Title: Method, system and program product for optimizing emulation of a suspected malware
Abstract: A method, system and program product for optimizing emulation of a suspected malware. The method includes identifying, using an emulation optimizer tool, whether an instruction in a suspected malware being emulated by an emulation engine in a virtual environment signifies a long loop and, if so, generating a first hash for the loop. Further, the method includes ascertaining whether the first hash generated matches any long loop entries in a storage and, if so, calculating a second hash for the long loop. Furthermore, the method includes inspecting the long loop entries so ascertained to find an entry having a respective second hash matching the second hash calculated. If an entry matching the second hash calculated is found, the method further includes updating one or more states of the emulation engine such that execution of the long loop of the suspected malware is skipped, which optimizes emulation of the suspected malware.
Publication number: US8826245(B2) Publication date: 2014.09.02
Application number: US201313901480 Filing date: 2013.05.23
Applicant: International Business Machines Corporation Inventor: Wu Ji Yan
Classification: G06F9/45;G06F9/44;G06F21/56 Main classification: G06F9/45
Agency: none listed; Agent: Samodovitz Arthur J.
Main claim: 1. A method for optimizing emulation of a suspected malware program, the method comprising the steps of: a computer identifying a first instruction in the suspected malware program that initiates a loop, and in response, the computer determining a length of the loop based at least in part on a number of times that the loop will be repeated, and if the length exceeds a predetermined threshold, generating a first hash value based at least in part on a hash of instructions in the loop; the computer identifying a second, subsequent instruction in the suspected malware program that initiates a loop, and in response, the computer determining a length of the loop initiated by the second instruction, based at least in part on a number of times that the loop initiated by the second instruction will be repeated, and if the length exceeds a predetermined threshold, generating a second hash value based at least in part on a hash of instructions within the loop initiated by the second instruction; and if the second hash value matches the first hash value, the computer bypassing the loop initiated by the second instruction, and if the second hash value does not match the first hash value, the computer executing the loop initiated by the second instruction.
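The abstract and the main claim describe the same mechanism from two angles: detect a loop whose iteration count exceeds a threshold, hash it, and on a later encounter skip it when the hash matches a stored entry. The following toy emulator, added here as an illustration and not code from the patent or from IBM, implements the abstract's two-level lookup: a first hash over the loop body selects candidate entries in the store, and a second hash over the body plus the register state at loop entry picks the exact one. The instruction set, the threshold, the choice of hash inputs, and the way skipping is realized (restoring a recorded loop-exit register state) are all assumptions made for this example; the sample program is constructed.

```python
"""Toy emulator with two-level long-loop memoization (added example; the ISA,
threshold and hash inputs are assumptions, not details from the patent)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LONG_LOOP_THRESHOLD = 1000   # assumed: remaining iterations above which a loop is "long"

# Assumed toy ISA: ("mov", reg, src), ("add", reg, src), ("xor", reg, src),
# ("loop", counter_reg, target): counter -= 1; jump back to target while counter != 0.
Instr = Tuple[str, str, object]
Program = List[Instr]


def _val(regs: Dict[str, int], src) -> int:
    return regs[src] if isinstance(src, str) else src


def _digest(obj) -> str:
    return hashlib.sha256(repr(obj).encode()).hexdigest()


@dataclass
class LoopStore:
    """first hash (loop body only) -> list of (second hash, registers at loop exit)."""
    entries: Dict[str, List[Tuple[str, Dict[str, int]]]] = field(default_factory=dict)


@dataclass
class Emulator:
    program: Program
    regs: Dict[str, int]
    store: LoopStore
    pc: int = 0
    steps: int = 0              # instructions actually executed
    loops_skipped: int = 0
    recording: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # loop pc -> (h1, h2)

    def run(self, max_steps: int = 10_000_000) -> Dict[str, int]:
        while self.pc < len(self.program) and self.steps < max_steps:
            op, a, b = self.program[self.pc]
            self.steps += 1
            if op == "mov":
                self.regs[a] = _val(self.regs, b)
                self.pc += 1
            elif op == "add":
                self.regs[a] = (self.regs[a] + _val(self.regs, b)) & 0xFFFFFFFF
                self.pc += 1
            elif op == "xor":
                self.regs[a] ^= _val(self.regs, b)
                self.pc += 1
            elif op == "loop":
                self._loop(a, b)
            else:
                raise ValueError(f"unknown opcode {op}")
        return dict(self.regs)

    def _loop(self, counter: str, target: int) -> None:
        body = self.program[target:self.pc + 1]
        remaining = self.regs[counter] - 1          # iterations still to run after this one
        if remaining > LONG_LOOP_THRESHOLD and self.pc not in self.recording:
            h1 = _digest(body)                                   # cheap: body only
            h2 = _digest((h1, sorted(self.regs.items())))        # precise: body + entry state
            for stored_h2, exit_regs in self.store.entries.get(h1, []):
                if stored_h2 == h2:
                    # Known loop with identical entry state: restore exit state, skip it.
                    self.regs = dict(exit_regs)
                    self.pc += 1
                    self.loops_skipped += 1
                    return
            # Unknown: execute normally, but remember to store the exit state later.
            self.recording[self.pc] = (h1, h2)
        self.regs[counter] -= 1
        if self.regs[counter] != 0:
            self.pc = target
        else:
            rec = self.recording.pop(self.pc, None)
            if rec is not None:
                h1, h2 = rec
                self.store.entries.setdefault(h1, []).append((h2, dict(self.regs)))
            self.pc += 1


def emulate(program: Program, store: LoopStore, eax_init: int = 0) -> dict:
    emu = Emulator(program, {"eax": eax_init, "ebx": 0, "ecx": 0}, store)
    regs = emu.run()
    return {"regs": regs, "steps": emu.steps, "skipped": emu.loops_skipped}


# Constructed sample: a 5000-iteration mixing loop of the kind that burns emulator time.
SAMPLE: Program = [
    ("mov", "ecx", 5000),
    ("add", "eax", 7),
    ("xor", "eax", 0x1234),
    ("loop", "ecx", 1),
    ("mov", "ebx", "eax"),
]


def demo():
    store = LoopStore()
    first = emulate(SAMPLE, store)          # full execution; loop gets recorded
    second = emulate(SAMPLE, store)         # h1 and h2 both match -> loop skipped
    third = emulate(SAMPLE, store, 1)       # same body (h1 hit) but different entry state (h2 miss)
    n_second = len(next(iter(store.entries.values())))
    return first, second, third, len(store.entries), n_second
```

The third run shows why the second hash matters: the loop body is byte-identical to the first run, so the cheap first hash hits, but `eax` enters the loop with a different value and the recorded exit state would be wrong, so the second hash misses and the loop is executed (and then stored as a second entry under the same first hash). Skipping is only sound because the toy loop's effect is fully determined by the registers folded into the second hash; a real emulator has to include every input the loop reads (memory, flags, emulated time) or it will replay a stale result.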
Address: Armonk NY US