
Method, computer program and computer for analyzing an executable computer file

  • US 8,479,174 B2
  • Filed: 03/30/2007
  • Issued: 07/02/2013
  • Est. Priority Date: 04/05/2006
  • Status: Active Grant
First Claim

1. A method of unpacking or decrypting an executable computer file in a malware scanner using a host computer having a hardware processor, the method comprising:

  • during emulation in a virtual memory on the host computer for malware detection;

    partitioning the executable computer file into plural basic blocks of code;

    creating at least a read page of a cache memory for at least some of the basic blocks, the read page of the cache memory storing a read cached real address corresponding to a read cached virtual memory address for a respective basic block, and creating at least a write page of the cache memory for at least some of the basic blocks, the write page of the cache memory storing a write cached real address corresponding to a write cached virtual memory address for a respective basic block;

    emulating the executable file by executing some basic blocks of code in the virtual memory on the host computer;

    checking, during the execution of said some basic blocks of code, at least one of the read page and the write page of the cache memory for a cached real address corresponding to the virtual address that is being accessed for a respective basic block of said some basic blocks of code;

    translating other basic blocks of code during the emulation into translated basic blocks of code that are functionally equivalent to said other basic blocks and which can be executed directly by the hardware processor of the host computer rather than by the virtual computer;

    linking at least some of the translated basic blocks of code in a real memory of the host computer; and

    executing at least some of the translated basic blocks of code on the host computer so as to enable the executable computer file to be unpacked or decrypted in the virtual memory, whereupon the unpacked or decrypted executable computer file can be analyzed to determine whether the executable computer file is or should be classed as malware.
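
The cache check recited in the claim (separate read and write pages mapping a guest virtual address to a host "real" address), sketched as an added example that is not code from the patent or its assignee. The 4 KiB page size, direct-mapped layout, 4 MiB guest space, the XOR decode loop and all identifiers are assumptions; the claim specifies none of them.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_BITS   12u            /* assumption: 4 KiB guest pages */
#define PAGE_SIZE   (1u << PAGE_BITS)
#define SLOTS       64u            /* assumption: direct-mapped caches */
#define GUEST_PAGES 1024u          /* assumption: 4 MiB guest address space */
#define NO_TAG      0xFFFFFFFFu

typedef struct { uint32_t vpage; uint8_t *real; } slot_t;
typedef struct {
    slot_t   rd[SLOTS], wr[SLOTS]; /* read page cache, write page cache */
    uint8_t *pages[GUEST_PAGES];   /* slow path: guest page -> host page */
    unsigned rd_miss, wr_miss;
} vmem_t;

void vmem_init(vmem_t *m) {
    memset(m, 0, sizeof *m);
    for (unsigned i = 0; i < SLOTS; i++) m->rd[i].vpage = m->wr[i].vpage = NO_TAG;
}

/* Check one cache for the real address of va; fill the slot on a miss. */
static uint8_t *translate(vmem_t *m, slot_t *cache, unsigned *miss, uint32_t va) {
    uint32_t vpage = va >> PAGE_BITS;
    slot_t *s = &cache[vpage % SLOTS];
    if (s->vpage != vpage) {
        if (vpage >= GUEST_PAGES) return NULL;          /* unmapped guest address */
        if (!m->pages[vpage]) m->pages[vpage] = calloc(1, PAGE_SIZE);
        if (!m->pages[vpage]) return NULL;              /* host out of memory */
        s->vpage = vpage; s->real = m->pages[vpage]; (*miss)++;
    }
    return s->real + (va & (PAGE_SIZE - 1));
}

int vmem_read8(vmem_t *m, uint32_t va, uint8_t *out) {
    uint8_t *p = translate(m, m->rd, &m->rd_miss, va);
    return p ? (*out = *p, 0) : -1;
}
int vmem_write8(vmem_t *m, uint32_t va, uint8_t v) {
    uint8_t *p = translate(m, m->wr, &m->wr_miss, va);
    return p ? (*p = v, 0) : -1;
}

/* Constructed stand-in for a packer's decode loop: XOR len bytes in place. */
int vmem_xor(vmem_t *m, uint32_t va, uint32_t len, uint8_t key) {
    for (uint8_t b; len--; va++)
        if (vmem_read8(m, va, &b) || vmem_write8(m, va, b ^ key)) return -1;
    return 0;
}
```

After the decode loop runs, the plaintext sits in the emulated pages, and the miss counters show that only the first access to a page on each path takes the slow lookup.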

  • 11 Assignments