
WO2011068967 - HOOKING NONEXPORTED FUNCTIONS BY THE OFFSET OF THE FUNCTION

Publication Number WO/2011/068967
Publication Date 09.06.2011
International Application No. PCT/US2010/058731
International Filing Date 02.12.2010
IPC
  G06F 21/20 (2006.01)
    G   PHYSICS
    06  COMPUTING; CALCULATING OR COUNTING
    F   ELECTRIC DIGITAL DATA PROCESSING
    21  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    20  by restricting access to nodes in a computer system or computer network
  G06F 7/493 (2006.01)
    G   PHYSICS
    06  COMPUTING; CALCULATING OR COUNTING
    F   ELECTRIC DIGITAL DATA PROCESSING
    7   Methods or arrangements for processing data by operating upon the order or content of the data handled
    38  Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation
    48  using non-contact-making devices, e.g. tube, solid state device; using unspecified devices
    491 Computations with decimal numbers
    492 using a binary weighted representation within each denomination
    493 the representation being the natural binary coded representation, i.e. 8421-code
  G06F 13/14 (2006.01)
    G   PHYSICS
    06  COMPUTING; CALCULATING OR COUNTING
    F   ELECTRIC DIGITAL DATA PROCESSING
    13  Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    14  Handling requests for interconnection or transfer
CPC
  G06F 21/54
    G   PHYSICS
    06  COMPUTING; CALCULATING; COUNTING
    F   ELECTRIC DIGITAL DATA PROCESSING
    21  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    50  Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    52  during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    54  by adding security routines or objects to programs
  G06F 21/566
    G   PHYSICS
    06  COMPUTING; CALCULATING; COUNTING
    F   ELECTRIC DIGITAL DATA PROCESSING
    21  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    50  Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    55  Detecting local intrusion or implementing counter-measures
    56  Computer malware detection or handling, e.g. anti-virus arrangements
    566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Applicants
  • MCAFEE, INC. [US]/[US] (AllExceptUS)
  • NOJIRI, Daisuke [JP]/[US] (UsOnly)
Inventors
  • NOJIRI, Daisuke
Agents
  • FRANZ, Paul E.
Priority Data
12/629,330  02.12.2009  US
Publication Language English (EN)
Filing Language English (EN)
Title
(EN) HOOKING NONEXPORTED FUNCTIONS BY THE OFFSET OF THE FUNCTION
(FR) HOOKING OF NONEXPORTED FUNCTIONS USING THE OFFSET OF A FUNCTION
Abstract
(EN)
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes accessing offset data associated with a binary executable, the offset data including an offset of a nonexported function; and modifying instructions at the offset. In another aspect, a method includes analyzing a reference generated for a binary executable, identifying a unique identifier for the binary executable, determining an offset of a nonexported function in the binary executable, and generating offset data that includes the offset and the unique identifier.
(FR)
The invention relates to methods, systems, and apparatus, including computer programs encoded on a computer storage medium, intended for obfuscated malware. According to one aspect of the invention, a method comprises: accessing offset data that is associated with a binary executable and that includes an offset of a nonexported function; and modifying the instructions at the offset. According to another aspect of the invention, a method comprises: analyzing a reference generated for a binary executable; identifying a unique identifier corresponding to that binary executable; determining an offset of a nonexported function in the binary executable; and generating offset data including said offset and said unique identifier.
Latest bibliographic data on file with the International Bureau