Method and system for detecting obfuscatory pestware in a computer memory
Abstract
A method and system for detecting obfuscatory pestware in a computer memory is described. One illustrative embodiment identifies, within an executable object, a reference to a known procedure, the known procedure having a fixed address in the computer memory; and searches for a predetermined check value at a known offset relative to an address, in the computer memory, of the reference to the known procedure.
Claims (9 in total; the three independent claims follow)
1. A method for scanning a computer memory for obfuscatory pestware, comprising:
- examining, by a pestware detection module, an import address table (IAT) of an executable object in the computer memory to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the computer memory, the API being known to appear in a particular kind of polymorphic or metamorphic pestware;
- locating, by the pestware detection module, the at least one subroutine within the executable object; and
- searching, by the pestware detection module, for a predetermined check value at a known offset relative to an address, in the computer memory, at which the at least one subroutine calls the API, the predetermined check value identifying the executable object as the particular kind of polymorphic or metamorphic pestware when the check value is found at the known offset.
Dependent claims: 4 and 7.

2. A system for detecting obfuscatory pestware, comprising:
- a processor; and
- a memory connected with the processor, the memory containing a plurality of program instructions executable by the processor, the plurality of program instructions including a pestware detection module to detect pestware on a computer, the pestware detection module being configured to cause the processor to:
- examine an import address table (IAT) of an executable object in a memory of the computer to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the memory, the API being known to appear in a particular kind of polymorphic or metamorphic pestware;
- locate the at least one subroutine within the executable object; and
- search for a predetermined check value at a known offset relative to an address, in the memory, at which the at least one subroutine calls the API, the predetermined check value identifying the executable object as the particular kind of polymorphic or metamorphic pestware when the check value is found at the known offset.
Dependent claims: 5 and 8.

3. A non-transitory computer-readable storage medium containing program instructions to scan for obfuscatory pestware on a computer, comprising:
- a first instruction segment of a pestware detection module that examines an import address table (IAT) of an executable object in a memory of the computer to identify at least one subroutine of the executable object that calls an application program interface (API), the API having a fixed address in the memory, the API being known to appear in a particular kind of polymorphic or metamorphic pestware;
- a second instruction segment of the pestware detection module that locates the at least one subroutine within the executable object; and
- a third instruction segment of the pestware detection module that searches for a predetermined check value at a known offset relative to an address, in the memory, at which the at least one subroutine calls the API, the predetermined check value identifying the executable object as the particular kind of polymorphic or metamorphic pestware when the check value is found at the known offset.
Dependent claims: 6 and 9.
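The three steps the claims recite (read the IAT for the known API's fixed address, find the subroutine call sites that go through those IAT slots, then look for the check value at the known offset from each call site), as an added Python example that is not part of the patent. The image layout, API address, offset and check value are constructed sample values, and the call-site search assumes 32-bit x86 `call dword ptr [abs32]` (FF 15 disp32) instructions.

```python
import struct

def find_iat_slots(image, base, iat_off, iat_len, api_addr):
    """Absolute addresses of IAT slots holding the known API's fixed address."""
    return [base + off for off in range(iat_off, iat_off + iat_len, 4)
            if struct.unpack_from("<I", image, off)[0] == api_addr]

def find_call_sites(image, base, slot_addrs):
    """Addresses of 'call dword ptr [abs32]' (FF 15) instructions through the given slots."""
    sites, i = [], image.find(b"\xff\x15")
    while 0 <= i <= len(image) - 6:
        if struct.unpack_from("<I", image, i + 2)[0] in slot_addrs:
            sites.append(base + i)
        i = image.find(b"\xff\x15", i + 1)
    return sites

def has_check_value(image, base, site, offset, check):
    """True if the check value sits at the known offset relative to the call site."""
    off = site - base + offset
    return 0 <= off and image[off:off + len(check)] == check

def scan(image, base, iat_off, iat_len, sig):
    """Call-site addresses where the signature matches (empty list means no match)."""
    slots = set(find_iat_slots(image, base, iat_off, iat_len, sig["api_addr"]))
    return [s for s in find_call_sites(image, base, slots)
            if has_check_value(image, base, s, sig["offset"], sig["check"])]

# Constructed sample: 32-bit image loaded at BASE, IAT at +0x2000, code at +0x1000.
BASE, IAT_OFF, IAT_LEN = 0x400000, 0x2000, 12
API_ADDR = 0x7C801D7B  # constructed "fixed address" of the API the signature keys on
SIGNATURE = {"api_addr": API_ADDR, "offset": 6, "check": b"\xef\xbe\xad\xde"}

def build_sample_image():
    img = bytearray(0x3000)
    struct.pack_into("<III", img, IAT_OFF, 0x7C80B741, API_ADDR, 0)  # slot 1 = known API
    code = b"\x55\x8b\xec"                                           # push ebp; mov ebp, esp
    code += b"\xff\x15" + struct.pack("<I", BASE + IAT_OFF)          # call [slot 0]: other API
    code += b"\x33\xc0\x90\x90"                                      # xor eax, eax; nop; nop
    code += b"\xff\x15" + struct.pack("<I", BASE + IAT_OFF + 4)      # call [slot 1]: known API
    code += SIGNATURE["check"]                                       # check value 6 bytes past it
    img[0x1000:0x1000 + len(code)] = code
    return bytes(img)

if __name__ == "__main__":
    print([hex(a) for a in scan(build_sample_image(), BASE, IAT_OFF, IAT_LEN, SIGNATURE)])
```

Only the call through the slot that resolves to the known API is reported; the call through the unrelated slot is ignored even though it is an IAT call, and a wrong offset yields no match.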