| 摘要 |
An emulation repair system (200) restores virus-infected computer files (220) to their uninfected states without risk of infecting the rest of the computer system (202), by providing a virtual machine (216) for emulating the virus-infected computer file (220), a foundation module (240) including generic, machine language repair routines (242), and a virus specific overlay module (262). Emulation repair system (200) receives the identity of the infected computer file (220) and the infecting virus (224) from a virus scanning module, and uses the received information to access a virus definition (232) that includes decryption information on the identified virus (224). The infected computer file (220) is emulated in the virtual machine (216) until it is determined from comparison with the decryption information that the virus (224) is fully decrypted. The foundation and overlay modules (240, 262) are then loaded into the virtual machine (216) and control of the virtual machine (216) is given to the overlay module (262). The overlay module (262) calls repair routines in the foundation module (240), the overlay module (262), and the virus itself (224), as necessary, to restore over-written host bytes (228) from the infected host file (220) to their proper locations in the infected host file (220). Repairs made to the image (220'') of the host file (220) in the virtual machine (216) are reflected to a back-up file (220') in the computer system (202).
|
