Patent · US Active

Generic unpacking of program binaries

US10311233B2 · kind B2 · utility

0Cited by

2References

19Claims

0Family size

Assignee

McAfee, LLC · US

Inventors

Amit Malik · Palatine, US
Vikas Taneja · Redmond, US
Benjamin Cruz · Santa Clara, US

Key dates

Filing date	Dec 23, 2014
Grant date	Jun 4, 2019
Priority date	—
Expiry date	Dec 23, 2034

Classification

Technology area (CPC G)Physics
CPC primaryG06F2221/034
WIPO fieldComputer technology
WIPO sectorElectrical engineering

Abstract

By hooking application programming interfaces in an execution environment, the return address for hooked application programming interface calls can be logged and used to determine when a packed binary has been unpacked. In one approach, memory allocations are detected and the return address is checked against the memory regions allocated. In another approach, the contents of memory at the return address in a pre-execution copy of the executable binary is compared with the contents of memory at the return address in the executing copy of the binary. This allows efficient detection of the completion of unpacking without knowledge of the unpacking technique. The unpacked binary may then be analyzed for possible malware.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.