Shellcode detection
1. A computerized method, comprising:
instantiating an instance of an application within a virtual machine, the application for executing an object;
allocating a first region of memory to the virtual machine for use in execution of the object with the application;
responsive to detecting one or more characteristics of a heap spray attack within a sequence of bytes within the first region of memory, allocating a second region of memory to the virtual machine, wherein the first region of memory is a first virtual heap and the second region of memory is a second virtual heap different than the first virtual heap;
copying the sequence of bytes from the first region of memory to the second region of memory;
beginning execution, by the virtual machine, of the copy of the sequence of bytes stored in the second region of memory; and
monitoring the execution of the copy of the sequence of bytes to detect characteristics of anomalous behavior.
Abstract
According to one embodiment, a threat detection system is integrated with at least a dynamic analysis engine. The dynamic analysis engine is configured to automatically determine whether one or more objects included in received network traffic contain a heap spray attack. Upon detection of a potential heap spray attack, the dynamic analysis engine may copy potential shellcode within an object included in the received network traffic, insert the copy of the potential shellcode into a second region of allocated memory and analyze the execution of the potential shellcode to determine whether characteristics associated with an exploit are present.
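As an added illustration (not code from the patent or its assignee) of the triage the abstract and claim 1 describe, the Python below models the detection and copy steps: it scans a constructed memory region for heap-spray characteristics, assumed here to be long runs of a short repeating byte pattern (a sled), and copies the bytes following each sled into a separate buffer standing in for the second virtual heap. The thresholds, the sled heuristic and the sample bytes are assumptions; executing and monitoring the copy requires the virtual machine and is not modelled.

```python
from dataclasses import dataclass
# Assumed thresholds (not from the patent): a 1/2/4-byte pattern repeating for
# SLED_MIN_RUN bytes is a sled; sleds covering SLED_MIN_COVERAGE mean "sprayed".
SLED_MIN_RUN = 64
SLED_MIN_COVERAGE = 0.5
@dataclass
class SprayFinding:
    sled_offset: int   # where the repeating run starts in the first region
    sled_len: int      # length of the run in bytes
    pattern: bytes     # the repeating unit
    candidate: bytes   # bytes after the sled, copied out into a separate buffer

def find_sled_runs(region: bytes, min_run: int = SLED_MIN_RUN) -> list[tuple[int, int, bytes]]:
    """Locate runs of a short repeating pattern; all-zero runs are skipped (fresh heap is zero-filled)."""
    runs, i, n = [], 0, len(region)
    while i < n:
        best = None
        for plen in (1, 2, 4):
            pat = region[i:i + plen]
            if len(pat) < plen or not any(pat):
                continue
            j = i + plen
            while j + plen <= n and region[j:j + plen] == pat:
                j += plen
            if j - i >= min_run and (best is None or j - i > best[1]):
                best = (i, j - i, pat)
        if best is None:
            i += 1
        else:
            runs.append(best)
            i += best[1]   # skip past the whole run
    return runs

def detect_heap_spray(region: bytes) -> list[SprayFinding]:
    """One finding per sled when the region looks sprayed; candidates are copied out of the first region."""
    runs = find_sled_runs(region)
    covered = sum(length for _, length, _ in runs)
    if not runs or covered / len(region) < SLED_MIN_COVERAGE:
        return []
    findings = []
    for k, (off, length, pat) in enumerate(runs):
        nxt = runs[k + 1][0] if k + 1 < len(runs) else len(region)
        candidate = bytes(region[off + length:nxt])  # new buffer, not a view into the first region
        if candidate:
            findings.append(SprayFinding(off, length, pat, candidate))
    return findings

# Constructed sample: benign data, then four sprayed blocks of a 256-byte 0x0c sled plus a placeholder.
CANDIDATE = b"<constructed-candidate-bytes>"
SAMPLE_REGION = b"benign data " * 10 + (b"\x0c" * 256 + CANDIDATE) * 4
```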
29 Claims
20. A system comprising:
one or more processors; and
a storage module communicatively coupled to the one or more processors, the storage module includes logic to:
instantiate an instance of an application within a virtual machine, the application for executing an object;
allocate a first region of memory to the virtual machine for use in execution of the object with the application;
responsive to detecting one or more characteristics of a heap spray attack within a sequence of bytes within the first region of memory, allocate a second region of memory to the virtual machine, wherein the first region of memory is a first virtual heap and the second region of memory is a second virtual heap different than the first virtual heap;
copy the sequence of bytes from the first region of memory to the second region of memory;
begin execution, by the virtual machine, of the copy of the sequence of bytes stored in the second region of memory; and
monitor the execution of the copy of the sequence of bytes to detect one or more characteristics of anomalous behavior.