate content to a memory page, wherein the program is suspected to be unpacking malicious executable code to the memory page;
marking the memory page to which the program attempted to dynamically generate content;
allowing the program to dynamically generate the content to the memory page until the program attempts to execute code stored on the memory page;
detecting an attempt by the program to execute the code stored in the memory page, the detection occurring before the execution occurs; and
providing to a malicious code detection module the memory page for analysis for the presence of malicious code.
Dependent claims: 9, 10, 11, 12, 13.

14. A computer system for automated detection of dynamically unpacked malicious code, the system comprising:
a dynamic content detection module for detecting an attempt by a program to dynamically generate content to a memory page, wherein the program is suspected to be unpacking malicious executable code to the memory page;
a marking module for marking the memory page to which the program attempted to dynamically generate content;
a permission module for allowing the program to dynamically generate the content to the memory page until the program attempts to execute code stored on the memory page;
an execution detection module for detecting an attempt by the program to execute the code stored in the memory page, the detection occurring before the execution occurs; and
an analysis module for providing to a malicious code detection module the memory page for analysis for the presence of malicious code.
Dependent claims: 15, 16, 17, 18, 19, 20.
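The write-then-execute page tracking that the abstract and the independent claims describe, as an added simulation (not the patent's or any vendor's code): a page written by the program is marked, and the first control transfer into a marked page hands the page to a scanner before any instruction on it runs; clearing the mark after the scan is what lets a second packing layer, which rewrites or writes new pages, trigger a fresh scan. The page layout, the event trace, the `SIGNATURE` stand-in for an AV signature and the `PackingManager` / `run_trace` names are all constructed here; a real implementation would sit on page-fault or W^X handling rather than on an explicit trace.

```python
from dataclasses import dataclass, field

PAGE_SIZE = 0x1000
SIGNATURE = b"EVIL"  # constructed stand-in for an AV signature


@dataclass
class PackingManager:
    pages: dict = field(default_factory=dict)   # page base -> bytearray (constructed image)
    dirty: set = field(default_factory=set)     # pages holding dynamically generated content
    scans: list = field(default_factory=list)   # (scan_no, page_base, malicious) per scan

    def write(self, addr: int, data: bytes) -> None:
        """The program dynamically generates content: mark the page, allow the write."""
        base = addr & ~(PAGE_SIZE - 1)
        off = addr - base
        page = self.pages.setdefault(base, bytearray(PAGE_SIZE))
        page[off:off + len(data)] = data
        self.dirty.add(base)

    def execute(self, addr: int) -> bool:
        """Control transfer to addr; a marked page is scanned before it runs."""
        base = addr & ~(PAGE_SIZE - 1)
        if base not in self.dirty:
            return True                       # unmodified code: no new unpacking layer
        malicious = SIGNATURE in bytes(self.pages[base])
        self.scans.append((len(self.scans) + 1, base, malicious))
        self.dirty.discard(base)              # a later write re-marks it (next layer)
        return not malicious                  # False blocks the transfer


def run_trace(mgr: PackingManager, trace) -> bool:
    """Replay ('w', addr, data) / ('x', addr) events; stop at the first blocked transfer."""
    for ev in trace:
        if ev[0] == "w":
            mgr.write(ev[1], ev[2])
        elif not mgr.execute(ev[1]):
            return False
    return True


def two_layer_demo():
    """Constructed trace: a layer-1 stub decodes a layer-2 stub, which decodes the payload."""
    mgr = PackingManager()
    trace = [
        ("x", 0x401000),                       # packed entry point in the original image: no scan
        ("w", 0x402000, b"\x90" * 16),         # layer 1 writes the layer-2 stub (benign bytes)
        ("w", 0x404000, b"junk"),              # written but never executed: never scanned
        ("x", 0x402010),                       # first transfer into page 0x402000 -> scan 1
        ("w", 0x403000, b"\x55" + SIGNATURE),  # layer 2 writes the final payload
        ("x", 0x403000),                       # transfer into page 0x403000 -> scan 2, blocked
    ]
    return run_trace(mgr, trace), mgr.scans
```

Only pages that were both written and then executed are scanned, which is why the technique needs no knowledge of the packer: every layer must eventually transfer control into the bytes it produced.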
Specification