Enforcing the execution exception to prevent packers from evading the scanning of dynamically created code
5 Assignments
0 Petitions
Abstract
To detect possible malicious code that is unpacked at runtime before it is executed, antivirus software requires that any dynamically created code be scanned before it can be executed by a host computer system. This requirement may be enforced by requiring memory pages to be either executable or writable, but not both. Before changing from writable but not executable to executable but not writable, the page is scanned for malicious code. To prevent packers from evading this scanning, the software may enforce the execution exception to prevent packers from changing whether a page is executable and thereby evading the scanning of dynamically created code. The software may also include exception handlers to allow a program to write to a page that contains the code being executed, but also limit such an operation (e.g., to a single step) to avoid evasion of the antivirus software.
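As an added illustration (not code from the patent or its assignee), the following Python model walks through the page-state rules the abstract describes: a page is either writable or executable, the program's own request to make a written page executable is refused, an execute fault triggers a scan before the page becomes executable, and a write into the page currently being executed is granted for a single step and then reverted. The page layout, the `Page` class and the byte "signature" are constructed stand-ins.

```python
# Added example, not from the patent: a toy model of the write-xor-execute
# page policy. The signature, Page type and handler names are constructed.
from dataclasses import dataclass

MALICIOUS_SIGNATURE = b"\xde\xad\xbe\xef"   # constructed stand-in for an AV signature


@dataclass
class Page:
    data: bytearray
    writable: bool = False
    executable: bool = False


def scan(page: Page) -> bool:
    """Stand-in for the antivirus scan: clean unless the constructed signature is present."""
    return MALICIOUS_SIGNATURE not in page.data


def program_write(page: Page, offset: int, payload: bytes, executing_here: bool = False) -> str:
    """Handle a write fault. A normal unpacking write flips the page to writable,
    non-executable. A write into the page that is currently executing is allowed
    as W+X for exactly one single-stepped instruction, then the page is restored
    to executable-only (the claim 16 path)."""
    if page.executable and executing_here:
        page.writable = True                          # W+X granted for one step only
        page.data[offset:offset + len(payload)] = payload
        page.writable = False                         # single-step trap restores X-only
        return "single-step write"
    page.writable, page.executable = True, False      # writable, never writable+executable
    page.data[offset:offset + len(payload)] = payload
    return "writable, non-executable"


def program_mprotect_exec(page: Page) -> bool:
    """The program's own request to make a written page executable is refused;
    the page stays writable/non-executable and must take the execute fault instead."""
    return False


def program_execute(page: Page) -> str:
    """Handle an execute fault: scan the page before it ever becomes executable."""
    if page.executable:
        return "executed"
    if not scan(page):
        return "blocked: malicious code found"
    page.writable, page.executable = False, True      # executable-only after a clean scan
    return "executed"
```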
235 Citations
19 Claims
1. A computer program product for protecting a host computer system against dynamically unpacked malicious code, the computer program product comprising a non-transitory computer-readable storage medium containing executable computer program code for:
- detecting an attempt by a program to write to a memory page on the host computer system;
- responsive to detecting the attempt to write to the memory page, marking the memory page to be writable but non-executable to allow the program to write to the memory page;
- detecting a request from the program to change the memory page to be executable;
- preventing the memory page from being changed to be executable responsive to detecting the request from the program;
- detecting an attempt by the program to execute code written to the memory page by the program, the execution attempt distinct from the request from the program to change the memory page to be executable;
- responsive to detecting the attempt to execute code on the memory page, before executing the code on the memory page, scanning the memory page for malicious code; and
- marking the memory page to be executable if the scanning does not find malicious code on the memory page.
(Dependent claims 2 through 9.)
10. A computer-implemented method for protecting a host computer system against dynamically unpacked malicious code, the method comprising:
- detecting an attempt by a program to write to a memory page on the host computer system;
- responsive to detecting the attempt to write to the memory page, marking the memory page to be writable but non-executable to allow the program to write to the memory page;
- detecting a request from the program to change the memory page to be executable;
- preventing the memory page from being changed to be executable responsive to detecting the request from the program;
- detecting an attempt by the program to execute code written to the memory page by the program, the execution attempt distinct from the request from the program to change the memory page to be executable;
- responsive to detecting the attempt to execute code on the memory page, before executing the code on the memory page, scanning the memory page for malicious code; and
- marking the memory page to be executable if the scanning does not find malicious code on the memory page.
(Dependent claims 11 through 15.)
16. A computer program product for protecting a host computer system against dynamically unpacked malicious code, the computer program product comprising a non-transitory computer-readable storage medium containing executable computer program code for:
- enforcing a mutual exclusion requirement for a set of memory pages on the host computer system, the mutual exclusion requirement requiring that each of the set of memory pages cannot be both executable and writeable at the same time;
- executing a set of instructions for a program contained on a first memory page of the set of memory pages, a page protection of the first memory page set to be executable but not writeable, wherein the set of instructions includes a write instruction to write to the first memory page;
- setting a single step execution before passing control to the program;
- changing the page protection of the first memory page to be writeable and executable to allow the write instruction to be executed;
- passing control to the program to execute the write instruction;
- intercepting the single step execution after the write instruction is executed by the program; and
- changing the page protection of the first memory page to be executable and not writable after the write instruction is executed.
(Dependent claims 17 through 19.)