Systems and methods for defeating malware with polymorphic software
First Claim
1. A system comprising:
- at least one processor, and memory including instruction information that, when executed by the at least one processor, cause the system to;
generate randomized relocatable image information, the generation of the randomized relocatable image information includes a randomization of a plurality of function information that is included in relocatable image information to generate the randomized relocatable image information, the plurality of function information includes a first function information, the first function information includes a first location that is used to enter the first function information, the generation of the randomized relocatable image information further includes an update of relative address information that is included in instruction information that is included in the randomized relocatable image information, the relative address information is utilized to enter the first function via the first location based on a new location of the first function in the randomized relocatable image information and the generation of the randomized relocatable image information being based on directive information to disable the randomizing of at least one part of the relocatable image information, the at least one part being identified by the directive information;
apply a base address to the randomized relocatable image information to generate randomized executable image information;
load the randomized executable image information into the memory; and
execute the randomized executable image information.
1 Assignment
0 Petitions
Accused Products
Abstract
Systems and methods for defeating malware with polymorphic software are described. The system generates randomized relocatable image information by randomizing a plurality of function information that is included in relocatable image information. The plurality of function information includes a first function information. The first function information includes a first location that is used to enter the first function information. The randomizing further includes updating instruction information in the randomized relocatable image information. Updating the instruction information further includes updating relative address information utilized to enter the first function via the first location based on a new location of the first function in the randomized relocatable image information. The system further applies a base address to the randomized relocatable image information to generate randomized executable image information, loads the randomized executable image information into the memory, and executes the randomized executable image information.
-
Citations
20 Claims
-
1. A system comprising:
-
at least one processor, and memory including instruction information that, when executed by the at least one processor, cause the system to; generate randomized relocatable image information, the generation of the randomized relocatable image information includes a randomization of a plurality of function information that is included in relocatable image information to generate the randomized relocatable image information, the plurality of function information includes a first function information, the first function information includes a first location that is used to enter the first function information, the generation of the randomized relocatable image information further includes an update of relative address information that is included in instruction information that is included in the randomized relocatable image information, the relative address information is utilized to enter the first function via the first location based on a new location of the first function in the randomized relocatable image information and the generation of the randomized relocatable image information being based on directive information to disable the randomizing of at least one part of the relocatable image information, the at least one part being identified by the directive information; apply a base address to the randomized relocatable image information to generate randomized executable image information; load the randomized executable image information into the memory; and execute the randomized executable image information. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method including:
-
generating randomized relocatable image information, the generating including; randomizing a plurality of function information that is included in relocatable image information to generate the randomized relocatable image information, the plurality of function information including a first function information, the first function information including a first location that is used to enter the first function information, the generation of the randomized relocatable image information being based on directive information to disable the randomizing of at least one part of the relocatable image information, the at least one part being identified by the directive information; updating instruction information in the randomized relocatable image information, the updating the instruction information including updating relative address information utilized to enter the first function via the first location based on a new location of the first function in the randomized relocatable image information; applying a base address to the randomized relocatable image information to generate randomized executable image information; loading the randomized executable image information into the memory; and executing the randomized executable image information. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A non-transitory machine-readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform the following actions:
-
generating randomized relocatable image information, the generating including; randomizing a plurality of function information that is included in relocatable image information to generate the randomized relocatable image information, the plurality of function information including a first function information, the first function information including a first location that is used to enter the first function information, the generation of the randomized relocatable image information being based on directive information to disable the randomizing of at least one part of the relocatable image information, the at least one part being identified by the directive information; updating instruction information in the randomized relocatable image information, the updating the instruction information including updating relative address information utilized to enter the first function via the first location based on a new location of the first function in the randomized relocatable image information; applying a base address to the randomized relocatable image information to generate randomized executable image information; loading the randomized executable image information into the memory; and executing the randomized executable image information. - View Dependent Claims (20)
-
Specification