Abstract
A system, method and media are shown for detecting potentially malicious code by iteratively emulating it. For each offset of a memory image, execution of the instruction at that offset is emulated on a first platform; if execution fails, it is determined whether the instruction at the offset has relevance to at least a second platform and, if so, execution of the instruction at the offset is emulated on the second platform. If execution succeeds, the behavior of the executing code is checked for suspect behavior, and the executing code is identified as malicious code if suspect behavior is detected. Refinements apply the same process to also determine aspects of information related to the target of any discovered code, malicious or otherwise.
Claims
1. A method for detecting potentially malicious code by iteratively emulating potentially malicious code, the method comprising the steps of:
for each offset of a memory image:
emulating execution of an instruction at the offset on a first platform;
if execution fails, determining whether the instruction at the offset has relevance to at least a second platform and, if so, emulating execution of the instruction at the offset on the second platform;
if execution succeeds, checking the behavior of the executing code for suspect behavior; and
identifying the executing code as malicious code if suspect behavior is detected.
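As an added illustration of the claimed scan loop (this is constructed example code, not the patent's own implementation), the model below uses two toy instruction sets as the "first" and "second" platforms, treats "relevance" as the offset's opcode being valid on the other platform, and uses a constructed behavior heuristic (a SYSCALL reached after a PUSH) as the suspect-behavior check.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed toy instruction sets: opcode byte -> (mnemonic, instruction length in bytes).
PLATFORM_A = {0x01: ("PUSH", 2), 0x02: ("POP", 1), 0x03: ("CALL", 3), 0x0F: ("SYSCALL", 1), 0xFF: ("HALT", 1)}
PLATFORM_B = {0x10: ("PUSH", 2), 0x11: ("POP", 1), 0x12: ("SYSCALL", 1), 0xFE: ("HALT", 1)}
PLATFORMS: List[Tuple[str, Dict[int, Tuple[str, int]]]] = [("A", PLATFORM_A), ("B", PLATFORM_B)]
MAX_STEPS = 16  # bound the emulation so a scan always terminates

# Constructed memory image: a platform-A sequence at offset 1 and a platform-B sequence at offset 5,
# surrounded by bytes that decode on neither platform.
SAMPLE_IMAGE = bytes([0x00, 0x01, 0x2A, 0x0F, 0xFF, 0x10, 0x05, 0x12, 0xFE])

@dataclass
class Finding:
    offset: int
    platform: str
    trace: List[str]  # mnemonics executed from the offset

def emulate(image: bytes, offset: int, isa: Dict[int, Tuple[str, int]]) -> Optional[List[str]]:
    """Decode and 'execute' from offset until HALT; None means execution failed on this platform."""
    trace, pc = [], offset
    for _ in range(MAX_STEPS):
        if pc >= len(image) or image[pc] not in isa:
            return None                      # undecodable byte or ran off the image
        mnem, length = isa[image[pc]]
        if pc + length > len(image):
            return None                      # truncated instruction
        trace.append(mnem)
        pc += length
        if mnem == "HALT":
            return trace
    return None                              # never halted within the step budget

def is_suspect(trace: List[str]) -> bool:
    """Constructed heuristic: a SYSCALL whose arguments were set up by an earlier PUSH."""
    return "SYSCALL" in trace and "PUSH" in trace[: trace.index("SYSCALL")]

def scan(image: bytes, platforms=PLATFORMS) -> List[Finding]:
    """The claimed loop: first platform, fall back to others only when the opcode is relevant there."""
    findings = []
    for offset in range(len(image)):
        name, isa = platforms[0]
        trace = emulate(image, offset, isa)
        if trace is None:
            for name, isa in platforms[1:]:
                if image[offset] in isa:     # relevance check before emulating on this platform
                    trace = emulate(image, offset, isa)
                    if trace is not None:
                        break
        if trace is not None and is_suspect(trace):
            findings.append(Finding(offset, name, trace))
    return findings
```

Running `scan(SAMPLE_IMAGE)` reports two findings: offset 1 on platform A and offset 5 on platform B, while the lone SYSCALL sequences at offsets 3 and 7 execute successfully but are not flagged.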