API-profile guided unpacking
Patent number: 7,814,544
Type: Reexamination Certificate
Status: active
Filed: 2006-06-22
Issued: 2010-10-12
Examiner: Revak, Christopher A (Department: 2431)
Classification: Information security – Monitoring or scanning of software or data including attack... (C719S328000)
ABSTRACT:
An executable program including packed code is launched in an API-monitored environment, such as a sandboxed environment, in which each call to an API issued by the executable program is intercepted. A packer API profile list including one or more packer API profiles identifying associated sets of one or more APIs utilized by an associated known packer to unpack packed code is accessed. The executable program is allowed to run so long as the executable program issues calls to APIs within an API set of a packer API profile in the packer API profile list. When the executable program issues a call to an API not within an API set of a packer API profile in said packer API profile list, the packed code is assumed to be unpacked in memory as a memory image. The memory image is evaluated, e.g., scanned, for malicious code, and upon detection of malicious code, protective action is taken.
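The abstract describes a simple state machine: intercept every API call, let the program run while each call lies inside the API set of some known packer profile, and treat the first call outside all profiles as the signal that the packed body is now in the clear and can be scanned. The following toy model, added here as an example and not code from the patent or from Symantec, walks through that sequence on a constructed packed program. The packer profiles, the byte signature, the XOR "packing" and the scripted process are all assumptions made for illustration; a real implementation would hook the Win32 API inside a sandbox and build its profile list from observed packers.

```python
"""Toy model of API-profile guided unpacking (added example, not the patent's code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Packer API profiles: packer name -> set of APIs its unpacking stub uses.
# These sets are constructed for the example, not taken from the patent.
PACKER_API_PROFILES: Dict[str, Set[str]] = {
    "UPX-like": {"LoadLibraryA", "GetProcAddress", "VirtualProtect"},
    "Alloc-based": {"LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                    "VirtualProtect", "VirtualFree"},
}

# Constructed byte signature standing in for a real malware pattern.
SIGNATURE = b"EVIL-PAYLOAD"


def xor_transform(data: bytes, key: int) -> bytes:
    """Symmetric XOR 'packing': the signature is invisible until decoded."""
    return bytes(b ^ key for b in data)


def scan_memory(image: bytes) -> int:
    """Offset of the signature in the memory image, or -1 if not present."""
    return image.find(SIGNATURE)


@dataclass
class ScriptedProcess:
    """Stand-in for the launched executable inside the sandbox.

    `calls` lists the API calls the program issues, in order. An entry may
    carry a (lo, hi) range that the unpacking stub decodes in place just
    before issuing that call (a stub decoding a section, then calling
    VirtualProtect on it).
    """
    memory: bytearray
    key: int
    calls: List[Tuple[str, Optional[Tuple[int, int]]]] = field(default_factory=list)

    def run(self) -> Iterator[str]:
        for api, region in self.calls:
            if region is not None:
                lo, hi = region
                self.memory[lo:hi] = xor_transform(bytes(self.memory[lo:hi]), self.key)
            yield api  # the API hook intercepts the call at this point


@dataclass
class Verdict:
    trigger_api: Optional[str]      # first API outside every profile (None: ran to exit)
    calls_before_trigger: int
    consistent_profiles: List[str]  # profiles whose API set covers every call seen
    signature_offset: int           # -1 if the scanned image is clean

    @property
    def malicious(self) -> bool:
        return self.signature_offset >= 0


def monitor(process: ScriptedProcess,
            profiles: Dict[str, Set[str]] = PACKER_API_PROFILES) -> Verdict:
    """Run while calls stay inside some packer profile; on the first call
    outside all profiles, assume the image is unpacked and scan it."""
    allowed = set().union(*profiles.values())
    seen: List[str] = []
    for api in process.run():
        if api not in allowed:
            # Protective action: a real system suspends the process here, before
            # the intercepted call executes, then scans and kills/quarantines.
            consistent = [n for n, apis in profiles.items() if set(seen) <= apis]
            return Verdict(api, len(seen), consistent, scan_memory(bytes(process.memory)))
        seen.append(api)
    # Ran to exit without leaving the profiles. Scanning on exit is my choice;
    # the abstract does not cover this case.
    consistent = [n for n, apis in profiles.items() if set(seen) <= apis]
    return Verdict(None, len(seen), consistent, scan_memory(bytes(process.memory)))


def build_process(prefix_calls: Optional[List[str]] = None) -> ScriptedProcess:
    """Constructed packed program: an 8-byte clear stub followed by an XOR-packed
    body containing the signature. `prefix_calls` prepends extra API calls to
    model an evasive stub that calls an unprofiled API before unpacking."""
    plain = b"<stub>: EVIL-PAYLOAD then more unpacked code"
    key, stub_len = 0x5A, 8
    memory = bytearray(plain[:stub_len] + xor_transform(plain[stub_len:], key))
    mid = stub_len + (len(plain) - stub_len) // 2
    calls = [(api, None) for api in (prefix_calls or [])] + [
        ("LoadLibraryA", None),
        ("GetProcAddress", None),
        ("VirtualAlloc", None),
        ("VirtualProtect", (stub_len, mid)),    # stub decodes first half, then protects it
        ("VirtualProtect", (mid, len(plain))),  # second half
        ("CreateFileA", None),                  # outside every profile: scan fires here
        ("WriteFile", None),
    ]
    return ScriptedProcess(memory, key, calls)


if __name__ == "__main__":
    proc = build_process()
    print("signature offset at launch:", scan_memory(bytes(proc.memory)))
    v = monitor(proc)
    print(v.trigger_api, v.calls_before_trigger, v.consistent_profiles, v.malicious)
    print("evasive stub detected:", monitor(build_process(["GetTickCount"])).malicious)
```

Two points worth noticing when running it. At launch the signature is not found, because the body is still packed; after the two VirtualProtect calls the first unprofiled call (CreateFileA) triggers the scan and the signature is found at offset 8, with only the "Alloc-based" profile consistent with the call sequence. The second run models the obvious failure mode of the scheme: a stub that issues any API outside the profile list (here GetTickCount) before it finishes unpacking makes the monitor scan a still-packed image and report it clean, so the profile list and the choice of trigger rule decide how much a packer author has to do to slip past it.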
REFERENCES:
patent: 6192512 (2001-02-01), Chess
patent: 6775780 (2004-08-01), Muttik
patent: 6931540 (2005-08-01), Edwards et al.
patent: 7134142 (2006-11-01), Smith
patent: 7349931 (2008-03-01), Horne
patent: 7526805 (2009-04-01), Chu et al.
patent: 7559091 (2009-07-01), Chu et al.
patent: 7577997 (2009-08-01), Chu et al.
patent: 2003/0074573 (2003-04-01), Hursey et al.
patent: 2003/0115479 (2003-06-01), Edwards et al.
patent: 2003/0196103 (2003-10-01), Edwards et al.
patent: 2003/0233566 (2003-12-01), Kouznetsov et al.
patent: 2004/0015712 (2004-01-01), Szor
patent: 2004/0209608 (2004-10-01), Kouznetsov et al.
patent: 2005/0108562 (2005-05-01), Khazan et al.
patent: 2005/0154900 (2005-07-01), Muttik
patent: 2005/0172337 (2005-08-01), Bodorin et al.
patent: 2006/0179484 (2006-08-01), Scrimsher et al.
patent: 2009/0126017 (2009-05-01), Chahal
John Ogness, Dazuko: An Open Solution to Facilitate ‘On-Access’ Scanning, Sep. 2003, Virus Bulletin Conference, pp. 1-5.
Nachenberg, C., U.S. Appl. No. 10/404,756, filed Mar. 31, 2003, entitled “Function Call Initiated Memory Scanning and Stack State Analysis System and Method” (27 pages, 4 sheets).
Abril, Eduardo, “Unpacking by Code Injection”, CodeBreakers Journal, vol. 1, Issue 1, Mar. 2006, pp. 1-27 [online]. Retrieved on May 31, 2006. Retrieved from the Internet:<URL:http://www.codebreakers-journal.com/index.php/CodeBreakersJournal/article/view/17/17>.
Evron, Gadi, “Vulnerability Development: Re: unpacking UPX or PE-packed binaries”, posting of Apr. 23, 2004, pp. 1-3 [online]. Retrieved on May 31, 2006. Retrieved from the Internet:<URL:http://seclists.org/lists/vuln-dev/2004/Apr/0026.html>.
Heller, Thomas, “[Python-Dev] an idea for improving struct.unpack api”, posting of Jan. 6, 2005, pp. 1-2 [online]. Retrieved on May 31, 2006. Retrieved from the Internet:<URL:http://mail.python.org/pipermail/python-dev/2005-January/050735.html>.
No author given, “PE Explorer UPX Unpacker Plug-in”, pp. 1-2 [online]. Retrieved on May 31, 2006. Retrieved from the Internet:<URL:http://www.heaventools.com/PE_Explorer_plug-ins.htm>.
No author given, “Security Alert”, Jan. 13, 2006, pp. 1-2 [online]. Retrieved on May 31, 2006. Retrieved from the Internet:<URL:http://securityreason.com/securityalert/342>.
No author given, “Unpacker win 32”, pp. 1-4 [online]. Retrieved on May 31, 2006. Retrieved from the Internet:<URL:http://www.freedownloadscenter.com/Best/unpacker-win32.html>.
Inventor: Almamun Abdullah
Attorney/Agent: Gunnison Forrest, Gunnison McKay & Hodgson, L.L.P.
Examiner: Revak Christopher A
Assignee: Symantec Corporation