MONITORING EXECUTED SCRIPT FOR ZERO-DAY ATTACK OF MALWARE
First Claim
1. A computer program product tangibly embodied on non-transient computer readable media, the computer program product comprising instructions operable when executed to:
execute script code by a script application programming interface (API);
detect, by a decoder, an event in the script code, the event comprising one of a memory call or an indirect branch call;
redirect an instruction pointer to a predetermined memory location, the predetermined memory location comprising malware monitoring code;
execute the malware monitoring code upon execution of a script application programming interface (API) redirection of the instruction pointer to the predetermined memory location;
identify, in a heap memory, script code loaded into the heap memory; and
evaluate, by the malware monitor, the script code in the heap memory for malicious code prior to execution of the script code.
Abstract
Embodiments are directed to hooking a call for a malware monitoring logic into a JavaScript API engine interpreter. Upon JavaScript being placed into heap memory, the malware monitoring logic can initiate an evaluation or analysis of the heap spray to determine whether the JavaScript includes malware or other malicious agents prior to execution of the JavaScript shell code. Upon execution of the JavaScript within the sandbox, the malware monitoring logic can initiate monitoring of the JavaScript using malware analysis and/or execution profiling techniques. Inferences can be made of the presence of malware based on a start and end time of the JavaScript execution.
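The abstract describes three mechanisms: a hook that turns an indirect branch in the script engine into a jump to monitoring code, a scan of script text already resident in the heap before that text is executed, and timing of the execution itself. The following C program is an added illustration, not code from the patent or from any named engine. It models the engine's indirect branch as a call through a function-pointer dispatch table, installs the monitor by swapping that table entry, and has the monitor scan a simulated script heap for two classic heap-spray tells (a long repeated-byte sled and `unescape("%u...")` strings). The names `script_api_load`, `script_api_run`, `monitor_eval`, `looks_like_spray`, the heap layout and the thresholds are all this example's own assumptions.

```c
/* Added example (hypothetical names, not the patent's implementation):
 * redirect a script API's indirect-branch target to a malware monitor that
 * inspects heap-resident script before the real evaluator runs it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define HEAP_SLOTS 4
#define SPRAY_RUN_THRESHOLD 64  /* one byte repeated this often reads as a NOP sled */

typedef int (*eval_fn)(const char *src, size_t len);

/* Simulated script heap: each slot holds one heap-allocated, NUL-terminated script. */
static char  *heap_slot[HEAP_SLOTS];
static size_t heap_len[HEAP_SLOTS];
static int    blocked_total;

/* Stand-in for the engine's interpreter; 0 means "executed". */
static int real_eval(const char *src, size_t len) { (void)src; (void)len; return 0; }

/* Dispatch table entry: the indirect-branch target the decoder watches. Starts unhooked. */
static eval_fn dispatch_eval = real_eval;
static eval_fn original_eval = real_eval;

/* Script API: copy source into heap memory, as an engine does before compiling it. */
int script_api_load(int slot, const char *src) {
    if (slot < 0 || slot >= HEAP_SLOTS) return -1;
    size_t n = strlen(src);
    char *p = malloc(n + 1);
    if (!p) return -1;
    memcpy(p, src, n + 1);
    free(heap_slot[slot]);
    heap_slot[slot] = p;
    heap_len[slot]  = n;
    return 0;
}

static size_t longest_byte_run(const char *s, size_t n) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = (i > 0 && s[i] == s[i - 1]) ? cur + 1 : 1;
        if (cur > best) best = cur;
    }
    return best;
}

/* Heap-spray heuristic (this example's own): a long repeated-byte run, or the
 * unescape("%u....") construction used to place shellcode bytes in the heap. */
int looks_like_spray(const char *s, size_t n) {
    if (longest_byte_run(s, n) >= SPRAY_RUN_THRESHOLD) return 1;
    if (strstr(s, "unescape(") != NULL && strstr(s, "%u") != NULL) return 1;
    return 0;
}

/* Malware monitor: the predetermined redirection target. It inspects every
 * script resident in the heap, then either blocks or forwards to the engine. */
static int monitor_eval(const char *src, size_t len) {
    for (int i = 0; i < HEAP_SLOTS; i++) {
        if (heap_slot[i] && looks_like_spray(heap_slot[i], heap_len[i])) {
            blocked_total++;
            return 1;                       /* 1 = blocked before execution */
        }
    }
    return original_eval(src, len);         /* clean: fall through to the engine */
}

/* Hook installation: retarget the dispatch entry to the monitor and keep the
 * original so the monitor can forward. Idempotent, so no self-recursion. */
void install_monitor_hook(void) {
    if (dispatch_eval == monitor_eval) return;
    original_eval = dispatch_eval;
    dispatch_eval = monitor_eval;
}

int monitor_blocked_count(void) { return blocked_total; }

/* Script API entry point: the indirect branch site. Wall time around the call is
 * reported so a caller can apply the start/end-time inference from the abstract. */
int script_api_run(int slot, double *elapsed_seconds) {
    if (slot < 0 || slot >= HEAP_SLOTS || !heap_slot[slot]) return -1;
    clock_t t0 = clock();
    int rc = dispatch_eval(heap_slot[slot], heap_len[slot]);   /* the indirect call */
    if (elapsed_seconds) *elapsed_seconds = (double)(clock() - t0) / CLOCKS_PER_SEC;
    return rc;
}

int main(void) {
    double dt;
    int rc;
    install_monitor_hook();
    /* Constructed sample scripts: one benign, one shaped like a heap spray. */
    script_api_load(0, "var x = 1 + 2; console.log(x);");
    rc = script_api_run(0, &dt);
    printf("benign: rc=%d (%.6fs)\n", rc, dt);
    script_api_load(1, "var s = unescape(\"%u0c0c%u0c0c\"); while (s.length < 0x100000) s += s;");
    rc = script_api_run(1, &dt);
    printf("spray:  rc=%d (%.6fs)\n", rc, dt);
    printf("blocked: %d\n", monitor_blocked_count());
    return 0;
}
```

The monitor scans the whole simulated heap rather than only the script being run, because a spray fills many allocations before the one that triggers it; the cost is that a benign script loaded next to a sprayed one is also refused, which is the trade-off a real deployment would tune. The timing value is only reported here, since a start/end-time inference needs a baseline the abstract does not give.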
Citations: 13
Claims (24)
1. Claim 1 reads as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer implemented method comprising:
identifying one or more commands that when called trigger an instruction pointer redirection to a predetermined memory address;
identifying the memory address to be redirected to if the one or more commands are called, the memory address comprising malware monitoring code;
executing script code by a script application programming interface (API);
detecting, by a decoder, an event in the script code, the event comprising one of a memory call or an indirect branch call;
redirecting an instruction pointer to a predetermined memory location, the predetermined memory location comprising malware monitoring code;
executing the malware monitoring code upon execution of a script application programming interface (API) redirection of the instruction pointer to the predetermined memory location;
identifying, by the malware monitor, script code in a heap memory, the script code loaded into the heap memory by the script API; and
evaluating, by the malware monitor, the script code in the heap memory for malicious code prior to execution of the script code.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16.
17. A computing system for zero-day malware detection comprising:
a script application programming interface (API) module implemented at least partially in hardware to load a script code into heap memory for execution;
a decoder to identify one or more commands comprising one of a memory call or indirect branch and redirect an execution pointer to point to a predetermined memory location, the predetermined memory location pre-loaded with malware monitoring logic;
a heap memory to dynamically store the script code; and
a malware monitoring logic preloaded into a predetermined memory location to identify the script code in the heap memory and evaluate the script code for malware prior to execution of the script code.
Dependent claims: 18, 19, 20, 21, 22, 23, 24.