- Patent Title: System and method for programmatic runtime de-obfuscation of obfuscated software utilizing virtual machine introspection and manipulation of virtual machine guest memory permissions
- Application No.: US15284200
- Application Date: 2016-10-03
- Publication No.: US10380343B1
- Publication Date: 2019-08-13
- Inventor: Robert Jung, Antony Saba
- Applicant: FireEye, Inc.
- Applicant Address: US CA Milpitas
- Assignee: FireEye, Inc.
- Current Assignee: FireEye, Inc.
- Current Assignee Address: US CA Milpitas
- Agency: Rutan & Tucker, LLP
- Main IPC: G06F21/56
- IPC: G06F21/56; G06F9/455

Abstract:
A system and method for performing runtime de-obfuscation of obfuscated malicious software code in a virtual machine is described. According to one embodiment, the method involves enumerating a first physical page associated with a first virtual address space of a first piece of analyzed software code. Herein, the first virtual address space is a portion of a virtual address space associated with the virtual machine. Thereafter, the first physical page is set to a non-writable permission. Hence, upon detection of a write to the first physical page by the first piece of analyzed software code, a determination can be made that the first piece of analyzed software code may be categorized as malicious software code.