(WO2017003601) SHELLCODE DETECTION
Note: Text based on automatic optical character recognition processes. Only the PDF version has legal value.

CLAIMS:

1. At least one machine readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:

monitor code as it executes, wherein the code includes self-modifying code; and log the event if the self-modifying code occurred in a GetPC address region.

2. The at least one machine readable medium of Claim 1, comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:

analyze the code for malware.

3. The at least one machine readable medium of any of Claims 1 and 2, comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:

seed a poison GetPC address in the GetPC address region.

4. The at least one machine readable medium of Claim 3, wherein the poison GetPC address causes a memory fault.

5. The at least one machine readable medium of Claim 1, comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:

log the event if it is determined that a memory fault exception occurred during translation and the memory fault translation matches with an invalid address.

6. The at least one machine readable medium of Claim 1, further comprising one or more instructions that when executed by at least one processor, further cause the at least one processor to:

communicate the code to a security module if the self-modifying code occurred in a GetPC address region.

7. The at least one machine-readable medium of Claim 1, further comprising one or more instructions that when executed by at least one processor, further cause the at least one processor to:

determine if an exception occurred during a translation of the code; and

log the event if the exception occurred at an invalid address.

8. The at least one machine-readable medium of Claim 1, further comprising one or more instructions that when executed by at least one processor, further cause the at least one processor to:

communicate the code to a security module if the code is in a writeable memory region.

9. An apparatus comprising:

an execution profiling binary translation module configured to:

monitor code as it executes, wherein the code includes self-modifying code; and

log the event if the self-modifying code occurred in a GetPC address region.

10. The apparatus of Claim 9, wherein the apparatus further includes:

a security module configured to:

analyze the code for malware.

11. The apparatus of any of Claims 9 and 10, wherein the execution profiling binary translation module is further configured to:

seed a poison GetPC address in the GetPC address region.

12. The apparatus of Claim 11, wherein the poison GetPC address causes a memory fault.

13. The apparatus of Claim 9, wherein the execution profiling binary translation module is further configured to:

log the event if it is determined that a memory fault exception occurred during translation and the memory fault translation matches with an invalid address.

14. The apparatus of Claim 9, wherein the execution profiling binary translation module is further configured to:

communicate the code to a security module if the self-modifying code occurred in a GetPC address region.

15. The apparatus of Claim 9, wherein the execution profiling binary translation module is further configured to:

determine if an exception occurred during a translation of the code; and

log the event if the exception occurred at an invalid address.

16. The apparatus of Claim 9, wherein the execution profiling binary translation module is further configured to:

communicate the code to a security module if the code is in a writeable memory region.

17. A method comprising:

monitoring code as it executes, wherein the code includes self-modifying code; and logging the event if the self-modifying code occurred in a GetPC address region.

18. The method of Claim 17, further comprising:

analyzing the code for malware.

19. The method of any of Claims 17 and 18, further comprising:

seeding a poison GetPC address in the GetPC address region.

20. The method of Claim 19, wherein the poison GetPC address causes a memory fault.

21. The method of Claim 17, further comprising:

logging the event if it is determined that a memory fault exception occurred during translation and the memory fault translation matches with an invalid address.

22. The method of Claim 17, further comprising:

communicating the code to a security module if the self-modifying code occurred in a GetPC address region.

23. The method of Claim 17, further comprising:

determining if an exception occurred during a translation of the code; and logging the event if the exception occurred at an invalid address.

24. A system for detecting shellcode, the system comprising:

an execution profiling binary translation module configured for:

monitoring code as it executes, wherein the code includes self-modifying code; and

logging the event if the self-modifying code occurred in a GetPC address region.

25. The system of Claim 24, wherein the execution profiling binary translation module is further configured for:

seeding a poison GetPC address in the GetPC address region.
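The claims above describe a detection policy rather than an implementation. The following toy model is an added example, not code from the patent or its assignee, and it encodes one reading of the claims: a stream of abstract instructions stands in for the binary translator's view of executing code; a call immediately followed by a pop is treated as a GetPC idiom that opens a "GetPC address region" of an assumed width; writes landing in that region are logged as self-modifying code and handed to a security module (Claims 1 and 6); code running from writable memory is also handed off (Claim 8); and with poisoning enabled the pop receives a constructed unmapped address instead of the real one, so a later access through it faults, and the fault is logged only when its address matches a seeded poison page (Claims 3, 4, 5 and 7). The memory layout, the 0x40 region width, the 0xDEAD0000 poison base and the traces are all constructed for the example.

```python
"""Toy model of the execution-profiling monitor described in the claims.
Constructed example; the layout, window size and poison addresses are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Insn:
    pc: int
    op: str                     # "call", "pop", "store", "load" or "nop"
    addr: Optional[int] = None  # absolute target of a store/load
    rel: Optional[int] = None   # or a displacement from the register the GetPC pop filled


@dataclass
class Monitor:
    mapped: List[Tuple[int, int]]      # [lo, hi) ranges that are mapped at all
    writable: List[Tuple[int, int]]    # [lo, hi) ranges that are writable
    poison_enabled: bool = True
    getpc_window: int = 0x40           # assumed width of a GetPC address region
    poison_base: int = 0xDEAD0000      # constructed unmapped address used as poison
    regions: List[Tuple[int, int]] = field(default_factory=list)
    poison_pages: List[Tuple[int, int]] = field(default_factory=list)
    events: List[Tuple[str, int]] = field(default_factory=list)    # what gets logged
    handoff: List[Tuple[str, int]] = field(default_factory=list)   # what goes to the security module

    @staticmethod
    def _in(ranges, a):
        return any(lo <= a < hi for lo, hi in ranges)

    def run(self, trace):
        getpc_reg = None   # value the GetPC idiom left in its register
        prev = None
        for insn in trace:
            if self._in(self.writable, insn.pc):
                self.handoff.append(("writable-exec", insn.pc))       # Claim 8
            if insn.op == "pop" and prev is not None and prev.op == "call":
                # call/pop pair: the pop retrieves the return address, i.e. its own location
                self.regions.append((prev.pc, prev.pc + self.getpc_window))
                if self.poison_enabled:                                # Claims 3 and 4
                    page = self.poison_base + 0x1000 * len(self.poison_pages)
                    self.poison_pages.append((page, page + 0x1000))
                    getpc_reg = page
                else:
                    getpc_reg = insn.pc                                # the real address
            elif insn.op in ("store", "load"):
                if insn.rel is not None:
                    if getpc_reg is None:
                        raise ValueError("GetPC-relative access before any GetPC idiom")
                    target = getpc_reg + insn.rel
                else:
                    target = insn.addr
                if not self._in(self.mapped, target):
                    # memory fault while translating this instruction (Claims 5 and 7)
                    kind = "poison-fault" if self._in(self.poison_pages, target) else "fault"
                    self.events.append((kind, target))
                elif insn.op == "store" and self._in(self.regions, target):
                    self.events.append(("self-modify-in-getpc", insn.pc))   # Claim 1
                    self.handoff.append(("self-modify", insn.pc))           # Claim 6
            prev = insn
        return self.events


# Constructed layout: read-only text at 0x1000, a writable buffer at 0x7000.
LAYOUT = dict(mapped=[(0x1000, 0x2000), (0x7000, 0x8000)], writable=[(0x7000, 0x8000)])

# Constructed traces. BENIGN: ordinary code in text touching the buffer.
BENIGN = [Insn(0x1000, "load", addr=0x7010), Insn(0x1005, "store", addr=0x7020), Insn(0x100A, "nop")]
# SELF_PATCHING: code running from the buffer locates itself, then patches bytes just ahead.
SELF_PATCHING = [Insn(0x7000, "call"), Insn(0x7005, "pop"),
                 Insn(0x7006, "store", rel=0x20), Insn(0x700B, "nop")]


def analyze(trace, poison=True):
    """Run the monitor over a trace; returns (logged events, security-module handoffs)."""
    m = Monitor(poison_enabled=poison, **LAYOUT)
    m.run(trace)
    return m.events, m.handoff


if __name__ == "__main__":
    for name, tr in (("benign", BENIGN), ("self-patching", SELF_PATCHING)):
        for poison in (False, True):
            print(name, "poison" if poison else "no poison", analyze(tr, poison))
```

Running the two traces side by side shows the two paths the claims describe: without poisoning, the self-patching trace produces a `self-modify-in-getpc` event at the store and two handoffs; with poisoning, the same store never reaches real memory and instead yields a `poison-fault` at an address inside the seeded page, which is the condition Claim 5 keys on.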