The patent badge is an abbreviated version of the USPTO patent document. It covers the following fields: patent number, date the patent was issued, date the patent was filed, title of the patent, applicant, inventor, assignee, attorney firm, primary examiner, assistant examiner, CPCs, and abstract. The patent badge contains a link to the full patent document in PDF (Adobe Acrobat) format.
Patent No.:
Date of Patent: Feb. 26, 2013
Filed: Feb. 04, 2008
Applicant:
Michael S. Jarrett, Kirkland, WA (US);
Adrian M Marinescu, Sammamish, WA (US);
Marius Gheorghe Gheorghescu, Redmond, WA (US);
George C. Chicioreanu, Redmond, WA (US)
Inventors:
Michael S. Jarrett, Kirkland, WA (US);
Adrian M Marinescu, Sammamish, WA (US);
Marius Gheorghe Gheorghescu, Redmond, WA (US);
George C. Chicioreanu, Redmond, WA (US)
Assignee:
Microsoft Corporation, Redmond, WA (US)
Abstract
An arrangement for scanning and patching injected malware code that is executing in otherwise legitimate processes running on a computer system is provided in which malware code is located in the memory of processes by extracting the start addresses of processes' threads and then searching near these addresses. Additional blocks of code in memory that are invoked by the code identified by each start address are also identified and the blocks are then matched against scanning signatures associated with known malware threads. If the entire signature can be matched against a subset of the blocks, then the thread is determined to be infected. The infected thread is suspended and in-memory modifications are performed to patch the injected code to render it harmless. The thread can be resumed or terminated to disable the protection mechanisms of the malware without causing any harm to the process in which the thread is injected.
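The detection half of the abstract (locate the block holding a thread's start address, follow the blocks it invokes, and declare the thread infected only if every part of a multi-part signature matches one of those blocks), as an added Python example that is not part of the patent or of any Microsoft product. The memory image, the two-part signature and the call following by scanning for E8 rel32 opcodes are all constructed for illustration; a production scanner would disassemble properly rather than scan for opcode bytes, and the in-memory patching step is deliberately left out.

```python
# Constructed process image: block start address -> code bytes. 0x1000 sets up
# a frame and calls 0x2000 (E8 rel32 with rel32 = 0x2000 - 0x1008); 0x2000 reads
# fs:[0x30] (the PEB) and returns; 0x3000 is benign filler.
BLOCKS = {
    0x1000: b"\x55\x8b\xec\xe8\xf8\x0f\x00\x00\xc3",
    0x2000: b"\x64\xa1\x30\x00\x00\x00\xc3",
    0x3000: b"\x33\xc0\xc3",
}
# Constructed two-part signature; None is a wildcard byte.
SIGNATURE = [[0x55, 0x8B, 0xEC], [0x64, 0xA1, None, None, None, None]]

def find_block(blocks, addr):
    """Block containing addr (the 'search near the start address' step)."""
    for start, code in blocks.items():
        if start <= addr < start + len(code):
            return start
    return None

def called_blocks(blocks, start):
    """Blocks invoked from this block: naive scan for E8 rel32 near calls."""
    code, out = blocks[start], []
    for i in range(len(code) - 4):
        if code[i] == 0xE8:
            rel = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
            target = find_block(blocks, start + i + 5 + rel)
            if target is not None:
                out.append(target)
    return out

def reachable_blocks(blocks, thread_start):
    """Start block plus everything reachable through its call chain."""
    first = find_block(blocks, thread_start)
    seen, todo = set(), [] if first is None else [first]
    while todo:
        block = todo.pop()
        if block not in seen:
            seen.add(block)
            todo.extend(called_blocks(blocks, block))
    return seen

def part_matches(code, part):
    """Sliding-window match of one signature part, honouring wildcards."""
    return any(all(p is None or code[i + j] == p for j, p in enumerate(part))
               for i in range(len(code) - len(part) + 1))

def thread_infected(blocks, thread_start, signature):
    """Infected iff every signature part matches some reachable block."""
    subset = [blocks[b] for b in reachable_blocks(blocks, thread_start)]
    return bool(subset) and all(any(part_matches(c, part) for c in subset)
                                for part in signature)
```

A thread starting at 0x1000 (or anywhere inside that block) is flagged because part one lives in the start block and part two in the block it calls; a thread starting at 0x3000, or at an address outside every known block, is not.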