
System and method for below-operating system regulation and control of self-modifying code

  • US 9,392,016 B2
  • Filed: 07/10/2014
  • Issued: 07/12/2016
  • Est. Priority Date: 03/29/2011
  • Status: Active Grant
First Claim

1. An article of manufacture, comprising:

  • a non-transitory computer readable medium;
  • computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to:
    • trap, at a higher priority than all operating systems of the electronic device, an attempted access to a particular memory location in memory of the electronic device, the attempted access indicating a presence of self-modifying malware, the electronic device including one or more operating systems;
    • record information associated with the attempted access in a history in response to trapping the attempted access to memory;
    • analyze information in the history associated with the particular memory location to determine suspicious behavior with respect to the particular memory location, wherein analyzing information includes:
      • identifying suspicious behavior based on information in the history indicating that content at a first memory location was copied to a second location, modified at the second location, and subsequently executed at the second location;
      • identifying suspicious behavior based on whether information in the history indicates attempted execution of content at a third memory location and a fourth memory location, wherein each of the third and fourth memory locations has a common ancestor at a fifth location; and
      • identifying suspicious behavior based on whether information in the history indicates content at the particular memory location has ancestors at a plurality of other memory locations;
    • initiate corrective action in response to determining suspicious behavior with respect to the particular memory location;
    • determine whether the particular memory location has been affected by malware; and
    • initiate further corrective action in response to determining that the particular memory location has been affected by malware, comprising at least one of: disallowing execution of content associated with the particular memory location, reversing changes to the content in the history, repairing the content, replacing the content with harmless content, and disabling a process associated with the content.
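The three history heuristics in the claim (copy-modify-execute, sibling execution from a common ancestor, and multiple ancestors), modelled as an added Python example that is not code from the patent or its assignee; the event types, class names and sample addresses are assumptions, and the trap itself is stood in for by explicit `record_*` calls:

```python
from dataclasses import dataclass, field

@dataclass
class Region:
    ancestors: set = field(default_factory=set)  # locations this content was copied from
    modified: bool = False                        # written to since it was copied in
    exec_after_mod: bool = False                  # executed after being modified in place
    executed: bool = False                        # executed at all

class AccessHistory:
    """Toy history of trapped memory accesses plus the three heuristics of the claim."""
    def __init__(self):
        self.regions = {}

    def _region(self, loc):
        return self.regions.setdefault(loc, Region())

    def record_copy(self, src, dst):
        """Content at src was copied to dst; dst inherits src and src's ancestors."""
        dst_region = self._region(dst)
        dst_region.ancestors = set(self._region(src).ancestors) | {src}
        dst_region.modified = dst_region.exec_after_mod = dst_region.executed = False

    def record_write(self, loc):
        self._region(loc).modified = True

    def record_exec(self, loc):
        region = self._region(loc)
        region.executed = True
        if region.modified:
            region.exec_after_mod = True

    def suspicious(self, loc):
        """Return the claim's heuristics that fire for loc (empty list if none)."""
        region = self._region(loc)
        hits = []
        # (1) copied to loc, modified at loc, and subsequently executed at loc
        if region.ancestors and region.exec_after_mod:
            hits.append("copy-modify-execute")
        # (2) loc and another location were both executed and share a common ancestor
        if region.executed and any(
            other != loc and o.executed and region.ancestors & o.ancestors
            for other, o in self.regions.items()
        ):
            hits.append("sibling-execution")
        # (3) content at loc has ancestors at more than one other location (copy chain)
        if len(region.ancestors) > 1:
            hits.append("multiple-ancestors")
        return hits
```

A real implementation would populate the history from the below-OS trap handler rather than from explicit calls, and would feed a non-empty result into the corrective actions the claim lists (disallowing execution, reverting or repairing the content, or disabling the process).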
