System, method, and computer program product for determining whether code is unwanted based on the decompilation thereof

US 8,601,451 B2
Filed: 08/29/2007
Issued: 12/03/2013
Est. Priority Date: 08/29/2007
Status: Active Grant

First Claim

Patent Images

1. A processor implemented method, comprising:

identifying code;

decompiling the code using a virus scanner of a security system, wherein the decompiling is an intermediate decompiling and the intermediate decompiling is based on tracing calls in the code or tracing jumps in the code;

determining whether the code is unwanted, based on the decompiled code, wherein a determination is made that the code is unwanted if a hash of a first portion of the decompiled code matches a predetermined threshold percentage associated with a first hash of known unwanted code, and wherein the determining includes comparing interdependencies of portions of the decompiled code to interdependencies of portions of the known unwanted code;

identifying a second portion of the decompiled code to which the first portion of the decompiled code depends, if it is determined that the hash of the first portion of the decompiled code matches the first hash of known unwanted code;

determining whether a hash of the second portion of the decompiled code matches a second hash of known unwanted code; and

updating a dissimilarity score associated with an amount of dissimilarity between the hash of the second portion of the decompiled code and the second hash of known unwanted code if it is determined that the hash of the second portion of the decompiled code does not match the second hash of known unwanted code.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for determining whether code is unwanted based on the decompilation thereof. In use, code is identified and the code is decompiled. In addition, it is determined whether the code is unwanted, based on the decompiled code.

23 Citations

View as Search Results

20 Claims

1. A processor implemented method, comprising:
- identifying code;
  
  decompiling the code using a virus scanner of a security system, wherein the decompiling is an intermediate decompiling and the intermediate decompiling is based on tracing calls in the code or tracing jumps in the code;
  
  determining whether the code is unwanted, based on the decompiled code, wherein a determination is made that the code is unwanted if a hash of a first portion of the decompiled code matches a predetermined threshold percentage associated with a first hash of known unwanted code, and wherein the determining includes comparing interdependencies of portions of the decompiled code to interdependencies of portions of the known unwanted code;
  
  identifying a second portion of the decompiled code to which the first portion of the decompiled code depends, if it is determined that the hash of the first portion of the decompiled code matches the first hash of known unwanted code;
  
  determining whether a hash of the second portion of the decompiled code matches a second hash of known unwanted code; and
  
  updating a dissimilarity score associated with an amount of dissimilarity between the hash of the second portion of the decompiled code and the second hash of known unwanted code if it is determined that the hash of the second portion of the decompiled code does not match the second hash of known unwanted code.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the code includes object code.
  - 3. The method of claim 1, wherein the code is determined to be unwanted, if the decompiled code at least approximately matches known unwanted code.
  - 4. The method of claim 1, wherein a portion of the decompiled code is indexed into a hash table utilizing a hash of the portion of the decompiled code.
  - 5. The method of claim 1, wherein a similarity score is updated, if a hash of a portion of the decompiled code matches a hash of known unwanted code.
  - 6. The method of claim 5, wherein the similarity score is updated based on a strength of the match.
  - 7. The method of claim 1, wherein a similarity score is updated, if it is determined that the hash of the second portion of the decompiled code matches the second hash of known unwanted code.

8. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:
- identifying code;
  
  decompiling the code using a virus scanner of a security system, wherein the decompiling is an intermediate decompiling and the intermediate decompiling is based on tracing calls in the code or tracing jumps in the code;
  
  determining whether the code is unwanted, based on the decompiled code, wherein a determination is made that the code is unwanted if a hash of a first portion of the decompiled code matches a predetermined threshold percentage associated with a first hash of known unwanted code, and wherein the determining includes comparing interdependencies of portions of the decompiled code to interdependencies of portions of the known unwanted code;
  
  identifying a second portion of the decompiled code to which the first portion of the decompiled code depends, if it is determined that the hash of the first portion of the decompiled code matches the first hash of known unwanted code;
  
  determining whether a hash of the second portion of the decompiled code matches a second hash of known unwanted code; and
  
  updating a dissimilarity score associated with an amount of dissimilarity between the hash of the second portion of the decompiled code and the second hash of known unwanted code if it is determined that the hash of the second portion of the decompiled code does not match the second hash of known unwanted code.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, wherein the code includes object code.
  - 10. The computer program product of claim 8, wherein the code is determined to be unwanted, if the decompiled code at least approximately matches known unwanted code.
  - 11. The computer program product of claim 8, wherein a portion of the decompiled code is indexed into a hash table utilizing a hash of the portion of the decompiled code.
  - 12. The computer program product of claim 8, wherein a similarity score is updated, if a hash of a portion of the decompiled code matches a hash of known unwanted code.
  - 13. The computer program product of claim 12, wherein the similarity score is updated based on a strength of the match.
  - 14. The computer program product of claim 8, wherein a similarity score is updated, if it is determined that the hash of the second portion of the decompiled code matches the second hash of known unwanted code.

15. A system, comprising:
- a processor, where the system is configured for;
  
  identifying code;
  
  decompiling the code using a virus scanner of a security system, wherein the decompiling is an intermediate decompiling and the intermediate decompiling is based on tracing calls in the code or tracing jumps in the code;
  
  determining whether the code is unwanted, based on the decompiled code, wherein a determination is made that the code is unwanted if a hash of a first portion of the decompiled code matches a predetermined threshold percentage associated with a first hash of known unwanted code, and wherein the determining includes comparing interdependencies of portions of the decompiled code to interdependencies of portions of the known unwanted code;
  
  identifying a second portion of the decompiled code to which the first portion of the decompiled code depends, if it is determined that the hash of the first portion of the decompiled code matches the first hash of known unwanted code;
  
  determining whether a hash of the second portion of the decompiled code matches a second hash of known unwanted code; and
  
  updating a dissimilarity score associated with an amount of dissimilarity between the hash of the second portion of the decompiled code and the second hash of known unwanted code if it is determined that the hash of the second portion of the decompiled code does not match the second hash of known unwanted code.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the code is determined to be unwanted, if the decompiled code at least approximately matches known unwanted code.
  - 17. The system of claim 15, wherein a portion of the decompiled code is indexed into a hash table utilizing a hash of the portion of the decompiled code.
  - 18. The system of claim 15, wherein a similarity score is updated, if a hash of a portion of the decompiled code matches a hash of known unwanted code.
  - 19. The system of claim 18, wherein the similarity score is updated based on a strength of the match.
  - 20. The system of claim 15, wherein a similarity score is updated, if it is determined that the hash of the second portion of the decompiled code matches the second hash of known unwanted code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Bartram, Anthony V., Dunbar, Adrian M. M. T., Hearnden, Steve O.
Primary Examiner(s)
Dao, Thuy
Assistant Examiner(s)
Smith, Cheneca

Application Number

US11/847,162
Publication Number

US 20130246370A1
Time in Patent Office

2,288 Days
Field of Search

None
US Class Current

717/146
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 8/53   Decompilation; Disassembly

System, method, and computer program product for determining whether code is unwanted based on the decompilation thereof

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program product for determining whether code is unwanted based on the decompilation thereof

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links