Title: File extraction from memory dump for malicious content analysis
Abstract: Techniques for malicious content detection using a memory dump are described herein. According to one embodiment, a monitoring module is configured to monitor activities of a malicious content suspect executed within a sandboxed operating environment. In response to detection of one or more predetermined events triggered by the malicious content suspect, a memory dump module is configured to generate a memory dump of the malicious content suspect. An analysis module is configured to analyze the memory dump to determine whether the malicious content suspect should be declared as malicious based on a set of one or more rules.
Publication number: US9355247(B1)    Publication date: 2016.05.31
Application number: US201313801545    Filing date: 2013.03.13
Applicant: FireEye, Inc.    Inventors: Thioux Emmanuel; Amin Muhammad; Ismael Osman
Classification: G06F21/55    Main classification: G06F21/55
Agency: Rutan & Tucker, LLP    Agents: Rutan & Tucker, LLP; Schaal William W.
Independent claim: 1. A computer-implemented method for detecting malicious content, the method comprising: monitoring, by a monitoring module executed by a processor, behavior of a malicious content suspect executed within a sandboxed operating environment, the sandboxed operating environment comprising a virtual machine that operates in accordance with an operating environment targeted by the malicious content suspect; in response to detection of one or more predetermined events from the monitored behavior that are triggered by the malicious content suspect, generating, by a memory dump module, a memory dump associated with the malicious content suspect; storing, within a storage device, a portion of data associated with the virtual machine, which includes one or more of (i) contents of the memory dump and (ii) the one or more predetermined events, in a directory accessible to a controller that is part of a virtual machine monitor (VMM); retrieving at least the contents of the memory dump via the directory; and analyzing, by an analysis module, at least the contents of the memory dump to determine whether the malicious content suspect should be declared as malicious based on a set of one or more rules.
Address: Milpitas, CA, US
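The analysis step described in the abstract and in claim 1 (carving files out of the memory dump of a sandboxed suspect and evaluating them against a set of rules), as an added illustration that is not code from the patent or from FireEye: it scans a dump for PE headers, compares what it finds with the module ranges the VMM saw mapped from disk, and applies two constructed rules. The sample dump, module map, event names and rule names are all constructed for the example.

```python
import struct

PE_SIG = b"PE\x00\x00"

def build_fake_pe(num_sections):
    """Constructed, non-runnable PE-shaped blob used only as sample dump content."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> NT headers right after DOS header
    nt = PE_SIG + struct.pack("<HH", 0x14C, num_sections) + bytes(16)
    return bytes(dos) + nt

def carve_pe_images(dump):
    """Return the offset of every DOS header whose e_lfanew points at a valid PE signature."""
    hits, pos = [], dump.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(dump):                     # full DOS header present
            e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and dump[nt:nt + 4] == PE_SIG:
                hits.append(pos)
        pos = dump.find(b"MZ", pos + 1)
    return hits

def pe_outside_mapped_modules(images, module_map, events):
    """Rule: a PE header outside every module mapped from disk was written into memory at run time."""
    return any(not any(lo <= off < hi for lo, hi in module_map) for off in images)

def extra_image_after_trigger(images, module_map, events):
    """Rule (constructed): a trigger event was seen and more images exist than modules were loaded."""
    return "process_exit" in events and len(images) > len(module_map)

RULES = {"pe_outside_mapped_modules": pe_outside_mapped_modules,
         "extra_image_after_trigger": extra_image_after_trigger}

def analyze_dump(dump, module_map, events):
    """Analysis module: carve PE images, evaluate each rule, declare malicious if any rule fires."""
    images = carve_pe_images(dump)
    fired = [name for name, rule in RULES.items() if rule(images, module_map, events)]
    return {"images": images, "rules_fired": fired, "malicious": bool(fired)}

# Constructed sample: the main module mapped at offset 0, plus an unpacked image at 0x2000.
SAMPLE_DUMP = build_fake_pe(3).ljust(0x2000, b"\x00") + build_fake_pe(5).ljust(0x800, b"\x00")
SAMPLE_MODULES = [(0x0, 0x2000)]                        # ranges the VMM saw mapped from disk
SAMPLE_EVENTS = ["file_write", "process_exit"]         # predetermined trigger events (constructed)

if __name__ == "__main__":
    print(analyze_dump(SAMPLE_DUMP, SAMPLE_MODULES, SAMPLE_EVENTS))
```

In a real deployment the module map and event list come from the VMM-side monitor, and a carved image would be written out to the shared directory for further static analysis rather than only counted.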