| CPC G06F 21/563 (2013.01) [G06F 21/53 (2013.01)] | 20 Claims |
|
1. A method comprising:
receiving, by a shadow replay box, a snapshot of a computer program executed by an operating system of a device, wherein the snapshot of the computer program comprises:
a sample of a memory space from a start time and at least one time period or function occurring prior to the start time of the sample; and
environment information;
mirroring, by the shadow replay box, an execution environment of the snapshot using the environment information;
determining, by the shadow replay box, a typical execution of the computer program comprising a first set of variables;
performing, at the shadow replay box, a static analysis on the received snapshot of the computer program to determine a second set of variables;
determining, at the shadow replay box, a divergence between the first set of variables and the second set of variables;
marking variables of the second set of variables that are associated with the divergence;
replaying, at the shadow replay box, a portion of the computer program corresponding to at least the snapshot; and
monitoring, by the shadow replay box, the marked variables of the second set of variables during the replaying of the portion of the computer program.
|