US 9,811,663 B2
Generic unpacking of applications for malware detection
Deepak Gupta, Beaverton, OR (US)
Assigned to McAfee, Inc., Santa Clara, CA (US)
Filed by McAfee, Inc., Santa Clara, CA (US)
Filed on Sep. 16, 2016, as Appl. No. 15/267,983.
Application 15/267,983 is a continuation of application No. 13/838,663, filed on Mar. 15, 2013, granted, now 9,471,783.
Prior Publication US 2017/0004308 A1, Jan. 5, 2017
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/00 (2013.01); G06F 21/56 (2013.01)
CPC G06F 21/562 (2013.01) [G06F 21/564 (2013.01); G06F 21/566 (2013.01)]
25 Claims
1. A non-transitory computer-readable medium on which is stored software for unpacking a self-extracting executable, comprising instructions that when executed cause one or more processing units to:
load the self-extracting executable into memory, the self-extracting executable comprising a first unpacking stub and a packed executable;
allow the first unpacking stub to unpack the packed executable into an unpacked executable;
detect an attempt to write to a memory page in which code was previously executed, by controlling memory page access permissions using hardware assisted virtualization;
detect completion of unpacking the packed executable by the first unpacking stub using one or more heuristics; and
scan the unpacked executable for malware, wherein the one or more heuristics comprise:
determining whether a write to a memory page that generates a page write exception is a write to a last page of a section of memory pages.
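
The two checks in claim 1, a write to a page in which code previously ran and a page write exception that lands on the last page of a section, modeled as an added Python example (not code from the patent or from McAfee). It assumes 4 KiB pages, a monitor that keeps every page either writable or executable, and a constructed section layout and access trace; a real monitor would be driven by hardware-assisted virtualization faults rather than method calls.

```python
PAGE = 0x1000  # assumed 4 KiB pages

class PageMonitor:
    """Toy model: every page is writable or executable, never both."""

    def __init__(self, sections):
        self.sections = sections   # name -> (base address, size in bytes)
        self.writable = set()      # page numbers currently writable (so not executable)
        self.executed = set()      # page numbers in which code has run

    def last_page_of(self, page):
        """Name of the section whose final page is `page`, else None."""
        for name, (base, size) in self.sections.items():
            if page == (base + size - 1) // PAGE:
                return name
        return None

    def execute(self, addr):
        page = addr // PAGE
        self.writable.discard(page)   # execute fault on a writable page flips it back
        self.executed.add(page)

    def write(self, addr):
        """Return a fault record, or None when the write raised no exception."""
        page = addr // PAGE
        if page in self.writable:
            return None
        self.writable.add(page)       # page write exception: grant write, revoke execute
        return {
            "page": page * PAGE,
            "write_after_execute": page in self.executed,
            "last_page_of": self.last_page_of(page),
        }

def run_sample():
    # Constructed layout and access trace, not taken from a real sample.
    mon = PageMonitor({".packed": (0x401000, 0x2000), ".stub": (0x403000, 0x1000)})
    mon.execute(0x403010)                          # stub starts running
    faults = [mon.write(a) for a in (0x401000, 0x401800, 0x402000)]
    mon.execute(0x401000)                          # control passes to unpacked code
    faults.append(mon.write(0x401004))             # unpacked code rewrites itself
    return faults

if __name__ == "__main__":
    for fault in run_sample():
        print(fault)
```

In this trace the third write is the one the last-page heuristic flags as a candidate end of unpacking, and the final write is the write to a previously executed page.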