1. Protecting computers against virtual machine exploits
    Granted invention patent (in force)

    Publication (announcement) No.: US08484732B1

    Publication date: 2013-07-09

    Application No.: US13364012

    Filing date: 2012-02-01

    IPC class: G06F21/00

    CPC class: G06F21/53

    Abstract: Computers are protected against virtual machine exploits. A computer includes an exploit monitor for a virtual machine running in the computer. Loading of a virtual machine program in the virtual machine triggers the exploit monitor to modify the virtual machine program after the virtual machine program is loaded in the virtual machine but before the virtual machine program is executed in the virtual machine. The modification includes adding monitoring code, such as one or more checkpoints, in the virtual machine program. When the monitoring code is reached during execution of the virtual machine program in the virtual machine, the virtual machine program is evaluated to determine whether or not the virtual machine program is a virtual machine exploit.

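The load-time instrumentation and checkpoint evaluation described in the abstract, as an added example that is not the patent's code. The abstract does not name the virtual machine, so it is modelled here as a tiny stack machine; the instruction set, the API names (`disable_security_manager`, `reflect_invoke`) and the rule the monitor applies at a checkpoint are assumptions made for illustration. The point the example makes is that the checkpoint runs inside the program's own execution, so the monitor can look at the operand stack and catch a sensitive call even when its target is only resolved at run time.

```python
# Added example, not code from the patent: a toy stack VM whose loader
# instruments a program after it has been loaded and before it is executed,
# inserting a CHECK (checkpoint) in front of every CALL. When execution
# reaches a CHECK, the monitor inspects the VM state and decides whether the
# program is an exploit. The instruction set, the API names and the
# evaluation heuristic are assumptions made for illustration.

# Sandbox policy (assumption): APIs an untrusted program must never reach.
SENSITIVE_CALLS = {"disable_security_manager", "exec_native"}
# Reflection-style API (assumption): its real target is the value on top of
# the operand stack, so it is a classic way to hide a sensitive call.
INDIRECT_CALL = "reflect_invoke"


def load(code):
    """Loader hook, run after load and before execution.
    Returns an instrumented copy with a CHECK before each CALL."""
    instrumented = []
    for op, arg in code:
        if op == "CALL":
            instrumented.append(("CHECK", None))
        instrumented.append((op, arg))
    return instrumented


def evaluate(state, guarded):
    """Monitor logic at a checkpoint. `guarded` is the CALL that follows the
    CHECK; `state` is the VM state at that moment. Returns a reason string
    if the program looks like an exploit, else None."""
    _, target = guarded
    if target in SENSITIVE_CALLS:
        return "direct call to " + target
    if target == INDIRECT_CALL and state["stack"] and state["stack"][-1] in SENSITIVE_CALLS:
        return "indirect call to %s via %s" % (state["stack"][-1], INDIRECT_CALL)
    return None


def run(code):
    """Execute a (possibly instrumented) program.
    Returns (verdict, reason, state); verdict is 'exploit' or 'benign'."""
    state = {"stack": [], "calls": [], "checkpoints": 0}
    pc = 0
    while pc < len(code):
        op, arg = code[pc]
        if op == "CHECK":
            state["checkpoints"] += 1
            reason = evaluate(state, code[pc + 1])
            if reason is not None:
                return "exploit", reason, state
        elif op == "PUSH":
            state["stack"].append(arg)
        elif op == "CALL":
            # Toy calling convention: every call consumes one stack argument.
            argument = state["stack"].pop() if state["stack"] else None
            state["calls"].append((arg, argument))
        elif op == "HALT":
            break
        else:
            raise ValueError("unknown opcode %r" % op)
        pc += 1
    return "benign", None, state


# Constructed programs: one benign, one calling a sensitive API directly,
# one reaching the same API through the reflection-style call.
BENIGN = [("PUSH", "hello"), ("CALL", "print"), ("HALT", None)]
DIRECT = [("PUSH", None), ("CALL", "disable_security_manager"), ("HALT", None)]
INDIRECT = [("PUSH", "disable_security_manager"), ("CALL", "reflect_invoke"), ("HALT", None)]

if __name__ == "__main__":
    for name, prog in (("benign", BENIGN), ("direct", DIRECT), ("indirect", INDIRECT)):
        verdict, reason, _ = run(load(prog))
        print(name, verdict, reason)
```

Running the same `INDIRECT` program without the `load()` step reports it as benign with zero checkpoints reached, which is why the instrumentation must happen before the first instruction executes rather than as a static scan of the program bytes.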

2. Tuning sandbox behavior based on static characteristics of malware
    Granted invention patent (in force)

    Publication (announcement) No.: US09355246B1

    Publication date: 2016-05-31

    Application No.: US14098488

    Filing date: 2013-12-05

    IPC classes: G06F11/00 G06F21/53 H04L29/06

    Abstract: An emulator on a host computer includes a static analysis module that analyzes executable code of a suspicious sample to determine whether the code identifies that a particular packing program (packer) has packed the sample. Once identified, a custom configuration file is generated that identifies particular API hooks or instructions that should be disabled (or enabled) so that the sample file cannot use these hooks or instructions to detect that it is executing within an emulator. The emulator (such as a virtual machine or sandbox) is configured using the configuration file. The suspicious sample is then executed and its behaviors are collected. The sample is prevented from detecting that it is operating within an emulator and thus prevented from terminating prematurely. Malicious behaviors are scored and a total score indicates whether or not the suspicious sample is malicious. Static analysis identifies signatures, instructions or strings.

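The pipeline in the abstract (static packer identification, per-sample hook configuration, collection and scoring) as an added example that is not the patent's code. The packer signature table, the hook names, the behavior weights, the threshold and the sample bytes are all constructed assumptions; the emulator itself is reduced to a function that models the one property the abstract relies on, namely that a sample which finds one of its probed hooks still active exits before showing its real behavior.

```python
# Added example, not the patent's code: static pre-analysis of a sample to
# identify its packer, generation of a per-sample sandbox configuration that
# disables the emulator hooks that packer probes, and scoring of the
# behaviours collected afterwards. Signature table, hook names, sample bytes,
# weights and threshold are constructed assumptions.

# Static signatures (assumption): byte strings a scanner finds in the packed
# file, and the anti-emulation checks each packer is known to perform.
PACKER_SIGNATURES = {
    "upx":     {"strings": [b"UPX0", b"UPX1", b"UPX!"],
                "evasion": ["IsDebuggerPresent"]},
    "themida": {"strings": [b".themida", b"Themida"],
                "evasion": ["cpuid", "rdtsc", "NtQueryInformationProcess"]},
}

# Hooks / instrumented instructions the emulator installs by default
# (assumption). A hooked API or instruction is observable by the sample
# (patched prologue, timing skew), so it is also where the sample can spot
# the emulator. True = hook enabled.
DEFAULT_HOOKS = {
    "IsDebuggerPresent": True, "NtQueryInformationProcess": True,
    "GetTickCount": True, "cpuid": True, "rdtsc": True,
    "CreateFileW": True, "RegSetValueExW": True, "connect": True,
}

# Behaviour weights and verdict threshold (assumption).
WEIGHTS = {"drop_executable": 3, "persist_run_key": 4,
           "inject_remote_thread": 5, "beacon": 3, "read_own_file": 0}
MALICIOUS_THRESHOLD = 7


def identify_packer(data):
    """Static analysis: first packer whose signature string occurs in the bytes."""
    for name, sig in PACKER_SIGNATURES.items():
        if any(s in data for s in sig["strings"]):
            return name
    return None


def build_config(packer):
    """Custom configuration: start from the defaults, disable the hooks this
    packer uses to detect emulation, leave every other hook in place."""
    config = dict(DEFAULT_HOOKS)
    for hook in PACKER_SIGNATURES.get(packer, {"evasion": []})["evasion"]:
        config[hook] = False
    return config


def emulate(sample, config):
    """Simulated run: the sample probes its evasion checks first; if any
    probed hook is still enabled it detects the emulator and terminates
    before its real behaviour. Returns the behaviours collected."""
    for probe in sample["probes"]:
        if config.get(probe, False):
            return []  # premature termination, nothing collected
    return list(sample["behaviours"])


def score(behaviours):
    total = sum(WEIGHTS.get(b, 1) for b in behaviours)
    return total, total >= MALICIOUS_THRESHOLD


def analyse(sample):
    """Static analysis -> config -> emulate -> score."""
    packer = identify_packer(sample["bytes"])
    behaviours = emulate(sample, build_config(packer))
    total, malicious = score(behaviours)
    return {"packer": packer, "behaviours": behaviours,
            "score": total, "malicious": malicious}


# Constructed sample: a Themida-packed dropper that probes cpuid and rdtsc
# before dropping a file, adding a Run key and beaconing out.
SAMPLE = {
    "bytes": b"MZ\x90\x00" + b"\x00" * 32 + b".themida" + b"\x00" * 16,
    "probes": ["cpuid", "rdtsc"],
    "behaviours": ["drop_executable", "persist_run_key", "beacon"],
}

if __name__ == "__main__":
    print("untuned:", emulate(SAMPLE, DEFAULT_HOOKS))
    print("tuned:  ", analyse(SAMPLE))
```

Only the hooks the identified packer is known to probe are switched off; the hooks that record the behaviors worth scoring (file creation, registry writes, network connects) stay enabled, which is what keeps the collected report useful.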

3. Document exploit detection using baseline comparison
    Granted invention patent (in force)

    Publication (announcement) No.: US09239922B1

    Publication date: 2016-01-19

    Application No.: US13794400

    Filing date: 2013-03-11

    IPC classes: G06F21/56 G06F21/55

    Abstract: An application document known to include malware (such as a document exploit) is opened and executed by its corresponding software application. Behaviors of this document (such as registry, file system, network and process) are monitored and recorded using internal software drivers and hook modules. A behavior report is generated and a baseline pattern is created including a number of regular expressions. A suspicious document of the same type as the monitored document is opened and executed by the same corresponding software application. Behaviors are monitored in the same way and a behavior report is generated. This behavior report is compared to the baseline pattern and a determination is made as to whether a document exploit is present. Known benign documents may also be opened, monitored and their behavior recorded, resulting in creation of a known benign pattern for the corresponding software application.

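The baseline construction and comparison described in the abstract, as an added example that is not the patent's code. The event format, the reader name (`reader.exe`), the constructed behavior reports, the generalisation rules and the 75% match threshold are assumptions; real reports would come from the kernel drivers and hook modules the abstract mentions. The interesting step is turning concrete recorded events into regular expressions: the parts that change from run to run (user name, temp file name, Run value name, remote address) become wildcards, so a new document that repeats the exploit's behavior still matches.

```python
# Added example, not the patent's code: behaviour reports from a document
# reader are generalised into a baseline of regular expressions, and a
# suspicious document's report is compared against it. Event format, reader
# name, reports, rules and threshold are constructed assumptions.
import re

# Generalisation rules: (regex whose group 1 is kept, placeholder, wildcard).
# Each replaces a run-specific fragment of an event with a wildcard.
RULES = [
    (r"(\\Users\\)[^\\]+", "USER", r"[^\\]+"),
    (r"(\\Temp\\)[^\\ ]+", "TMP", r"[^\\ ]+"),
    (r"(\\Run\\)[^\\ ]+", "NAME", r"[^\\ ]+"),
    (r"()\b\d{1,3}(?:\.\d{1,3}){3}:\d+\b", "ADDR", r"\d{1,3}(?:\.\d{1,3}){3}:\d+"),
]


def generalize(event):
    """Turn one recorded event into an anchored regex: mark the variable
    parts, escape everything else, then swap the marks for wildcards."""
    for regex, name, _ in RULES:
        event = re.sub(regex, lambda m, n=name: m.group(1) + "<" + n + ">", event)
    pattern = re.escape(event)
    for _, name, wildcard in RULES:
        pattern = pattern.replace(re.escape("<" + name + ">"), wildcard)
    return "^" + pattern + "$"


def build_pattern(report):
    """Baseline pattern: one regex per recorded event."""
    return [generalize(e) for e in report]


def compare(report, baseline, benign_pattern=()):
    """Fraction of baseline regexes matched by at least one event of the
    report, after discarding events that match the known-benign pattern."""
    events = [e for e in report if not any(re.match(p, e) for p in benign_pattern)]
    hits = [p for p in baseline if any(re.match(p, e) for e in events)]
    return len(hits) / len(baseline), hits


def detect(report, baseline, benign_pattern=(), threshold=0.75):
    """(exploit_present, match_ratio, matched_patterns)."""
    ratio, hits = compare(report, baseline, benign_pattern)
    return ratio >= threshold, ratio, hits


# Constructed reports, written the way the monitoring drivers might log them.
KNOWN_MALICIOUS = [
    "process: reader.exe created C:\\Users\\alice\\AppData\\Local\\Temp\\a1b2.tmp.exe",
    "process: reader.exe spawned C:\\Users\\alice\\AppData\\Local\\Temp\\a1b2.tmp.exe",
    "registry: set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "network: connect 203.0.113.7:8080",
]
KNOWN_BENIGN = [
    "file: reader.exe read C:\\Users\\alice\\Documents\\report.pdf",
    "registry: read HKCU\\Software\\Reader\\Recent",
]
SUSPICIOUS = [
    "file: reader.exe read C:\\Users\\bob\\Downloads\\invoice.pdf",
    "process: reader.exe created C:\\Users\\bob\\AppData\\Local\\Temp\\zz9.tmp.exe",
    "process: reader.exe spawned C:\\Users\\bob\\AppData\\Local\\Temp\\zz9.tmp.exe",
    "registry: set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchostx",
    "network: connect 198.51.100.23:443",
]
CLEAN = [
    "file: reader.exe read C:\\Users\\carol\\Documents\\notes.pdf",
    "registry: read HKCU\\Software\\Reader\\Recent",
]

BASELINE = build_pattern(KNOWN_MALICIOUS)
BENIGN = build_pattern(KNOWN_BENIGN)

if __name__ == "__main__":
    for p in BASELINE:
        print(p)
    print("suspicious:", detect(SUSPICIOUS, BASELINE, BENIGN)[:2])
    print("clean:     ", detect(CLEAN, BASELINE, BENIGN)[:2])
```

The benign pattern is applied as a filter before matching, so events every document of that type produces (reading the file itself, touching the reader's recent-files key) neither count toward nor against the verdict; the threshold then expresses how much of the known exploit's behavior a suspicious document must reproduce.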