Detecting malicious software through process dump scanning
US7568233B1 · kind B1 · utility
Assignee
Inventors
Key dates
| Filing date | Apr 1, 2005 |
| Grant date | Jul 28, 2009 |
| Priority date | — |
| Expiry date | Aug 8, 2027 |
Classification
- Technology area (CPC G)Physics
- CPC primaryG06F21/564
- WIPO fieldComputer technology
- WIPO sectorElectrical engineering
Abstract
An executable file containing malicious software can be packed using a packer to make the software difficult to detect. The executable file is loaded into the computer's memory and executed as a process. A memory dump module analyzes the address space for the process and identifies an executable file image within it. The memory dump module creates a memory dump file on the computer's storage device containing the file image and modifies the file to make it resemble a normal executable file. A signature scanning module scans the memory dump file for signatures of malicious software. If a signature is found in the file, a reporting module sends the host file for the process and the memory dump file to a security server for analysis.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.