Title: Systems and methods to scan memory for a threat
Abstract: A computer-implemented method to scan memory for a threat is described. At least one application programming interface (API) is monitored. A back-trace operation is performed from the at least one API to identify a process that called the at least one API. An address in memory is retrieved for the identified process. At least a portion of the memory associated with the address of the identified process is scanned. A signature based on the scanned portion of the memory is generated.
Publication number: US8874925(B1)    Publication date: 2014.10.28
Application number: US201113188340    Filing date: 2011.07.21
Applicant: Symantec Corporation    Inventors: Resurreccion Rei; San Jose Jonathan
Classification: G06F21/64    Main classification: G06F21/64
Agency: Holland & Hart LLP    Agent: Holland & Hart LLP
Independent claim 1. A computer-implemented method to scan memory for a threat, comprising:
    monitoring, by a processor, at least one application programming interface (API);
    performing, by the processor, a back-trace operation from the at least one API to identify a process that called the at least one API;
    retrieving, by the processor, an address in memory for the identified process;
    decrypting an encrypted form of shellcode or unpacking a packed form of malware;
    storing the decrypted form of shellcode or the unpacked form of malware in a storage medium;
    retrieving, by the processor, at least one signature from a database, wherein the retrieved signature comprises a signature of the decrypted shellcode or the unpacked malware;
    scanning, by the processor, at least a portion of the memory;
    upon determining that the scanned memory matches the at least one retrieved signature, blocking, by the processor, the execution of the identified process; and
    upon determining that the scanned memory does not match the at least one retrieved signature, generating, by the processor, a signature based on the scanned portion of the memory associated with the address of the identified process.
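The flow of claim 1, modelled as an added C example (this is not Symantec's implementation and no code appears in the patent itself). The process memory images, the monitored API, the signature database and the "packed" payload are all constructed here, and every name (monitored_api, owner_of, scan_window, generate_signature, check_last_call and so on) is hypothetical. The example walks the claimed steps in order: the hook on the monitored API records the caller's return address; the back-trace maps that address to the process that owns it; a window of that process's memory around the call site is scanned against stored byte patterns; on a match the verdict is "block", otherwise a new signature (here a 64-bit FNV-1a hash of the window) is derived from the scanned bytes. It also shows why the scan is done on memory rather than on the file: the same payload is XOR-encoded until it unpacks itself in place, so the pattern only matches after decoding, which is exactly the state the hook observes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical model of the claimed flow (API hook -> back-trace -> memory scan ->
 * block or generate signature). Process layout, pattern bytes and the "shellcode"
 * are constructed for illustration; this is not Symantec's code. */
#define MEM_SIZE    128
#define SCAN_WINDOW 16      /* bytes examined on each side of the caller address */
#define WILDCARD    0x100   /* pattern entry that matches any byte */

typedef struct { int pid; uintptr_t base; uint8_t mem[MEM_SIZE]; } process_t;  /* base = VA of mem[0] */
typedef struct { const char *name; const uint16_t *pattern; size_t len; } signature_t;

/* Constructed pattern for the decoded payload used below (not a real malware signature). */
static const uint16_t sig_a[] = {0xEB, 0x0A, 0x5E, 0x31, 0xC0, WILDCARD, WILDCARD, 0xCD, 0x80};
static const signature_t sig_db[] = {{"constructed-shellcode-A", sig_a, sizeof sig_a / sizeof sig_a[0]}};

/* Step 1: the monitored API records who called it. A real hook would read the return
 * address from the stack (e.g. __builtin_return_address(0)); the model passes it in. */
static uintptr_t g_last_caller;
static void monitored_api(uintptr_t return_address) { g_last_caller = return_address; }

/* Step 2: back-trace. Map the return address to the process whose memory contains it. */
static const process_t *owner_of(const process_t *procs, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= procs[i].base && addr < procs[i].base + MEM_SIZE) return &procs[i];
    return NULL;
}

static int pattern_matches(const uint8_t *p, size_t avail, const signature_t *s)
{
    if (avail < s->len) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pattern[i] != WILDCARD && s->pattern[i] != p[i]) return 0;
    return 1;
}

/* Step 3: scan the window around the caller address against the database. Returns the
 * matching signature name or NULL, and reports the window that was scanned. */
static const char *scan_window(const process_t *p, uintptr_t addr, size_t *off, size_t *len)
{
    size_t at = addr - p->base;
    size_t lo = at > SCAN_WINDOW ? at - SCAN_WINDOW : 0;
    size_t hi = at + SCAN_WINDOW < MEM_SIZE ? at + SCAN_WINDOW : MEM_SIZE;
    *off = lo; *len = hi - lo;
    for (size_t i = lo; i < hi; i++)
        for (size_t s = 0; s < sizeof sig_db / sizeof sig_db[0]; s++)
            if (pattern_matches(p->mem + i, hi - i, &sig_db[s])) return sig_db[s].name;
    return NULL;
}

/* Step 4: no match, so derive a signature from the scanned bytes (FNV-1a, 64-bit). */
static uint64_t generate_signature(const uint8_t *buf, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Whole flow for the most recent API call. 1 = known signature, block the process;
 * 0 = no match, *new_sig holds the generated signature; -1 = caller in no known process. */
static int check_last_call(const process_t *procs, size_t n, uint64_t *new_sig)
{
    const process_t *p = owner_of(procs, n, g_last_caller);
    size_t off, len;
    if (!p) return -1;
    if (scan_window(p, g_last_caller, &off, &len)) return 1;
    *new_sig = generate_signature(p->mem + off, len);
    return 0;
}

/* Constructed "packed" payload: XOR-encoded copy of the sig_a bytes. Encoded, it never
 * matches sig_a; once it decodes itself in memory and calls the API, the scan catches it. */
#define KEY 0x5A
#define PAYLOAD_OFF 0x20
static const uint8_t packed_payload[] = {0xEB ^ KEY, 0x0A ^ KEY, 0x5E ^ KEY, 0x31 ^ KEY,
    0xC0 ^ KEY, 0x48 ^ KEY, 0x89 ^ KEY, 0xCD ^ KEY, 0x80 ^ KEY, 0x90 ^ KEY};

/* Two sample processes: pid 100 is empty, pid 200 carries the packed payload. */
static void build_sample(process_t procs[2])
{
    memset(procs, 0, 2 * sizeof *procs);
    procs[0].pid = 100; procs[0].base = 0x400000;
    procs[1].pid = 200; procs[1].base = 0x7f0000;
    memcpy(procs[1].mem + PAYLOAD_OFF, packed_payload, sizeof packed_payload);
}

/* Drives pid 200's API call before and after it unpacks in place; returns both verdicts. */
static void run_demo(int *before, int *after, uint64_t *sig_before)
{
    process_t procs[2];
    uint64_t unused;
    build_sample(procs);
    monitored_api(procs[1].base + PAYLOAD_OFF + 7);   /* the call comes from inside the payload */
    *before = check_last_call(procs, 2, sig_before);
    for (size_t i = 0; i < sizeof packed_payload; i++) procs[1].mem[PAYLOAD_OFF + i] ^= KEY;
    monitored_api(procs[1].base + PAYLOAD_OFF + 7);
    *after = check_last_call(procs, 2, &unused);
}
```

Two points a practitioner would check before trusting such a hook in production: the back-trace in step 2 rests on the return address found on the stack, which code that has already gained execution can forge (returning through a gadget or calling the API via a legitimate module so the recorded caller lands outside the payload), so the scan window should be bounded to the mapping that actually contains the address (VirtualQuery on Windows, /proc/PID/maps on Linux) and not trusted blindly; and the signature generated in step 4 is only as stable as the bytes it is computed over, so hashing a window that includes the decoder stub or other varying data yields a signature that will not recur on the next sample.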
Address: Mountain View CA US