Abstract
The executions of computer viruses are analyzed to develop register signatures for the viruses. A register signature specifies the set of outputs a virus produces when executed with a given set of inputs. A virus detection system (VDS) (400) holds a database (430) of the register signatures. The VDS (400) selects (710) a file that might contain a computer virus and identifies potential entry points in the file. The VDS (400) uses a virtual machine (422) having an initial state to emulate (714) a relatively small number of instructions at each entry point. While emulating each potential entry point, the VDS (400) builds (716) a register table that tracks the state of a subset of the virtual registers (428). Once the VDS (400) reaches an emulation breakpoint, it analyzes the register table in view of the register signatures to determine whether the file contains a virus.
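The following is an added worked example of the detection flow described in the abstract; it is not the patent's code and makes no claim about the claimed embodiment. The toy instruction set (`mov`, `add`, `xor`, `jmp`, `halt`), the register names, the eight-instruction emulation budget, the signature format (a set of register values that must appear in some row of the register table), the signature database and the "infected" and "clean" files are all constructed for illustration. The point it shows beyond the abstract is why every potential entry point is emulated from the same initial state: the decoder stub here is unreachable from the declared entry point and is only found through the second one, and the instruction budget is what stops emulation when the stub spins.

```python
# Added example, not the patent's implementation: bounded emulation over a toy
# instruction set with register-signature matching. The ISA, the "files" and
# the signature database are all constructed for illustration.

from dataclasses import dataclass, field

TRACKED = ("eax", "ebx", "ecx")   # subset of virtual registers kept in the register table
MAX_STEPS = 8                     # instruction budget per entry point (deliberately small)


@dataclass
class VirtualMachine:
    """Virtual machine state; every emulation run starts from this initial state."""
    regs: dict = field(default_factory=lambda: {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0})
    pc: int = 0


def _value(vm, operand):
    """Resolve an operand that is either an immediate or a register name."""
    return operand if isinstance(operand, int) else vm.regs[operand]


def step(vm, code):
    """Emulate one instruction. Returns False on an emulation breakpoint."""
    if vm.pc >= len(code):
        return False                            # ran off the end of the code: breakpoint
    op, *args = code[vm.pc]
    if op == "halt":
        return False                            # explicit breakpoint
    if op == "mov":
        vm.regs[args[0]] = _value(vm, args[1])
    elif op == "add":
        vm.regs[args[0]] = (vm.regs[args[0]] + _value(vm, args[1])) & 0xFFFFFFFF
    elif op == "xor":
        vm.regs[args[0]] ^= _value(vm, args[1])
    elif op == "jmp":
        vm.pc = args[0]
        return True
    else:
        return False                            # unknown opcode: treat as breakpoint
    vm.pc += 1
    return True


def build_register_table(code, entry):
    """Emulate at most MAX_STEPS instructions from `entry`, snapshotting TRACKED after each."""
    vm = VirtualMachine(pc=entry)
    table = []
    for _ in range(MAX_STEPS):
        if not step(vm, code):
            break
        table.append({r: vm.regs[r] for r in TRACKED})
    return table


def matches(table, signature):
    """A signature matches when some row of the table holds every register value it names."""
    return any(all(row.get(r) == v for r, v in signature.items()) for row in table)


def scan(code, entry_points, signatures):
    """Return the names of signatures matched at any potential entry point of the file."""
    hits = set()
    for entry in entry_points:
        table = build_register_table(code, entry)
        for name, sig in signatures.items():
            if matches(table, sig):
                hits.add(name)
    return hits


# Constructed signature database: the register values a (fictional) decoder stub
# leaves in the tracked registers when run from the initial VM state.
SIGNATURES = {
    "DemoDecoder": {"eax": 0x5EED, "ebx": 0x401000, "ecx": 0x1F},
}

# Constructed "file": benign code at the declared entry point (offset 0), plus a
# decoder stub that is reachable only from a second potential entry point (offset 3).
INFECTED = [
    ("mov", "eax", 1),          # 0  benign program
    ("add", "eax", 2),          # 1
    ("halt",),                  # 2
    ("mov", "ecx", 0x1F),       # 3  decoder stub begins here
    ("xor", "eax", "eax"),      # 4
    ("mov", "ebx", 0x401000),   # 5
    ("add", "eax", 0x5EED),     # 6
    ("jmp", 6),                 # 7  spins; the instruction budget ends the emulation
]
CLEAN = INFECTED[:3]

if __name__ == "__main__":
    print("all entry points:", scan(INFECTED, [0, 3], SIGNATURES))
    print("declared entry only:", scan(INFECTED, [0], SIGNATURES))
    print("clean file:", scan(CLEAN, [0], SIGNATURES))
```

Matching against any row of the register table, rather than only the final state at the breakpoint, is a design choice made here so that a stub which keeps mutating registers after the signature values appear (as the spinning `jmp` above does) is still recognized; a stricter implementation could compare only the last row.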