Main claim
1. A method of detecting malicious software, the method comprising:
storing, by an analysis system, a memory baseline for a first system, the memory baseline including information stored in volatile memory of the first system and non-volatile memory of the first system;
providing, by the analysis system, a file to the first system;
executing, by the analysis system, the file on the first system using an operating system of the first system after the storing the memory baseline;
terminating, by the analysis system, operation of the operating system of the first system after executing the file;
storing, by the analysis system, a post-execution memory map of the first system while operation of the operating system of the first system is terminated, the post-execution memory map including information stored in the volatile memory of the first system and the non-volatile memory of the first system after the executing the file;
analyzing, by the analysis system, the memory baseline and the post-execution memory map, wherein analyzing comprises:
determining the presence of one or more processes that changed from the memory baseline to the post-execution memory map,
determining timestamps associated with the one or more processes, and
identifying behaviors that indicate attempts to conceal a rootkit during the operation of the operating system;
determining that the file comprises malicious software based on the analyzing;
determining a timeline of activities performed by the malicious software based on the timestamps; and
providing a report of the malicious software including a list of the one or more processes that changed and the timeline.
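A worked illustration of the analyzing, timeline and report steps of the claim, added here as example code and not part of the patent text: two constructed process snapshots (a baseline and a post-execution memory map, with made-up PIDs, image hashes and timestamps) are diffed, a timeline is ordered by the timestamps, and a report is built. The "unlinked from the OS process list" flag used as the concealment indicator is an assumption of this example; the claim does not specify which behaviors indicate concealment.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    """One process record recovered from a memory snapshot."""
    pid: int
    name: str
    image_hash: str  # hash of the in-memory image (constructed value)
    started: int     # start timestamp, seconds since boot (constructed value)
    linked: bool     # False = record found in memory but unlinked from the OS process list

# Constructed snapshots; every PID, hash and timestamp is made up for illustration.
BASELINE = [
    Proc(4, "System", "h-sys", 0, True),
    Proc(312, "svchost.exe", "h-svc1", 5, True),
    Proc(900, "explorer.exe", "h-exp", 12, True),
]
POST_EXECUTION = [
    Proc(4, "System", "h-sys", 0, True),
    Proc(312, "svchost.exe", "h-svc2", 5, True),   # image modified in place
    Proc(900, "explorer.exe", "h-exp", 12, True),
    Proc(1500, "sample.exe", "h-smp", 40, True),   # the file provided to the system
    Proc(1508, "update.exe", "h-upd", 42, False),  # unlinked: assumed concealment indicator
]

def changed_processes(baseline, post):
    """Processes that are new, modified or removed between the two snapshots."""
    base, after = {p.pid: p for p in baseline}, {p.pid: p for p in post}
    changed = []
    for pid, p in after.items():
        if pid not in base:
            changed.append(("new", p))
        elif base[pid].image_hash != p.image_hash:
            changed.append(("modified", p))
    changed += [("removed", p) for pid, p in base.items() if pid not in after]
    return changed

def analyze(baseline, post):
    """Diff, flag concealment, order activities by timestamp, and build the report."""
    changed = changed_processes(baseline, post)
    # Assumed heuristic: a process present in the offline memory map but
    # unlinked from the OS process list suggests an attempt to hide it.
    hidden = [p.pid for kind, p in changed if not p.linked]
    malicious = bool(hidden) or any(kind == "modified" for kind, _ in changed)
    timeline = sorted((p.started, kind, p.name) for kind, p in changed)
    return {"malicious": malicious, "hidden": hidden, "timeline": timeline,
            "changed": [(kind, p.pid, p.name) for kind, p in changed]}
```

Because the post-execution map is captured while the operating system is not running, a record that the running system's process list did not carry is still visible to the diff, which is what the `linked` flag stands in for here.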