US 12,079,338 B2
System and method of fileless malware detection and non-transitory computer readable medium
Fu-Hau Hsu, Taichung (TW); Teng-Chuan Hsiao, New Taipei (TW); and Chia-Hao Lee, Miaoli County (TW)
Assigned to National Central University, Taoyuan (TW)
Filed by National Central University, Taoyuan (TW)
Filed on Mar. 24, 2021, as Appl. No. 17/210,527.
Claims priority of application No. 110104905 (TW), filed on Feb. 9, 2021.
Prior Publication US 2022/0253528 A1, Aug. 11, 2022
Int. Cl. G06F 21/56 (2013.01); G06F 21/51 (2013.01)
CPC G06F 21/565 (2013.01) [G06F 21/51 (2013.01); G06F 21/568 (2013.01)] 12 Claims
OG exemplary drawing
 
1. A system of fileless malware detection, and the system comprising:
a memory; and
a processor electrically connected to the memory, and the processor configured to execute a check program for:
intercepting an execution of a writable section in the memory;
extracting an executable code corresponding to the execution from the writable section;
analyzing whether the executable code is malicious;
when an instruction is the execution, checking whether a NX bit (No execute bit) in a PTE (Page Table Entry) is 1;
when the NX bit is checked as 1, triggering a page fault exception, and then determining whether a virtual memory area corresponding to the instruction is writable in response to that the page fault exception is triggered;
determining whether the virtual memory area is marked as executable in response to determining that the virtual memory area is writable; and
restoring the NX bit to 0 so as to restore the PTE in a normal state in response to determining that the virtual memory area is marked as executable, packaging a program code corresponding to the instruction from the virtual memory area into an ELF (Executable and Linkable Format) File to be scanned through a virus scanning software to generate a scan result, and determining whether the instruction can be executed according to the scan result.
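The check program of claim 1 can be modelled in user space to make the control flow concrete. The C program below is an added example and is not code from the patent or from National Central University; it replaces the kernel's PTE and VMA with two constructed structs, stands in for the "virus scanning software" with a toy scanner that flags a constructed marker string, and treats the case of a writable but non-executable mapping as a genuine NX violation (an assumption, since the claim does not say what happens there). The ELF packaging writes a minimal 64-byte ELF64 header followed by the raw bytes of the mapping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified models of the kernel objects named in the claim.
 * Only the fields the check program consults are kept. */
typedef struct { int nx; } pte_t;        /* NX bit of the Page Table Entry: 1 = no execute */
typedef struct {
    int writable;                        /* VMA is mapped writable */
    int executable;                      /* VMA is marked executable */
    const uint8_t *code;                 /* bytes backing the VMA (constructed sample) */
    size_t len;
} vma_t;

enum verdict { VERDICT_ALLOW = 0, VERDICT_BLOCK = 1, VERDICT_NO_TRAP = 2 };

/* Set NX = 1 on pages that are both writable and executable so that any
 * instruction fetch from them raises a page fault and reaches on_execute(). */
void arm_trap(pte_t *pte, const vma_t *vma) {
    pte->nx = (vma->writable && vma->executable) ? 1 : 0;
}

/* Package the mapping's code as a minimal ELF64 image: a zeroed 64-byte
 * ELF header with the identification fields filled in, then the raw bytes. */
size_t package_elf(const uint8_t *code, size_t len, uint8_t *out, size_t out_cap) {
    const size_t ehdr = 64;
    if (out_cap < ehdr + len) return 0;
    memset(out, 0, ehdr);
    memcpy(out, "\x7f" "ELF", 4);        /* e_ident magic */
    out[4] = 2;                          /* ELFCLASS64 */
    out[5] = 1;                          /* ELFDATA2LSB */
    out[6] = 1;                          /* EV_CURRENT */
    out[16] = 2;                         /* e_type = ET_EXEC */
    out[18] = 0x3e;                      /* e_machine = EM_X86_64 */
    out[20] = 1;                         /* e_version */
    memcpy(out + ehdr, code, len);
    return ehdr + len;
}

/* Stand-in for the virus scanning software (assumption): returns 1 (malicious)
 * when the packaged ELF body contains the constructed marker "EVIL", else 0.
 * Anything that is not an ELF image we built is treated as malicious. */
int toy_scanner(const uint8_t *elf, size_t len) {
    static const uint8_t marker[] = { 'E', 'V', 'I', 'L' };
    if (len < 64 || memcmp(elf, "\x7f" "ELF", 4) != 0) return 1;
    for (size_t i = 64; i + sizeof marker <= len; i++)
        if (memcmp(elf + i, marker, sizeof marker) == 0) return 1;
    return 0;
}

/* The page-fault path of the claim, entered when an instruction fetch faults. */
enum verdict on_execute(pte_t *pte, const vma_t *vma,
                        int (*scan)(const uint8_t *, size_t)) {
    if (pte->nx != 1) return VERDICT_NO_TRAP;     /* no NX fault: normal execution */
    if (!vma->writable) return VERDICT_NO_TRAP;   /* not a W+X mapping: left to the normal fault path */
    if (!vma->executable) return VERDICT_BLOCK;   /* writable but not executable: genuine NX violation (assumption) */

    pte->nx = 0;                                  /* restore the PTE to its normal state */
    uint8_t elf[4096];
    size_t n = package_elf(vma->code, vma->len, elf, sizeof elf);
    if (n == 0) return VERDICT_BLOCK;             /* could not package: fail closed */
    return scan(elf, n) ? VERDICT_BLOCK : VERDICT_ALLOW;
}

int main(void) {
    /* Constructed sample: two NOPs, the marker, and a RET. */
    static const uint8_t bad[] = { 0x90, 0x90, 'E', 'V', 'I', 'L', 0xc3 };
    static const uint8_t good[] = { 0x90, 0xc3 };
    vma_t wx_bad = { 1, 1, bad, sizeof bad };
    vma_t wx_good = { 1, 1, good, sizeof good };
    pte_t pte;

    arm_trap(&pte, &wx_bad);
    printf("W+X with marker : verdict %d, NX after = %d\n", on_execute(&pte, &wx_bad, toy_scanner), pte.nx);
    arm_trap(&pte, &wx_good);
    printf("W+X benign      : verdict %d, NX after = %d\n", on_execute(&pte, &wx_good, toy_scanner), pte.nx);
    return 0;
}
```

Running it shows verdict 1 (block) for the mapping containing the marker and 0 (allow) for the benign one, with the NX bit back at 0 in both cases; a read-only executable mapping is never armed, so its execution never enters the scan path.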