Abstract: Embodiments include neutralizing and/or detecting attacks by malicious code, for example, by modifying (e.g., morphing) certain aspects of translation tables utilized by an interpreter. Translation table(s) may be morphed, for example, by modifying (e.g., randomizing) function names and/or bytecode instructions included therein. Programs and/or scripts to be executed by the interpreter are also patched to reference the modified function names and/or bytecode instructions, thereby enabling such programs and/or scripts to successfully call the modified function names (whereas malicious code continues to call the original function names). Calls to unmodified/unrecognized functions and/or bytecode instructions performed by the program or script may be trapped and logged for further analysis to check for malicious activity.

Abstract: Techniques are provided for neutralizing attacks by malicious code on a computer system. In an embodiment, this is achieved by modifying certain aspects of an operating system. For example, a system call table storing pointers to system functions is duplicated to create a shadow system call table. The original table is modified with traps resulting the neutralization of processes that access the table, whereas processes that access the shadow system call table are enabled to execute properly. In order for valid applications to operate with the shadow system call table, index numbers corresponding to the different system function calls are randomized in a system library that maintains function calls to such system functions. Valid applications may be patched in order to reference such randomized index numbers, whereas malicious processes continue to reference the original non-randomized index numbers.