Patent attributes
A processing device (10) includes a processor (12), an interface (14) and a memory (100). The memory (100) is formed from system Random Access Memory (RAM) and one or more other storage devices. The memory (100) can be considered as comprising working memory (110) and persistent storage (120). The working memory includes the system RAM but may also use memory from one or more other storage devices and when certain suspicious program detection modules are operating also stores a comparison table (112) discussed below. Contained within the persistent storage are several executable program files as follows: an Absolute Memory Address Calculator executable program (121) which is responsible for causing the system (10) to inspect a copy of a persistently stored (and compiled) executable program (e.g. an executable program (125, 126, 127, . . . as stored in the persistent storage 120) and to calculate expected absolute memory locations for the various functions or helper programs that it makes calls to and to store these in a table (112) that it creates in the working memory (110) for this purpose; a Loaded Program Accessor executable program (122) which is responsible for causing the system (10) to inspect a copy of an executable program as loaded in the working memory (110) of the system after loading and linking of the program have been completed, to determine the actual memory locations stored in the Import Address Table (IAT) of the loaded program, and to store these actual memory locations in the comparison table (112); a Memory Location Comparator executable program (123) which is responsible for causing the system (10) during execution of this program to compare the calculated expected absolute memory locations with their respective actual accessed memory locations as stored in the comparison table of memory locations (112); and a Corroborator executable program (124) which is responsible for causing the system (10) during execution of this program to perform a corroboration of any mismatches of memory locations detected in the memory location pairs stored in the table (112) of memory locations, by, in the present embodiment, inspecting the contents of any executable instructions contained at the actually accessed memory location to look for the presence of an instruction causing a new thread of execution to be instantiated.
