What technology area does this patent fall under?

Primary CPC classification G06F21/566. Mapped technology areas include Physics.

When was this patent published?

Publication date Tue Feb 22 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 11 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Detecting malware via scanning for dynamically generated function pointers in memory

US11256808B2 · US · B2

Patent metadata
Field	Value
Publication number	US-11256808-B2
Application number	US-202016805478-A
Country	US
Kind code	B2
Filing date	Feb 28, 2020
Priority date	Nov 30, 2017
Publication date	Feb 22, 2022
Grant date	Feb 22, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques for detecting malware via scanning for dynamically generated function pointers in memory are disclosed. In some embodiments, a system/process/computer program product for detecting malware via scanning for dynamically generated function pointers in memory includes monitoring changes in memory during execution of a malware sample in a computing environment; detecting a dynamically generated function pointer in memory based on an analysis of the monitored changes in memory during execution of the malware sample in the computing environment; and generating a signature based on detection of the dynamically generated function pointer in memory, wherein the malware sample was determined to be malicious.

First claim

Opening claim text (preview).

The invention claimed is: 1. A system, comprising: a processor configured to: perform dynamic analysis of a malware sample for detecting malware via scanning for dynamically generated function pointers in memory; monitor changes in memory during execution of a malware sample in a computing environment, wherein a plurality of pages in memory associated with a process launched by executing the malware sample are identified and monitored for changes during execution of the malware sample in the computing environment, and wherein the processor is further configured to: maintain a list of memory locations of accessible system functions; search the memory for the list of memory locations; periodically search the memory after predetermined execution events to detect any memory pointers in the memory; filter the memory locations where pointers to the system functions were detected in the memory to generate a set of system API function pointers; and automatically analyze the set of system API function pointers to determine whether the malware sample attempted to obfuscate suspicious or malicious behavior; detect a dynamically generated function pointer in memory based on an analysis of the monitored changes in memory during execution of the malware sample in the computing environment; and generate an interface that includes a graphical visualization of a plurality of pages in memory associated with a process launched during execution of the malware sample in a computing environment, wherein the graphical visualization of the plurality of pages in memory indicates detection of the dynamically generated function pointer associated with one or more of the plurality of pages in memory that were modified during execution of the malware sample; and a memory coupled to the processor and configured to provide the processor with instructions. 2. The system recited in claim 1 , wherein the computing environment comprises a virtual machine instance. 3. The system recited in claim 1 , wherein the processor is further configured to: identify, in the interface, one or more of the following: a system call event detected during execution of the malware sample in the computing environment; a time associated with a snapshot of the memory generated during the execution of the malware sample; and a type of memory associated with the one or more of the plurality of pages in memory that were modified during execution of the malware sample. 4. The system recited in claim 1 , wherein an output of the monitored changes in memory after a system call event during execution of the malware sample for a predetermined period of time in the computing environment is reassembled and analyzed to identify a potential malware binary, and wherein the potential malware binary is submitted for dynamic analysis and/or static analysis. 5. The system recited in claim 1 , wherein a plurality of pages in memory associated with a process launched by executing the malware sample are identified and monitored for changes after one or more system call events during execution of the malware sample for a predetermined period of time in the computing environment. 6. The system recited in claim 1 , wherein the processor is further configured to: receive a plurality of malware samples; and deduplicate the plurality of malware samples. 7. The system recited in claim 1 , wherein the processor is further configured to: receive a plurality of malware samples; deduplicate the plurality of malware samples to output a first malware sample; and execute the first malware sample in the computing environment. 8. The system recited in claim 1 , wherein the processor is further configured to: identify a plurality of pages in memory associated with a process launched by executing the malware sample in the computing environment; and perform an initial snapshot of all of the plurality of pages in memory associated with the process at initial time to and cache the initial snapshot of all of the plurality of pages in memory to provide a baseline for contents in memory while executing the malware sample in the computing environment. 9. The system recited in claim 1 , wherein the processor is further configured to: identify a plurality of pages in memory associated with a process launched by executing the malware sample in the computing environment; perform an initial snapshot of all of the plurality of pages in memory associated with the process at initial time t 0 and cache the initial snapshot of all of the plurality of pages in memory to provide a baseline for contents in memory while executing the malware sample in the computing environment; and perform a final snapshot of all of the plurality of pages in memory associated with the process at subsequent time t n after a predetermined period of time or after completion of execution of the malware sample in the computing environment. 10. The system recited in claim 1 , wherein the processor is further configured to: identify a plurality of pages in memory associated with a process launched by executing the malware sample in the computing environment; perform an initial snapshot of all of the plurality of pages in memory associated with the process at initial time t 0 and cache the initial snapshot of all of the plurality of pages in memory to provide a baseline for contents in memory while executing the malware sample in the computing environment; and perform another snapshot of all of the plurality of pages in memory associated with the process at subsequent time t n after a predetermined period of time or after a system call event if any return address in a call stack points to a memory address that has changed since the initial snapshot. 11. A method, comprising: performing dynamic analysis of a malware sample for detecting malware via scanning for dynamically generated function pointers in memory; monitoring changes in memory during execution of a malware sample in a computing environment, wherein a plurality of pages in memory associated with a process launched by executing the malware sample are identified and monitored for changes during execution of the malware sample in the computing environment, and wherein the processor is further configured to: maintaining a list of memory locations of accessible system functions; searching the memory for the list of memory locations; periodically searching the memory after predetermined execution events to detect any memory pointers in the memory; filtering the memory locations where pointers to the system functions were detected in the memory to generate a set of system API function pointers; and automatically analyzing the set of system API function pointers to determine whether the malware sample attempted to obfuscate suspicious or malicious behavior; detecting a dynamically generated function pointer in memory based on an analysis of the monitored changes in memory during execution of the malware sample in the computing environment; and generating an interface that includes a graphical visualization of a plurality of pages in memory associated with a process launched during execution of the malware sample in a computing environment, wherein the graphical visualization of the plurality of pages in memory indicates detection of the dynamically generated function pointer associated with one or more of the plurality of pages in memory that were modified during execution of the malware sample. 12. The method of claim 11 , wherein the computing environment comprises a virtual machine instance. 13. The method of claim 11 , further comprising: identifying, in the interface, one or more

Assignees

Palo Alto Networks Inc

Inventors

Jung Robert

Classifications

G06F21/52
during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow} · CPC title
G06F21/566Primary
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
G06F21/563
by source code analysis · CPC title
G06F11/3037
where the computing system component is a memory, e.g. virtual memory, cache (accessing, addressing or allocating within memory systems or architectures G06F12/00; checking stores for correct operation G11C29/00) · CPC title

Patent family

Related publications grouped by family.

View patent family 70285285

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11256808B2 cover?: Techniques for detecting malware via scanning for dynamically generated function pointers in memory are disclosed. In some embodiments, a system/process/computer program product for detecting malware via scanning for dynamically generated function pointers in memory includes monitoring changes in memory during execution of a malware sample in a computing environment; detecting a dynamically gen…
Who is the assignee on this patent?: Palo Alto Networks Inc
What technology area does this patent fall under?: Primary CPC classification G06F21/566. Mapped technology areas include Physics.
When was this patent published?: Publication date Tue Feb 22 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 11 related publications on this page (citations in our corpus or others sharing the same primary CPC).