Patent · US Active

Methods of identifying heap spray attacks using memory anomaly detection

US10430586B1 · kind B1 · utility

23 Cited by
9 References
26 Claims
0 Family size

Assignee

Inventors

Key dates

Filing date: Sep 7, 2016
Grant date: Oct 1, 2019
Priority date
Expiry date: May 30, 2037

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F2221/034
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A non-transitory storage medium including instructions that are executable by one or more processors to perform operations including instrumenting a VM is shown. The VM is used to process an object to determine whether the object is associated with malware. Logic within the VM analyzes memory allocated for a process within the VM for a point of interest (POI), the POI being an address of one of a set of predetermined instructions likely to be associated with malware. The VMM detects a memory violation during processing of the object and, responsive to detecting the memory violation, injects a transition event at the POI on the page on which the POI is located in memory. Further, responsive to detecting an attempted execution of the transition event, the VMM (i) emulates an instruction located at the POI, and (ii) the logic within the VM performs one or more malware detection routines.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.