Title: Emulating mixed-code programs using a virtual machine instance
Abstract: The subject disclosure is directed towards a technology for efficiently emulating program code that is protected by one or more various code virtualization techniques to detect the presence of malware. An emulation engine emulates a program containing a mix of native code, custom (e.g., virtualized obfuscated) code, and at least one emulator and/or interpreter that understands the custom code, by building a custom emulation component that is built by detecting and analyzing the internal emulator or interpreter. The custom emulation component may access a translation table built from the analysis, and also may simplify a plurality of instructions in the program into a lesser number of instructions in an intermediate language used for emulation.
Publication number: US9032526(B2) Publication date: 2015.05.12
Application number: US201113106724 Filing date: 2011.05.12
Applicant: Microsoft Technology Licensing, LLC Inventors: Wang Xun; Stepan Adrian Emil; Ebringer Timothy David
Classification: G06F11/00; G06F21/56 Main classification: G06F11/00
Agency: Agent: Haslam Brian; Allen Mike; Minhas Micky
Main claim: 1. In a computing environment, a method performed at least in part on at least one computer processor, comprising: processing program code to detect whether the program code includes malware, including determining whether the program code contains an internal emulator or interpreter, and if so, analyzing the internal emulator or interpreter to generate a custom emulator component; and using the custom emulator to translate custom bytecode language in the program code into an intermediate language for emulation.
Address: Redmond WA US