US Patent 9516055 Automatic malware signature extraction from runtime information

A computer system receives a file and instruments an original code of the file in memory. The resulting instrumented code allows for collection of runtime information of the original code. An unpacking routine that includes one or more instructions that execute several times, modify memory locations, and execute instructions in the modified memory locations is identified. The unpacking routine is deemed a malware signature and incorporated into a malware pattern. An unpacking behavior diagram can also be generated from the runtime information.