Tracking memory mapping to prevent packers from evading the scanning of dynamically created code
US8104089B1 · kind B1 · utility
Assignee
Inventors
Key dates
| Filing date | Dec 31, 2007 |
| Grant date | Jan 24, 2012 |
| Priority date | — |
| Expiry date | Aug 12, 2030 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F21/566
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
To detect possible malicious code that is unpacked at runtime before it is executed, antivirus software requires that any dynamically created code be scanned before it can be executed by a host computer system. This requirement may be enforced by requiring memory pages to be either executable or writable, but not both. Before changing from writable but not executable to executable but not writable, the page is scanned for malicious code. To prevent packers from evading this scanning, a countermeasure tracks the memory mapping in the host system to enforce consistency in the protection settings for all memory spaces that are mapped to the same physical memory page.
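The following toy model illustrates the consistency rule the abstract describes. It is an added example, not code from the patent or its assignee. The `MappingTracker` class, the frame and address numbers, and the `SIGNATURE` byte string are all constructed for illustration, and a substring match stands in for the antivirus scan.

```python
SIGNATURE = b"EVIL"  # constructed stand-in for a malware signature

class MappingTracker:
    """Toy model: every alias of a physical frame obeys write-xor-execute."""
    def __init__(self):
        self.frames = {}    # frame id -> bytearray page contents
        self.frame_of = {}  # (pid, vaddr) -> frame id
        self.prot = {}      # (pid, vaddr) -> subset of {"w", "x"}
        self.aliases = {}   # frame id -> set of (pid, vaddr) mapped to it

    def map_page(self, pid, vaddr, frame, want):
        """Map a virtual page onto a frame, then apply the requested protection."""
        key = (pid, vaddr)
        self.frames.setdefault(frame, bytearray(16))
        self.frame_of[key] = frame
        self.aliases.setdefault(frame, set()).add(key)
        self.prot[key] = set()  # no access until protect() approves
        return self.protect(pid, vaddr, want)

    def protect(self, pid, vaddr, want):
        """Change protection; the decision is made per frame, not per mapping."""
        key = (pid, vaddr)
        frame, want = self.frame_of[key], set(want)
        if {"w", "x"} <= want:
            return False  # writable and executable at once is never allowed
        others = self.aliases[frame] - {key}
        if "x" in want:
            if SIGNATURE in self.frames[frame]:
                return False  # scan before the page may become executable
            for k in others:
                self.prot[k].discard("w")  # no alias may stay writable
        if "w" in want:
            for k in others:
                self.prot[k].discard("x")  # no alias may stay executable
        self.prot[key] = want
        return True

    def write(self, pid, vaddr, data):
        key = (pid, vaddr)
        if "w" not in self.prot[key]:
            return False  # a real system would raise a page fault here
        self.frames[self.frame_of[key]][:len(data)] = data
        return True

    def can_execute(self, pid, vaddr):
        return "x" in self.prot[(pid, vaddr)]

if __name__ == "__main__":
    t = MappingTracker()
    t.map_page(1, 0x1000, 7, "w")       # writable view of frame 7
    t.map_page(1, 0x2000, 7, "x")       # executable alias revokes write on 0x1000
    print(t.write(1, 0x1000, b"EVIL"))  # False
```

Without the alias bookkeeping, the write through `0x1000` would succeed after the scan had already approved the frame through `0x2000`, which is the gap the tracking closes.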
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.