CPC G06F 21/566 (2013.01) [G06F 9/5016 (2013.01); G06F 21/554 (2013.01); G06F 2221/034 (2013.01)]
20 Claims
1. An unpacking method performed by a computing system, the unpacking method comprising:
prior to a target process receiving control, executing a process loader hook on a process loader routine, the process loader routine configured to allocate memory for the target process prior to an execution period of the target process, the process loader hook executing comprising saving a map of memory which is allocated to the target process; and
during the execution period of the target process, performing at least one of the following:
detecting an additional allocation attempt of a memory portion to the target process and saving a description of the memory portion,
recognizing a change attempt in an execution permission of a memory portion that is allocated to the target process and saving a description of the memory portion, or
ascertaining that the target process is attempting to overwrite a memory portion that was allocated to the target process before the execution period of the target process and saving a description of the memory portion.
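The bookkeeping recited in claim 1, modeled as an added example that is not code from the patent or its applicant: a tracker saves the loader-time memory map, then records a description for each of the three execution-period events, implementing all three although the claim requires only at least one. The names `UnpackTracker`, `Region`, `replay` and the event tuples are assumptions, the trace is constructed, and the model compares against permissions as first recorded rather than splitting or updating regions.

```python
from collections import namedtuple

Region = namedtuple("Region", "base size perms")  # perms like "r-x"

def overlaps(r, addr, size):
    return addr < r.base + r.size and r.base < addr + size

class UnpackTracker:
    def __init__(self):
        self.load_map = []   # saved by the loader hook
        self.runtime = []    # allocated during the execution period
        self.findings = []   # saved (kind, Region) descriptions

    def on_loader_alloc(self, base, size, perms):
        # Before the target receives control: save the map of its memory.
        self.load_map.append(Region(base, size, perms))
    def on_alloc(self, base, size, perms):
        # Additional allocation during the execution period.
        self.runtime.append(Region(base, size, perms))
        self.findings.append(("alloc", self.runtime[-1]))
    def on_protect(self, base, size, new_perms):
        # Report only requests that flip the execute bit of tracked memory.
        for r in self.load_map + self.runtime:
            if overlaps(r, base, size) and ("x" in new_perms) != ("x" in r.perms):
                self.findings.append(("exec-change", Region(base, size, new_perms)))
                return
    def on_write(self, addr, size):
        # Report writes that land in memory mapped before execution began.
        for r in self.load_map:
            if overlaps(r, addr, size):
                self.findings.append(("overwrite", Region(addr, size, r.perms)))
                return

# Constructed sample trace (not real process data).
EVENTS = [
    ("loader_alloc", 0x400000, 0x1000, "r-x"),
    ("loader_alloc", 0x401000, 0x1000, "rw-"),
    ("alloc", 0x7F0000, 0x2000, "rw-"),
    ("write", 0x7F0000, 0x100),            # runtime buffer: not an overwrite
    ("protect", 0x7F0000, 0x2000, "r-x"),  # rw- -> r-x: execute bit flips
    ("write", 0x400010, 0x20),             # hits the pre-execution image
    ("protect", 0x401000, 0x1000, "r--"),  # execute bit unchanged: ignored
]

def replay(events):
    tracker = UnpackTracker()
    for kind, *args in events:
        getattr(tracker, "on_" + kind)(*args)
    return tracker
```

The allocate, write, then make-executable sequence on a runtime region followed by a write into the loader-mapped image is the pattern an unpacker looks for; the saved descriptions mark which memory to dump.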