Independent claim:
1. A method of classifying software by a computing device, said method comprising:
    receiving an executable file within the computing device, wherein it is unknown whether said executable file is malware;
    executing, by the computing device, said executable file within a virtualization environment of said computing device and creating a process identifier for said executing file;
    identifying, by the computing device, a graphical user interface program of said executable file during said execution by comparing said process identifier of said executing executable file with process identifiers of graphical user interface programs that are executing within said virtualization environment, said graphical user interface program including a plurality of windows;
    obtaining, by the computing device, position and dimension values for each of said windows from said graphical user interface program via a function;
    querying, by the computing device, a database with said position and dimension values of said executable file to determine whether said position and dimension values are present within said database, wherein said database comprises sets of position and dimension values, each of said sets including a label indicating a type of an executable file corresponding to said each of said sets;
    determining, by the computing device, whether a certain number of said position and dimension values of each of said windows match a set of position and dimension values within said database, wherein a match occurs if the position and dimension values of a window of each of said windows do not vary by more than a certain percentage from the set of position and dimension values within said database; and
    returning, by the computing device, a result regarding a classification of said executable file based upon said querying of said database, said result indicating whether said classification of said executable file is malware.
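The matching and classification steps of the claim (the database of labelled window-geometry sets, the per-value percentage tolerance, and the requirement that a certain number of windows agree) are shown below as an added Python example; it is not code from the patent or its assignee. The sandbox side (executing the sample in a virtualization environment, confirming by process identifier that the windows belong to it, and reading each window's position and dimensions through a window-enumeration function) is assumed to have already produced the `WindowGeometry` values; the signature database and the observed samples are constructed for illustration. Design choices that the claim leaves open and that are assumptions here: a reference value of 0 requires an exact match (a relative percentage of zero is meaningless), reference windows are paired one-to-one with observed windows greedily, and `None` is returned when no signature reaches the required number of matching windows.

```python
"""Fuzzy matching of GUI window geometry against a labelled signature database.

Added example; the database and observations below are constructed values, and
obtaining the geometry from a sandboxed sample is outside the scope of this code.
"""
from __future__ import annotations

from dataclasses import dataclass, astuple
from typing import Optional, Sequence


@dataclass(frozen=True)
class WindowGeometry:
    """Position (x, y) and dimensions (width, height) of one top-level window."""
    x: int
    y: int
    width: int
    height: int


@dataclass(frozen=True)
class Signature:
    """One set of window geometries in the database, with its type label."""
    label: str                          # e.g. "malware" or "benign"
    name: str                           # hypothetical descriptive name for the set
    windows: tuple[WindowGeometry, ...]


def value_within_tolerance(observed: int, reference: int, tolerance: float) -> bool:
    """True if `observed` deviates from `reference` by at most `tolerance`
    (a fraction: 0.05 means 5%). Assumption: a reference of 0 has no meaningful
    relative deviation, so it is only matched by an observed value of 0."""
    if reference == 0:
        return observed == 0
    return abs(observed - reference) <= tolerance * abs(reference)


def windows_match(observed: WindowGeometry, reference: WindowGeometry,
                  tolerance: float) -> bool:
    """A window matches when all four of its values are within tolerance."""
    return all(value_within_tolerance(o, r, tolerance)
               for o, r in zip(astuple(observed), astuple(reference)))


def count_matching_windows(observed: Sequence[WindowGeometry],
                           signature: Signature, tolerance: float) -> int:
    """Count observed windows that match a distinct reference window of the signature.
    Greedy one-to-one pairing (assumption): each reference window is consumed once,
    so two identical observed windows cannot both be credited to one reference."""
    unused = list(signature.windows)
    matched = 0
    for win in observed:
        for i, ref in enumerate(unused):
            if windows_match(win, ref, tolerance):
                del unused[i]
                matched += 1
                break
    return matched


def classify(observed: Sequence[WindowGeometry], database: Sequence[Signature],
             tolerance: float = 0.05, min_matches: int = 2) -> Optional[str]:
    """Return the label of the signature with the most matching windows, provided at
    least `min_matches` windows agree (the claim's 'certain number'); otherwise None.
    `tolerance` is the claim's 'certain percentage', applied per value."""
    best_label: Optional[str] = None
    best_count = 0
    for sig in database:
        count = count_matching_windows(observed, sig, tolerance)
        if count >= min_matches and count > best_count:
            best_label, best_count = sig.label, count
    return best_label


# Constructed signature database (all values invented for illustration).
DATABASE = (
    Signature("malware", "fake-installer-example",
              (WindowGeometry(100, 100, 640, 480),
               WindowGeometry(200, 150, 320, 200),
               WindowGeometry(0, 0, 1024, 768))),
    Signature("benign", "text-editor-example",
              (WindowGeometry(50, 50, 800, 600),
               WindowGeometry(300, 300, 400, 120))),
)

# Constructed observations: the first sample draws its windows within 5% of the
# malware signature (slightly shifted and resized); the second resembles the
# benign editor; the third shares only one window with any signature.
SAMPLE_LIKE_MALWARE = (WindowGeometry(104, 98, 650, 470), WindowGeometry(205, 155, 330, 205))
SAMPLE_LIKE_BENIGN = (WindowGeometry(50, 52, 790, 610), WindowGeometry(300, 300, 400, 120))
SAMPLE_UNKNOWN = (WindowGeometry(100, 100, 640, 480), WindowGeometry(900, 900, 10, 10))

if __name__ == "__main__":
    for name, sample in (("malware-like", SAMPLE_LIKE_MALWARE),
                         ("benign-like", SAMPLE_LIKE_BENIGN),
                         ("unknown", SAMPLE_UNKNOWN)):
        print(f"{name}: {classify(sample, DATABASE)}")
```

Both knobs matter for false positives: a single window at a common size and position (a centred 640x480 dialog, for instance) is weak evidence on its own, which is why `min_matches` defaults to 2, and tightening `tolerance` to 1% makes the malware-like sample above no longer match at all, so the percentage has to be chosen against how much the family's windows actually vary across runs and screen resolutions.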