A portable executable file is analyzed by parsing a binary image of the portable executable file to generate a parsed field. An attribute of the parsed field is determined. The attribute of the parsed field is compared to a valid characteristic of a valid corresponding field based upon, at least in part, a portable executable file format specification. It is determined if the attribute of the parsed field matches the valid characteristic of the valid corresponding field.
Representative claim
1. A computer implemented method comprising: prior to execution of a binary image of a portable executable file format: parsing, by a computing device, the binary image of the portable executable file format to generate a parsed field; determining, by the computing device, an attribute of the parsed field; comparing, by the computing device, the attribute of the parsed field to a valid characteristic of a valid corresponding field specified by a portable executable file format specification; determining, by the computing device, if the attribute of the parsed field matches the valid characteristic of the valid corresponding field specified by the portable executable file format specification, wherein determining if the attribute of the parsed field matches the valid characteristic of the valid corresponding field specified by the portable executable file format specification includes determining, by the computing device, if the attribute of the parsed field is valid for a predetermined operating system; identifying, by the computing device, if the parsed field does not match the valid characteristic of the valid corresponding field; and determining, by the computing device, a likelihood of modifying the parsed field that does not match the valid characteristic of the valid corresponding field to generate a valid field based upon, at least in part, one or more empirically determined rules, wherein the empirically determined rules are based upon, at least in part, possible errors that occur in the parsed field and a number of modifications to implement to correct each possible error.

2. The computer implemented method of claim 1, wherein the parsed field includes one or more of a portable executable format signature, an ImageBase field, a SizeOfImage field, a FileAlignment field, a SectionAlignment field, an EntryPoint address, an import table, an import address table, an export table, a relocation table, a resource table, a thread local storage table, a load configuration table, a bound import table, a COM table, and a portable executable section table.

3. The computer implemented method of claim 1, wherein the attribute of the parsed field includes a field identifier.

4. The computer implemented method of claim 1, wherein the attribute of the parsed field includes a field length.

5. The computer implemented method of claim 1, wherein the attribute of the parsed field includes a field content.

6. The computer implemented method of claim 1, wherein the predetermined operating system includes a Windows operating system.

7. The computer implemented method of claim 1, further comprising determining, by the computing device, if the binary image of the portable executable file format includes a dynamic link library, a kernel driver, or an executable object.

8. A computer program product comprising a non-transitory computer readable medium having a plurality of instructions stored thereon, which, when executed by a processor, cause the processor to perform operations comprising: prior to execution of a binary image of a portable executable file format: parsing the binary image of the portable executable file format to generate a parsed field; determining an attribute of the parsed field; comparing the attribute of the parsed field to a valid characteristic of a valid corresponding field specified by a portable executable file format specification; determining if the attribute of the parsed field matches the valid characteristic of the valid corresponding field specified by the portable executable file format specification, wherein determining if the attribute of the parsed field matches the valid characteristic of the valid corresponding field specified by the portable executable file format specification includes determining if the attribute of the parsed field is valid for a predetermined operating system; identifying if the parsed field does not match the valid characteristic of the valid corresponding field; and determining a likelihood of modifying the parsed field that does not match the valid characteristic of the valid corresponding field to generate a valid field based upon, at least in part, one or more empirically determined rules, wherein the empirically determined rules are based upon, at least in part, possible errors that occur in the parsed field and a number of modifications to implement to correct each possible error.

9. The computer program product of claim 8, wherein the parsed field includes one or more of a portable executable format signature, an ImageBase field, a SizeOfImage field, a FileAlignment field, a SectionAlignment field, an EntryPoint address, an import table, an import address table, an export table, a relocation table, a resource table, a thread local storage table, a load configuration table, a bound import table, a COM table, and a portable executable section table.

10. The computer program product of claim 8, wherein the attribute of the parsed field includes a field identifier.

11. The computer program product of claim 8, wherein the attribute of the parsed field includes a field length.

12. The computer program product of claim 8, wherein the attribute of the parsed field includes a field content.

13. The computer program product of claim 8, wherein the predetermined operating system includes a Windows operating system.

14. The computer program product of claim 8, wherein the operations further comprise determining if the binary image of the portable executable file format includes a dynamic link library, a kernel driver, or an executable object.

15. A system comprising: a processor; a memory coupled with the processor; prior to execution of a binary image of a portable executable file format: a first software module executable by the processor and the memory, the first software module configured to parse the binary image of the portable executable file format to generate a parsed field; a second software module executable by the processor and the memory, the second software module configured to determine an attribute of the parsed field; a third software module executable by the processor and the memory, the third software module configured to compare the attribute of the parsed field to a valid characteristic of a valid corresponding field specified by a portable executable file format specification; a fourth software module executable by the processor and the memory, the fourth software module configured to determine if the attribute of the parsed field matches the valid characteristic of the valid corresponding field specified by the portable executable file format specification, wherein determining if the attribute of the parsed field matches the valid characteristic of the valid corresponding field specified by the portable executable file format specification includes determining if the attribute of the parsed field is valid for a predetermined operating system; a fifth software module executable by the processor and the memory, the fifth software module configured to identify if the parsed field does not match the valid characteristic of the valid corresponding field; and a sixth software module executable by the processor and the memory, the sixth software module configured to determine a likelihood of modifying the parsed field that does not match the valid characteristic of the valid corresponding field to generate a valid field based upon, at least in part, one or more empirically determined rules, wherein the empirically determined rules are based upon, at least in part, possible errors that occur in the parsed field and a number of modifications to implement to correct each possible error.

16. The system of claim 15, wherein the parsed field includes one or more of a portable executable format signature, an ImageBase field, a SizeOfImage field, a FileAlignment field, a SectionAlignment field, an EntryPoint address, an import table, an import address table, an export table, a relocation table, a resource table, a thread local storage table, a load configuration table, a bound import table, a COM table, and a portable executable section table.

17. The system of claim 15, wherein the attribute of the parsed field includes a field identifier.

18. The system of claim 15, wherein the attribute of the parsed field includes a field length.

19. The system of claim 15, wherein the attribute of the parsed field includes a field content.

20. The system of claim 15, wherein the predetermined operating system includes a Windows operating system.

21. The system of claim 15, further comprising a seventh software module executable by the processor and the memory, the seventh software module configured to determine if the binary image of the portable executable file format includes a dynamic link library, a kernel driver, or an executable object.
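
The parse, compare and identify steps of claim 1, together with the file-type determination of claim 7, can be illustrated as a pre-execution static check. The following is an added example, not code from the patent: the function names and the sample image are hypothetical, the valid characteristics are the constraints the Microsoft PE/COFF specification places on these header fields, and the likelihood-of-repair step is not covered.

```python
import struct

def parse_fields(image: bytes) -> dict:
    """Parse the header fields that validate() checks from a raw PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]   # e_lfanew: offset of the PE signature
    opt = pe + 24                                   # optional header follows the COFF header
    if len(image) < opt + 72:
        raise ValueError("headers truncated")
    u16 = lambda off: struct.unpack_from("<H", image, off)[0]
    u32 = lambda off: struct.unpack_from("<I", image, off)[0]
    magic = u16(opt)                                # 0x10B = PE32, 0x20B = PE32+
    base = struct.unpack_from("<Q", image, opt + 24)[0] if magic == 0x20B else u32(opt + 28)
    return {"Signature": image[pe:pe + 4], "Magic": magic, "ImageBase": base,
            "Characteristics": u16(pe + 22), "SectionAlignment": u32(opt + 32),
            "FileAlignment": u32(opt + 36), "SizeOfImage": u32(opt + 56),
            "Subsystem": u16(opt + 68)}

def validate(f: dict) -> list:
    """Return the names of fields whose value departs from the PE specification."""
    fa, sa = f["FileAlignment"], f["SectionAlignment"]
    checks = {
        "Signature": f["Signature"] == b"PE\0\0",
        "Magic": f["Magic"] in (0x10B, 0x20B),
        "FileAlignment": 512 <= fa <= 0x10000 and (fa & (fa - 1)) == 0,  # power of 2
        "SectionAlignment": sa > 0 and sa >= fa,
        "ImageBase": f["ImageBase"] % 0x10000 == 0,                      # multiple of 64 K
        "SizeOfImage": sa > 0 and f["SizeOfImage"] % sa == 0,
    }
    return [name for name, ok in checks.items() if not ok]

def image_kind(f: dict) -> str:  # mapping the native subsystem to "kernel driver" is a heuristic
    if f["Characteristics"] & 0x2000:               # IMAGE_FILE_DLL
        return "dll"
    return "kernel driver" if f["Subsystem"] == 1 else "executable"  # 1 = IMAGE_SUBSYSTEM_NATIVE

def sample_image(file_align=0x200, image_base=0x400000) -> bytes:
    """Constructed header-only PE32 image used as demo input (not a real binary)."""
    img = bytearray(0x200)
    img[:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                     # e_lfanew
    struct.pack_into("<HH", img, 0x80 + 22, 0x0102, 0x10B)      # Characteristics, Magic
    opt = 0x80 + 24
    struct.pack_into("<I", img, opt + 28, image_base)           # ImageBase (PE32 layout)
    struct.pack_into("<II", img, opt + 32, 0x1000, file_align)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", img, opt + 56, 0x3000)               # SizeOfImage
    struct.pack_into("<H", img, opt + 68, 3)                    # Subsystem: Windows console
    return bytes(img)
```

Calling `validate(parse_fields(sample_image(file_align=0x300, image_base=0x401000)))` flags the two fields that were deliberately set outside the specification.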