Independent claim
1. A method of detecting malicious software, the method comprising:
storing, by an analysis system, a memory baseline for a first system, the memory baseline including information stored in volatile memory of the first system and non-volatile memory of the first system;
executing, by the analysis system, a file on the first system using an operating system of the first system after the storing the memory baseline;
storing, by the analysis system, a post-execution memory map of the first system, the post-execution memory map including information stored in the volatile memory of the first system and the non-volatile memory of the first system after the executing the file;
analyzing, by the analysis system, the memory baseline and the post-execution memory map, wherein analyzing comprises:
determining the presence of one or more processes that changed from the memory baseline to the post-execution memory map,
determining timestamps associated with the one or more processes, and
identifying behaviors that indicate attempts to conceal a rootkit during the operation of the operating system;
determining, by the analysis system, that the file comprises malicious software based on the analyzing;
determining, by the analysis system, a timeline of activities performed by the malicious software based on the timestamps; and
reporting, by the analysis system, the malicious software including a list of the one or more processes that changed and the timeline.
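The claimed analysis step, worked through as an added illustration (not code from the patent or any implementation it covers): two constructed snapshots stand in for the memory baseline and the post-execution memory map, the process diff and timestamps build the timeline, and the rootkit-concealment check is an assumed cross-view indicator (a process found in kernel structures but absent from the OS process list). The record layout, the verdict rule and all sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    name: str
    start_time: datetime   # timestamp associated with the process
    in_api_list: bool      # enumerated by the OS process-listing API
    in_kernel_scan: bool   # found by scanning kernel process structures

@dataclass
class Snapshot:
    processes: Dict[int, ProcessRecord]   # volatile-memory view
    files: FrozenSet[str]                 # non-volatile-memory view (paths)

def changed_processes(baseline: Snapshot, post: Snapshot) -> List[ProcessRecord]:
    """Processes added or altered between baseline and post-execution map."""
    return [p for pid, p in post.processes.items() if baseline.processes.get(pid) != p]

def concealment_indicators(post: Snapshot) -> List[str]:
    """Assumed indicator: present in kernel structures, missing from the API list."""
    return [f"pid {p.pid} ({p.name}) hidden from process list"
            for p in post.processes.values() if p.in_kernel_scan and not p.in_api_list]

def analyze(baseline: Snapshot, post: Snapshot) -> dict:
    """Diff the snapshots, order changes by timestamp, decide and report."""
    changed = changed_processes(baseline, post)
    indicators = concealment_indicators(post)
    timeline = [(p.start_time.isoformat(), p.name)
                for p in sorted(changed, key=lambda p: p.start_time)]
    return {
        "malicious": bool(indicators),           # assumed verdict rule
        "changed_processes": [p.name for p in changed],
        "new_files": sorted(post.files - baseline.files),
        "timeline": timeline,
        "indicators": indicators,
    }

# Constructed sample snapshots (not captured from a real system)
T0 = datetime(2024, 1, 1, 12, 0, 0)
BASELINE = Snapshot(
    processes={1: ProcessRecord(1, "init", T0, True, True),
               100: ProcessRecord(100, "sshd", T0, True, True)},
    files=frozenset({"/usr/bin/ls"}))
POST = Snapshot(
    processes={1: ProcessRecord(1, "init", T0, True, True),
               100: ProcessRecord(100, "sshd", T0, True, True),
               250: ProcessRecord(250, "sample.bin", datetime(2024, 1, 1, 12, 0, 5), True, True),
               251: ProcessRecord(251, "kworker", datetime(2024, 1, 1, 12, 0, 7), False, True)},
    files=frozenset({"/usr/bin/ls", "/tmp/dropped.so"}))

if __name__ == "__main__":
    print(analyze(BASELINE, POST))
```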