System and method for analyzing packed files
First Claim
1. A method for analyzing executable files on a computer, comprising:
- initiating, with an operating system of the computer, execution of a loader-process, wherein the loader-process has a memory space controlled by the loader-process;
- loading, using the loader-process, code of a first executable file into the memory space;
- executing the code of the first executable file in the memory space of the loader-process, wherein the code of the first executable file unpacks other packed code to generate unpacked code, the unpacked code including at least one system call;
- analyzing the unpacked code to assess whether the first executable file is a pestware file;
- enumerating dynamic link libraries (DLLs) that have been loaded by the operating system for the loader-process;
- patching at least one export address table of a dynamic link library (DLL) associated with the loader-process so that the patched export address table refers the unpacked code loaded by the loader-process back to code associated with the loader module instead of functions provided by the operating system;
- patching at least a portion of a function that at least one export address table points to so that the patched function refers an attempted access by a pestware process back to the loader-process, wherein at least one or more of a patched function and a patched DLL points to a location outside of the loader-process but within the loader-process's address space;
- executing the unpacked code in the memory space of the loader-process;
- routing, in response to determining the at least one system call is safe, the at least one system call of the unpacked code from the memory space of the loader-process to the operating system of the computer for execution while the unpacked code is executed by the loader-process; and
- clearing the memory space of the loader-process while maintaining the loader-process in a memory of the computer.
Abstract
A system and method for analyzing executable files on a computer is described. The method in one embodiment includes initiating, with an operating system of the computer, execution of a loader-process; loading, using the loader-process, code of a first executable file into an executable-memory of the computer; and executing the code of the first executable file, wherein the code of the first executable file unpacks other packed-code to generate unpacked code. In addition, the loader-process executes the unpacked code and stops execution of the unpacked code in response to the unpacked code attempting to make a potentially dangerous system call. The unpacked code is analyzed, in response to the unpacked code attempting to make the potentially dangerous system call, to assess whether the first executable file is a pestware file.
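The export-address-table (EAT) patching, function-prologue patching and safe/dangerous call gating that claim 1 and the abstract describe, as an added illustration; this is not code from the patent or its assignee. It models a loaded DLL as a flat in-memory image in which RVA equals offset, assumes the export directory sits at a fixed RVA (in a real PE it is read from DataDirectory[0] of the optional header), and assumes a loader-owned stub region inside the same image as the redirect target, which is the "location outside of the loader-process but within the loader-process's address space" of the claim. The export names, their RVAs and the `DANGEROUS` policy set are constructed for the example.

```python
import struct

EXPORT_DIR_FMT = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY: 11 fields, 40 bytes
IMAGE_SIZE = 0x4000
EXPORT_DIR_RVA = 0x1000           # assumed: where the export directory sits in this flat image
STUB_REGION_RVA = 0x3000          # assumed: loader-owned stub region inside the same image
STUB_SIZE = 16                    # one stub slot per hooked export

# Assumed policy for the example: calls the loader refuses to pass through to the OS.
DANGEROUS = {"WriteProcessMemory", "CreateRemoteThread"}

def build_image(exports):
    """Construct a flat DLL image (RVA == offset) exporting the given name -> RVA map.
    Constructed test data; names are stored sorted, as the PE by-name lookup requires."""
    image = bytearray(IMAGE_SIZE)
    names = sorted(exports)
    n = len(names)
    funcs_rva, names_rva, ords_rva, str_rva = 0x1040, 0x1100, 0x1200, 0x1300
    for i, name in enumerate(names):
        struct.pack_into("<I", image, funcs_rva + 4 * i, exports[name])  # AddressOfFunctions[i]
        struct.pack_into("<I", image, names_rva + 4 * i, str_rva)        # AddressOfNames[i]
        struct.pack_into("<H", image, ords_rva + 2 * i, i)               # AddressOfNameOrdinals[i]
        raw = name.encode("ascii") + b"\0"
        image[str_rva:str_rva + len(raw)] = raw
        str_rva += len(raw)
        body = b"\xb8" + struct.pack("<I", i) + b"\xc3"                  # 'mov eax, i ; ret'
        image[exports[name]:exports[name] + len(body)] = body
    struct.pack_into(EXPORT_DIR_FMT, image, EXPORT_DIR_RVA,
                     0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    return image

def read_export_directory(image):
    f = struct.unpack_from(EXPORT_DIR_FMT, image, EXPORT_DIR_RVA)
    return {"n_names": f[7], "funcs": f[8], "names": f[9], "ords": f[10]}

def read_cstring(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def _name_entries(image):
    """Yield (name, slot_rva): slot_rva is the EAT slot a by-name GetProcAddress reads."""
    d = read_export_directory(image)
    for i in range(d["n_names"]):
        name_rva = struct.unpack_from("<I", image, d["names"] + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, d["ords"] + 2 * i)[0]
        yield read_cstring(image, name_rva), d["funcs"] + 4 * ordinal

def enumerate_exports(image):
    """What a by-name GetProcAddress sees right now: name -> RVA held in the EAT."""
    return {name: struct.unpack_from("<I", image, slot)[0] for name, slot in _name_entries(image)}

def patch_eat(image):
    """Claim step 'patching at least one export address table': point every named export at
    a loader-owned stub slot. Returns name -> (original_rva, stub_rva) so the loader can still
    reach the real function when it decides to route a call through."""
    table = {}
    for i, (name, slot) in enumerate(_name_entries(image)):
        original = struct.unpack_from("<I", image, slot)[0]
        stub = STUB_REGION_RVA + STUB_SIZE * i
        struct.pack_into("<I", image, slot, stub)
        table[name] = (original, stub)
    return table

def patch_prologue(image, func_rva, stub_rva):
    """Claim step 'patching at least a portion of a function': overwrite the entry with
    'jmp rel32' to the stub, so code that already holds the real address is diverted too.
    Returns the five displaced bytes the loader must preserve to call the original."""
    saved = bytes(image[func_rva:func_rva + 5])
    rel32 = stub_rva - (func_rva + 5)
    image[func_rva:func_rva + 5] = b"\xe9" + struct.pack("<i", rel32)
    return saved

def jmp_target(image, func_rva):
    """Decode the 'jmp rel32' written by patch_prologue and return where it lands."""
    if image[func_rva] != 0xE9:
        raise ValueError("no jmp rel32 at %#x" % func_rva)
    return func_rva + 5 + struct.unpack_from("<i", image, func_rva + 1)[0]

def dispatch(name, table, dangerous=DANGEROUS):
    """Policy applied inside the stub: a safe call is routed on to the saved original,
    a dangerous one stops execution so the unpacked code can be analysed."""
    original, _stub = table[name]
    if name in dangerous:
        return ("stop", name)
    return ("route", original)

def demo():
    # Constructed sample exports; the RVAs are arbitrary slots inside the flat image.
    image = build_image({"CreateFileW": 0x2000, "GetTickCount": 0x2100, "WriteProcessMemory": 0x2200})
    table = patch_eat(image)
    saved = {name: patch_prologue(image, orig, stub) for name, (orig, stub) in table.items()}
    return image, table, saved
```

After `patch_eat`, a by-name resolution through the EAT returns the stub slot, so unpacked code that resolves its imports at run time lands in loader code; `patch_prologue` covers code that copied the real address before the table was patched, and the five saved bytes are what the loader needs to call through to the original. A real implementation must also make the target pages writable before patching, cope with forwarded exports and with the image being mapped at a base other than its file layout, all of which this flat model omits.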
19 Claims
1. Independent claim; its text is given in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 17.
10. A system for analyzing a packed file stored on a computer comprising:
- a processor configured to execute a loader module;
- a memory space controlled by the loader module, wherein the loader module, cooperating with the memory space, performs the following steps:
  - executes a file unpacker in the memory space of the loader module, wherein the file unpacker, when executed by the loader module, unpacks the packed file to generate unpacked code;
  - executes the unpacked code in the memory space of the loader module;
  - assesses a system call from the unpacked code and, if the system call is safe, routes the system call from the unpacked code from the memory space of the loader module to the operating system for execution while the unpacked code is executed by the loader module;
  - enumerates dynamic link libraries (DLLs) that have been loaded by the operating system for the loader-process;
  - patches at least one export address table of a dynamic link library (DLL) associated with the loader module so that the patched export address table refers the unpacked code loaded by the loader module back to code associated with the loader module instead of functions provided by the operating system;
  - patches at least a portion of a function that at least one export address table points to so that the patched function refers an attempted access by a pestware process back to the loader module, wherein at least one or more of a patched function and a patched DLL points to a location outside of the loader-process but within the loader-process's address space; and
  - clears the memory space of the loader-process while maintaining the loader-process in a memory of the computer; and
- a detection module that analyzes the unpacked code after the unpacked code is executed by the loader module.

Dependent claims: 11, 12, 18.
13. A non-transitory, processor-readable medium including instructions for analyzing executable files on a computer, the instructions comprising instructions for:
- initiating, with an operating system of the computer, execution of a loader-process, wherein the loader-process has an address space controlled by the loader-process;
- loading, using the loader-process, code of a first executable file into the related address space of the loader-process;
- executing the code of the first executable file in the address space of the loader-process, wherein the code of the first executable file unpacks other packed code to generate unpacked code, the unpacked code including at least one system call;
- analyzing the unpacked code, in response to the unpacked code attempting to make the at least one system call, to assess whether the first executable file is a pestware file;
- enumerating dynamic link libraries (DLLs) that have been loaded by the operating system for the loader-process;
- patching at least one export address table of a dynamic link library (DLL) associated with the loader-process so that the patched export address table refers the unpacked code loaded by the loader-process back to code associated with the loader module instead of functions provided by the operating system;
- patching at least a portion of a function that at least one export address table points to so that the patched function refers an attempted access by a pestware process back to the loader-process, wherein at least one or more of a patched function and a patched DLL points to a location outside of the loader-process but within the loader-process's address space;
- executing the unpacked code in the address space of the loader-process;
- routing, in response to determining the at least one system call is safe, the at least one system call of the unpacked code from the address space of the loader-process to the operating system of the computer for execution while the unpacked code is executed by the loader-process; and
- clearing the memory space of the loader-process while maintaining the loader-process in a memory of the computer.

Dependent claims: 14, 15, 16, 19.
Specification