Emulation system, method, and computer program product for passing system calls to an operating system for direct execution

US 8,290,763 B1
Filed: 09/04/2008
Issued: 10/16/2012
Est. Priority Date: 09/04/2008
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied on a non-transitory computer readable storage medium for performing operations, comprising:

loading a file into a sandbox coupled to an operating system and configured for running suspicious executable code, wherein the sandbox replicates a host system that would otherwise receive the file and the sandbox includes code guards driven by a sandbox application program interface (API) that ensures certain portions of program code are not patched;

emulating instructions associated with the loaded file;

identifying system calls resulting from the emulation;

determining whether the system calls include system calls that are at least potentially harmful, wherein the potentially harmful system calls are overridden, wherein a first portion of the system calls associated with a registry is redirected to a quarantine system for scanning using antivirus software, and wherein a second portion of the system calls associated with harmless system calls is passed to the operating system for direct execution; and

receiving an instruction to revert to a previous clean state of the operating system based on detecting malware associated with the loaded file, wherein the clean state includes an application level snapshot of configuration data of an application that was saved between multiple sessions, said application level snapshot of configuration data being used during rollback implementation.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An emulation system, method, and computer program product are provided for passing system calls to an operating system for direct execution. In operation, a file is loaded into memory and instructions associated with the loaded file are emulated. Furthermore, system calls resulting from the emulation are identified. Still yet, at least a portion of the system calls are passed to an operating system for direct execution thereof. In addition, application programming interfaces are provided for external components to access, to monitor and to control the aforementioned system.

47 Citations

View as Search Results

18 Claims

1. A computer program product embodied on a non-transitory computer readable storage medium for performing operations, comprising:
- loading a file into a sandbox coupled to an operating system and configured for running suspicious executable code, wherein the sandbox replicates a host system that would otherwise receive the file and the sandbox includes code guards driven by a sandbox application program interface (API) that ensures certain portions of program code are not patched;
  
  emulating instructions associated with the loaded file;
  
  identifying system calls resulting from the emulation;
  
  determining whether the system calls include system calls that are at least potentially harmful, wherein the potentially harmful system calls are overridden, wherein a first portion of the system calls associated with a registry is redirected to a quarantine system for scanning using antivirus software, and wherein a second portion of the system calls associated with harmless system calls is passed to the operating system for direct execution; and
  
  receiving an instruction to revert to a previous clean state of the operating system based on detecting malware associated with the loaded file, wherein the clean state includes an application level snapshot of configuration data of an application that was saved between multiple sessions, said application level snapshot of configuration data being used during rollback implementation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer program product of claim 1, wherein the emulation is performed utilizing a central processing unit emulator.
  - 3. The computer program product of claim 1, wherein the systems calls that are identified include system calls with destination addresses outside a sample image associated with the emulation.
  - 4. The computer program product of claim 1, wherein the system calls are classified into different categories.
  - 5. The computer program product of claim 4, wherein the system calls are processed differently based on an associated category.
  - 6. The computer program product of claim 1, the operations further comprising:
    - determining whether the system calls include file system calls that are related to at least one file.
  - 7. The computer program product of claim 6, wherein the at least one file includes a registry.
  - 8. The computer program product of claim 6, wherein the file system calls are quarantined.
  - 9. The computer program product of claim 8, wherein modifications associated with the file system calls are stored in a quarantine database.
  - 10. The computer program product of claim 1, the operations further comprising:
    - determining whether the file is safe.
  - 11. The computer program product of claim 10, wherein the modifications continue to be quarantined if it is determined that the file is not safe.
  - 12. The computer program product of claim 10, wherein the modifications are committed if it is determined that the file is safe.
  - 13. The computer program product of claim 1, the operations further comprising:
    - identifying results of the portion of system calls.
  - 14. The computer program product of claim 1, the operations further comprising:
    - returning the results of the portion of system calls for being used during the emulation.
  - 15. The computer program product of claim 1, further comprising an interface for providing access to the emulating.

16. A method, comprising:
- loading a file into a sandbox coupled to an operating system and configured for running suspicious executable code, wherein the sandbox replicates a host system that would otherwise receive the file and the sandbox includes code guards driven by a sandbox application program interface (API) that ensures certain portions of program code are not patched;
  
  emulating instructions associated with the loaded file;
  
  identifying system calls resulting from the emulation;
  
  determining whether the system calls include system calls that are at least potentially harmful, wherein the potentially harmful system calls are overridden, wherein a first portion of the system calls associated with a registry is redirected to a quarantine system for scanning using antivirus software, and wherein a second portion of the system calls associated with harmless system calls is passed to the operating system for direct execution; and
  
  receiving an instruction to revert to a previous clean state of the operating system based on detecting malware associated with the loaded file, wherein the clean state includes an application level snapshot of configuration data of an application that was saved between multiple sessions, said application level snapshot of configuration data being used during rollback implementation.

17. A system, comprising:
- a sandbox configured for receiving a loaded file, the sandbox being coupled to an operating system and configured for running suspicious executable code, wherein the sandbox replicates a host system that would otherwise receive the file and the sandbox includes code guards driven by a sandbox application program interface (API) that ensures certain portions of program code are not patched;
  
  logic for;
  
  emulating instructions associated with the loaded file and identifying system calls resulting from the emulation;
  
  determining whether the system calls include system calls that are at least potentially harmful, wherein the potentially harmful system calls are overridden, wherein a first portion of the system calls associated with a registry is redirected to a quarantine system for scanning using antivirus software, and wherein a second portion of the system calls associated with harmless system calls is passed to the operating system for direct execution; and
  
  receiving an instruction to revert to a previous clean state of the operating system based on detecting malware associated with the loaded file, wherein the clean state includes an application level snapshot of configuration data of an application that was saved between multiple sessions, said application level snapshot of configuration data being used during rollback implementation;
  
  a processor for executing the second portion of the system calls passed to the operating system.
- View Dependent Claims (18)
- - 18. The system of claim 17, wherein the processor is coupled to memory via a bus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Zhang, Zheng
Primary Examiner(s)
Craig, Dwin M
Assistant Examiner(s)
Louis, Andre Pierre

Application Number

US12/204,639
Time in Patent Office

1,503 Days
Field of Search

703/26
US Class Current

703/26
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/4484   Executing subprograms

G06F 9/455   Emulation; Interpretation; ...

Emulation system, method, and computer program product for passing system calls to an operating system for direct execution

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Emulation system, method, and computer program product for passing system calls to an operating system for direct execution

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links