System and method for detection of malicious code in the address space of processes

1 . A method for detecting malicious code in an address space of a process comprising: detecting a launching of a trusted process from a trusted executable file executing on a computer system; detecting access to a suspicious address within a suspicious memory area in an address space of the trusted process, wherein the suspicious memory area is a memory area that lies outside the boundaries of the trusted executable image representing the trusted executable file and is an executable memory area; analyzing one or more memory areas within a vicinity of the suspicious address space in the computer system to determine whether another executable image representing another executable file is located in the one or more memory areas; analyzing the another executable image to determine whether the another executable image contains malicious code; concluding malicious code is contained in the address space of the trusted process when the another executable image contains malicious code; and performing one of removing, halting or quaranting the malicious code from the address space of the trusted process. 2 . The method of claim 1 , wherein detecting the launching comprises: intercepting a function that launches the process; determining identifying information for the process; and determining and accessing the address space associated with suspicious acitivity based on the identifying information. 3 . The method of claim 1 , further comprising: concluding the one or more memory areas to be suspicious when the one or more memory areas do not contain trusted areas. 4 . The method of claim 3 , wherein the trusted areas comprise one or more of: a vicinity of the executable image in the address space; a vicinity of an image of a known executable file; and a vicinity of a known address in the address space. 5 . The method of claim 4 , wherein the vicinity is within a first predetermined number of bytes from a starting address of the executable image and a second predetermined numner of bytes from an end address of the executable image. 6 . The method of claim 4 , further comprising: determining boundaries of a vicinity of the executable image by querying for page information regarding the memory areas. 7 . The method of claim 1 , wherein detecting access to the address space comprises: detecting whether a memory address in the address space is present in a memory area reserved for a stack of the trusted process. 8 . The method of claim 7 , further comprising: searching for an address on the stack using a function call to access information regarding a thread on which the process is executing. 9 . The method of claim 1 , wherein access to the address space comprises: calling one or more of the functions: “CreateThread”, “CreateProcess” and “WriteFile”. 10 . The method of claim 9 , wherein detecting the access comprises: establishing a callback procedure for calling each of the one or more functions. 11 . A system for detecting malicious code comprising: a malicious code signature database containing signatures of malicious code; and a computer system comprising: an intercept module configured to: detect a launching of a trusted process from a trusted executable file executing on a computer system; detect access to a suspicious address within a suspicious memory area in an address space of the trusted process, wherein the suspicious memory area is a memory area that lies outside the boundaries of a trusted executable image representing the trusted executable file and is an executable memory area; analyze one or more memory areas within a vicinity of the suspicious address space in the computer system to determine whether another executable image representing another executable file is located in the one or more memory areas; and a security module configured to: determine that malicious code is contained in the address space of the process when the another executable image contains malicious code; and performe one of remove, halt or quarantine the malicious code from the address space of the trusted process. 12 . The system of claim 11 , wherein the intercept module is configured to detect the launching by: intercepting a function that launches the process; determining identifying information for the process; and determining and accessing the address space associated with suspicious acitivity based on the identifying information. 13 . The system of claim 11 , wherein the security module is further configured to: conclude that the one or more memory areas are suspicious when the one or more memory areas do not contain trusted areas. 14 . The system of claim 13 , wherein the trusted areas comprise one or more of: a vicinity of the executable image in the address space; a vicinity of an image of a known executable file; and a vicinity of a known address in the address space. 15 . The system of claim 14 , wherein the vicinity is within a first predetermined number of bytes from a starting address of the executable image and a second predetermined numner of bytes from an end address of the executable image. 16 . The system of claim 14 , wheren the intercept module is further configured to: determine boundaries of a vicinity of the executable image by querying for page information regarding the memory areas. 17 . The system of claim 11 , wherein the the intercept module is configured to detect access to the address space by: detecting whether a memory address in the address space is present in a memory area reserved for a stack of the trusted process. 18 . The system of claim 17 , wherein the intercept module is further configured to: search for an address on the stack by using a function call to access information regarding a thread on which the process is executing. 19 . The system of claim 11 , wherein access to the address space comprises: calling one or more of the functions: “CreateThread”, “CreateProcess” and “WriteFile”. 20 . The system of claim 19 , further comprising: detecting the access to the address space by one or more of: using a driver; and establishing a callback procedure for calling each of the one or more functions. 21 . A computer-readable medium, storing theron instructions that when executed by a processor perfor a method for detecting malicious code comprising: detecting a launching of a trusted process from a trusted executable file executing on a computer system; detecting access to a suspicious address space within a suspicious memory area in an address space of the trusted process, wherein the suspicious memory area is a memory area that lies outside the boundaries of the trusted executable image representing the trusted executable file and is an executable memory area; analyzing one or more memory areas within a vicinity of the suspicious the address space in the computer system to determine whether another executable image representing another executable file is located in the one or more memory areas; analyzing the another executable image to determine whether the another executable image contains malicious code; concluding malicious code is contained in the address space of the trusted process when the another executable image contains malicious code; and performing one of removing, halting or quaranting the malicious code from the address space of the trusted process.