Emulator updating system and method
Abstract
One embodiment includes a method and computer program product for distributing and/or receiving a first emulator extension with respect to an emulator capable of performing an emulation using emulation code. The first emulator extension includes program instructions that aid in the process of emulating in order to detect potentially unwanted computer software. Such program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the potentially unwanted computer software within the suspect code. In use, an emulation is performed using the first emulator extension and the suspect code. The emulation is performed within an insulated environment in a computer system so that the computer system is insulated from potentially unwanted actions of the suspect code.
Claims
exact text as granted — not AI-modified1 . A method for emulating computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code, the method comprising:
receiving suspect code; loading the suspect code into an emulator buffer within a data space of a computer system; loading a first emulator extension into an emulator that performs an emulation using emulation code and the first emulator extension, the first emulator extension including program instructions that aid in a process of emulating the suspect code in order to detect a computer virus and/or malicious software, wherein the program instructions of the first emulator extension are additional beyond that associated with the emulation code, for assisting the emulation code in the emulation; performing the emulation using the first emulator extension, the emulation code and the suspect code, the emulation being performed within an insulated environment in the computer system so that the computer system is insulated from malicious actions of the suspect code; and determining whether the suspect code is likely to exhibit malicious behavior based upon the emulation.
2 . The method of claim 1 , wherein loading the first emulator extension into the emulator includes loading the first emulator extension into the emulator buffer within the emulator; and
wherein performing the emulation includes emulating the program instructions that comprise the first emulator extension.
3 . The method of claim 2 , wherein emulating the program instructions that comprise the first emulator extension causes the emulator to examine the suspect code looking for patterns that indicate that the suspect code is likely to exhibit malicious behavior.
4 . The method of claim 2 , wherein emulating the program instructions that comprise the first emulator extension causes the program instructions within the first emulator extension to facilitate emulation of the suspect code.
5 . The method of claim 1 , further comprising emulating the suspect code prior to loading the first emulator extension into the emulator buffer.
6 . The method of claim 1 , further comprising:
loading a second emulator extension into the emulator; and performing a second emulation using the second emulator extension and the suspect code.
7 . The method of claim 6 , wherein the first emulator extension and the second emulator extension provide support for conflicting emulator environments.
8 . The method of claim 1 , wherein loading the first emulator extension involves loading the first emulator extension from a database containing a plurality of different emulator extensions.
9 . The method of claim 1 , wherein the first emulator extension includes code for decrypting an encrypted computer virus and other encrypted malicious code.
10 . The method of claim 1 , further comprising if a computer virus or other malicious software is detected within the suspect code, disinfecting the suspect code.
11 . The method of claim 1 , wherein the first emulator extension facilitates emulating a non-standard computer instruction opcode.
12 . The method of claim 1 , wherein the first emulator extension facilitates emulating an uncommonly used operating system call.
13 . A tangible computer-readable storage medium storing a computer program product, the computer program product comprising:
computer code for receiving suspect code; computer code for loading the suspect code into an emulator buffer within a data space of a computer system; computer code for loading a first emulator extension into an emulator that performs an emulation using emulation code and the first emulator extension, the first emulator extension including program instructions that aid in a process of emulating the suspect code in order to detect a computer virus and/or malicious software, wherein the program instructions of the first emulator extension are additional beyond that associated with the emulation code, for assisting the emulation code in the emulation; computer code for performing the emulation using the first emulator extension, the emulation code and the suspect code, the emulation being performed within an insulated environment in the computer system so that the computer system is insulated from malicious actions of the suspect code; and computer code for determining whether the suspect code is likely to exhibit malicious behavior based upon the emulation.
14 . The computer-readable storage medium of claim 13 , wherein loading the first emulator extension into the emulator includes loading the first emulator extension into the emulator buffer within the emulator; and
wherein performing the emulation includes emulating the program instructions that comprise the first emulator extension.
15 . The computer-readable storage medium of claim 14 , wherein emulating the program instructions that comprise the first emulator extension causes the emulator to examine the suspect code looking for patterns that indicate that the suspect code is likely to exhibit malicious behavior.
16 . The computer-readable storage medium of claim 14 , wherein emulating the program instructions that comprise the first emulator extension causes the program instructions within the first emulator extension to facilitate emulation of the suspect code.
17 . The computer-readable storage medium of claim 13 , wherein the method further comprises emulating the suspect code prior to loading the first emulator extension into the emulator buffer.
18 . The computer-readable storage medium of claim 13 , wherein the method further comprises:
loading a second emulator extension into the emulator; and performing a second emulation using the second emulator extension and the suspect code.
19 . The computer-readable storage medium of claim 18 , wherein the first emulator extension and the second emulator extension provide support for conflicting emulator environments.
20 . An apparatus that emulates computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code, the apparatus comprising:
a processor; a loading mechanism that is configured to load suspect code into an emulator buffer within a data space of a computer system; wherein the loading mechanism is additionally configured to load a first emulator extension into an emulator that performs an emulation using emulation code and the first emulator extension, the first emulator extension including program instructions that aid in a process of emulating the suspect code in order to detect a computer virus and/or malicious software, wherein the program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation; an emulation mechanism that is configured to perform the emulation using the first emulator extension, the emulation code and the suspect code, the emulation being performed within an insulated environment in the computer system so that the computer system is insulated from malicious actions of the suspect code; and a determination mechanism that is configured to determine whether the suspect code is likely to exhibit malicious behavior based upon the emulation.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.