US 11,675,905 B2
System and method for validating in-memory integrity of executable files to identify malicious activity
Joseph W. Desimone, Hanover, MD (US)
Assigned to Endgame, Inc., Arlington, VA (US)
Filed by Endgame, Inc., Arlington, VA (US)
Filed on Oct. 14, 2021, as Appl. No. 17/501,965.
Application 17/501,965 is a continuation of application No. 15/648,887, filed on Jul. 13, 2017, granted, now 11,151,251.
Prior Publication US 2022/0035918 A1, Feb. 3, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/56 (2013.01); G06F 21/55 (2013.01); H04L 9/40 (2022.01); G06F 9/54 (2006.01)
CPC G06F 21/566 (2013.01) [G06F 9/544 (2013.01); G06F 21/552 (2013.01); G06F 21/565 (2013.01); H04L 63/145 (2013.01); H04L 63/1416 (2013.01); H04L 63/1441 (2013.01)] 22 Claims
OG exemplary drawing
 
1. A method of validating an executable file to identify malware in a computing device comprising a processor, memory, non-volatile storage, an operating system, and a malicious code detection module, the method comprising:
identifying, by the malicious code detection module, a first executable file in the memory, the first executable file including: a first plurality of components that are not altered by the operating system when loaded into the memory;
identifying, by the malicious code detection module, a second executable file in the non-volatile storage, wherein the first executable file and the second executable file are associated with one another by the operating system;
determining that the second executable file has been compressed and/or encrypted using software packing;
determining whether the second executable file is capable of being unpacked;
unpacking the second executable file when the second executable file is capable of being unpacked;
comparing, by the malicious code detection module, a size of a first component of the first plurality of components of the first executable file and a size of a first component of a first plurality of components of the second executable file, wherein the comparing includes accounting for changes to the second executable file caused by the unpacking of the second executable file, and further wherein when the second executable file has not been compressed and/or encrypted using software packing, the changes need not be accounted for, and
generating an alert when the size of the first component of the first plurality of components of the first executable file and the size of the first component of the first plurality of components of the second executable file are different;
wherein the first component of the first plurality of components of the first executable file is less than the entirety of the first executable file and the first component of the first plurality of components of the second executable file is less than the entirety of the second executable file.
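The comparison claimed above, written out as an added example (it is not the patent's or Endgame's implementation): the PE section headers are copied verbatim by the loader, so their size fields are "components not altered by the operating system when loaded into memory" and can be compared between the in-memory module and its backing file; if the disk copy is packed, it is unpacked first when an unpacker is available and the comparison is skipped otherwise. The PE layout (DOS header, "PE\0\0", COFF header, optional header, section table) is the real one; build_image, detect_packer's section-name heuristic, the TOYPACK format and its unpacker, and the sample images are constructed for illustration.

```python
"""Compare section-header size fields of an in-memory module with its on-disk
file, unpacking the disk copy first when it is packed (added example)."""
import struct
import zlib

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def parse_sections(image):
    """Return {name: header fields} from a PE image. The loader copies the
    headers unchanged, so this works on a dump of the module base as well."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", image, coff + 2)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = {}
    for i in range(nsec):
        f = SECTION_HEADER.unpack_from(image, table + i * SECTION_HEADER.size)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections[name] = {"virtual_size": f[1], "virtual_address": f[2],
                          "raw_size": f[3], "raw_ptr": f[4]}
    return sections


def build_image(sections):
    """Constructed minimal PE32 image; sections = [(name, VirtualSize, raw bytes)]."""
    n = len(sections)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, len(opt), 0x102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                 # e_lfanew
    raw_ptr = len(dos) + 4 + len(coff) + len(opt) + n * SECTION_HEADER.size
    va, table, data = 0x1000, b"", b""
    for name, vsize, payload in sections:
        table += SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, va,
                                     len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(payload)
        va += (max(vsize, 1) + 0xFFF) & ~0xFFF                  # 4 KiB alignment
        data += payload
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + data


def detect_packer(sections):
    """Section-name heuristic (an assumption for the demo; real tooling also
    checks entropy, import counts and the entry point's section)."""
    if {"UPX0", "UPX1"} <= set(sections):
        return "UPX"
    if "TOYPACK" in sections:
        return "TOYPACK"
    return None


def toy_unpack(image):
    """Hypothetical TOYPACK format: the original file is stored zlib-compressed
    as the raw data of a single section named TOYPACK."""
    s = parse_sections(image)["TOYPACK"]
    return zlib.decompress(image[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])


UNPACKERS = {"TOYPACK": toy_unpack}   # no UPX unpacker registered, on purpose


def compare_images(memory_image, disk_image, field="virtual_size"):
    """Alert when a section's size field differs between the in-memory module
    and its backing file. Returns (alerts, status)."""
    disk = parse_sections(disk_image)
    packer = detect_packer(disk)
    if packer is not None:
        unpack = UNPACKERS.get(packer)
        if unpack is None:                  # packed, but not capable of being unpacked
            return [], "packed with %s, no unpacker: comparison skipped" % packer
        disk = parse_sections(unpack(disk_image))   # account for the packer's rewrite
    mem = parse_sections(memory_image)
    alerts = []
    for name, d in disk.items():
        m = mem.get(name)
        if m is None:
            alerts.append("section %s missing in memory" % name)
        elif m[field] != d[field]:
            alerts.append("section %s: %s disk=%#x memory=%#x"
                          % (name, field, d[field], m[field]))
    for name in mem.keys() - disk.keys():
        alerts.append("section %s present only in memory" % name)
    return alerts, "compared" + (" after unpacking (%s)" % packer if packer else "")


# Constructed samples: a clean file, an in-memory copy whose .text header was
# grown (as after an injector patched the section table), the clean file
# wrapped by TOYPACK, and a UPX-named file for which no unpacker exists.
ORIGINAL = build_image([(b".text", 0x1500, b"\xcc" * 0x1600), (b".data", 0x200, b"\x00" * 0x200)])
TAMPERED = build_image([(b".text", 0x2500, b"\xcc" * 0x1600), (b".data", 0x200, b"\x00" * 0x200)])
PACKED = build_image([(b"TOYPACK", 0x100, zlib.compress(ORIGINAL))])
UPX_LIKE = build_image([(b"UPX0", 0x3000, b""), (b"UPX1", 0x1000, b"\x90" * 0x400)])


def run_checks():
    return {"clean": compare_images(ORIGINAL, ORIGINAL),
            "tampered": compare_images(TAMPERED, ORIGINAL),
            "packed": compare_images(ORIGINAL, PACKED),
            "unknown_packer": compare_images(ORIGINAL, UPX_LIKE)}


if __name__ == "__main__":
    for case, (alerts, status) in run_checks().items():
        print(case, status, alerts)
```

In a real deployment the memory image is read from the module base the operating system reports for the process (the association the claim relies on) and the disk image from that module's file path; the parser reads only the headers because raw file offsets do not map to memory once sections are laid out at their virtual addresses. Two caveats a practitioner should keep in mind: a header-only check is evaded by an injector that also rewrites the in-memory section table, so comparing the section contents themselves (with relocations accounted for) is the stronger form; and a disk file packed with a packer for which no unpacker is registered yields no verdict at all, which the status string makes explicit rather than silently reporting "clean".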