System and method for the programmatic runtime de-obfuscation of obfuscated software utilizing virtual machine introspection and manipulation of virtual machine guest memory permissions
Abstract
A system and method operable to programmatically perform runtime de-obfuscation of obfuscated software via virtual machine introspection and manipulation of virtual machine guest memory permissions.
Claims (24)

1. A method to de-obfuscate obfuscated malicious software code in a virtual machine, the method comprising:
enumerating a first physical page associated with a virtual address space of a first piece of analyzed software code;
setting the first physical page to non-writable;
detecting a write to the first physical page; and
enumerating a second physical page following (i) a change in virtual address space allocation, and (ii) cessation of execution of the first piece of analyzed software, wherein programmatic control of the virtual machine is provided via instrumentation.
Dependent claims: 2 to 14.
15. A system to de-obfuscate obfuscated malicious software in a virtual machine, the system comprising:
an analysis engine configured to update a physical page status and save the physical page status to memory upon an occurrence of at least one of (i) execution of an instruction associated with a first physical page, and (ii) setting of a physical page permission to not executable, wherein the analysis engine is configured to enumerate a second physical page following (i) a change in virtual address space allocation, and (ii) cessation of execution of a first piece of analyzed software, and programmatic control of the virtual machine is provided via instrumentation.
Dependent claims: 16 to 19.
20. A system for de-obfuscating obfuscated malicious software in a virtual machine, the system comprising:
a hardware processor; and
a storage medium communicatively coupled to the processor, the storage medium comprising an analysis engine configured to (a) update a physical page status and save the physical page status upon at least either (i) execution of an instruction associated with a first physical page or (ii) setting of a physical page permission to not executable, and (b) enumerate a second physical page following (i) a change in virtual address space allocation, and (ii) cessation of execution of a first piece of analyzed software.
Dependent claims: 21 to 24.
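The page-status logic that claims 1, 15 and 20 describe (enumerate pages, guard them non-writable, record writes, update status when a written page executes, re-enumerate after an allocation change), as an added Python simulation that is not the patent's or any vendor's code: the guest memory, page states and the access trace are constructed in-process, standing in for the hypervisor fault events a real VMI deployment would receive.

```python
from dataclasses import dataclass
# Page-status model for claims 1, 15 and 20: pages start non-writable; a write
# fault marks the page written and makes it writable-but-not-executable; an
# execute fault on such a page captures its contents (runtime-written code).

@dataclass
class Page:
    writable: bool = False
    executable: bool = True
    written: bool = False

class PageTracker:
    def __init__(self, mem):
        self.mem = dict(mem)          # constructed guest memory: page address -> bytes
        self.pages = {}
        self.dumps = []               # (page address, contents) captured at execute time
        self.enumerate(self.mem)      # claim 1: enumerate pages, set them non-writable
    def enumerate(self, gpas):
        for gpa in gpas:
            self.pages.setdefault(gpa, Page()).writable = False

    def on_write(self, gpa, offset, data):
        page = self.pages[gpa]
        if not page.writable:         # write fault: record it, then let the write through
            page.written, page.writable, page.executable = True, True, False
        buf = bytearray(self.mem[gpa])
        buf[offset:offset + len(data)] = data
        self.mem[gpa] = bytes(buf)

    def on_execute(self, gpa):
        page = self.pages[gpa]
        if not page.executable:       # written page now executing: claims 15/20 (i)
            self.dumps.append((gpa, self.mem[gpa]))
            page.executable, page.writable, page.written = True, False, False

    def on_alloc_change(self, new_mem):
        self.mem.update(new_mem)      # claim 1: re-enumerate after the allocation changes
        self.enumerate(new_mem)

def run_demo():
    # Constructed trace: stub page 0x1000 decodes code into 0x2000 and runs it,
    # then maps a new region 0x3000 and repeats the pattern (a second layer).
    t = PageTracker({0x1000: b"\x90" * 16, 0x2000: b"\x00" * 16})
    t.on_execute(0x1000)
    t.on_write(0x2000, 0, b"\xcc\xc3")
    t.on_execute(0x2000)
    t.on_alloc_change({0x3000: b"\x00" * 16})
    t.on_write(0x3000, 0, b"\x31\xc0\xc3")
    t.on_execute(0x3000)
    return [(hex(gpa), data.rstrip(b"\x00")) for gpa, data in t.dumps]
```

Only pages that were written and then executed are captured; the untouched stub page never produces a dump, which is what separates runtime-produced code from the original image.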