Patents by Inventor Dmitry A. Kirsanov

Dmitry A. Kirsanov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10339301
    Abstract: Disclosed are systems and methods of analysis of files for maliciousness in a virtual machine. An exemplary method comprises: opening and executing a file by a processor in a virtual machine; intercepting an event arising in the process of execution of a thread of a process created upon opening of the file; halting the execution of the thread; reading the context of the processor on which the thread is being executed; comparing the context of the processor with one or more rules; and based on the results of the comparison, performing at least one of: recognizing the file as being malicious; halting the execution of the process created upon opening of the file; changing the context of the processor; and waiting for the next intercepted event.
    Type: Grant
    Filed: March 7, 2017
    Date of Patent: July 2, 2019
    Assignee: AO Kaspersky Lab
    Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
  • Patent number: 10275597
    Abstract: Disclosed are systems and methods for execution of program code by an interpreter. One exemplary method comprises: executing, by the interpreter, instructions of the program code in an emulated computer environment; when detecting, by the interpreter, an instruction of the program code associated with an unknown object for which the interpreter lacks a rule of interpretation, halting by the interpreter further execution of the instructions of the program code; obtaining, by the interpreter, an auxiliary code whose result of execution corresponds to the result of the execution of the unknown object, wherein the auxiliary code contains known objects for which the interpreter has a rule of interpretation; executing, by the interpreter, the instructions of the auxiliary code; and after completion of the execution of the auxiliary code, by the interpreter, resuming the execution of the instructions of the program code.
    Type: Grant
    Filed: March 1, 2017
    Date of Patent: April 30, 2019
    Assignee: AO KASPERSKY LAB
    Inventors: Vasily A. Davydov, Dmitry V. Vinogradov, Roman Y. Gavrilchenko, Dmitry A. Kirsanov
  • Patent number: 10261895
    Abstract: Disclosed are system and method for controlling execution of a computer program. An example method includes determining, by a processor, a memory sector for storing a portion of execution instructions of the computer program in virtual memory address space, determining, in the virtual memory address space, one or more pages that comprise code instructions and data associated with the memory sector, creating a duplicate of the virtual memory address space, tagging the memory sector and the one or more pages in both the virtual memory address space and the duplicate of the virtual memory address space, receiving a notification to transfer execution of the computer program between different memory sectors while executing instructions stored in either the virtual memory address space or the duplicate of the virtual memory address space and transferring execution of the computer program to a memory location other than the one in which the notification was received.
    Type: Grant
    Filed: November 16, 2018
    Date of Patent: April 16, 2019
    Assignee: AO Kaspersky Lab
    Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
  • Publication number: 20190095615
    Abstract: Disclosed are systems and methods for generating a log for conducting an antivirus scan of a file. The described technique includes opening a file in a virtual machine, which causes execution of a guest process and a thread in a (virtual) processor of the virtual machine. The technique includes identifying, during execution of the first thread, events that involve alteration of guest physical memory pages of the virtual machine. The technique determines altered guest physical memory page based on analysis of the log and identifies when a transfer of control to altered guest physical memory pages has occurred. The resultant log for analysis by a security application includes information indicating the events occurring during execution of the thread in the altered guest physical memory page, and context data of the virtual processor on which the thread is being executed.
    Type: Application
    Filed: September 25, 2017
    Publication date: March 28, 2019
    Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
  • Publication number: 20190087318
    Abstract: Disclosed are system and method for controlling execution of a computer program. An example method includes determining whether code instructions or data of interest are found in a portion of a page in an original virtual address space, when the code instructions or data are found in the portion of the page of a first type, tagging it as non-executable and tagging the portion of no interest as executable, when the code instructions or data are found in the portion of the second type, tagging it using an opcode and tagging the portion of no interest as executable, when the code instructions or data are found in the portion of the first type, duplicating the original virtual address space and tagging the portion of interest as executable and tagging the portion of no interest as non-executable and transferring execution of the computer program to a memory location other than the one in which a notification was received.
    Type: Application
    Filed: November 16, 2018
    Publication date: March 21, 2019
    Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
  • Publication number: 20190087319
    Abstract: Disclosed are system and method for controlling execution of a computer program. An example method includes determining, by a processor, a memory sector for storing a portion of execution instructions of the computer program in virtual memory address space, determining, in the virtual memory address space, one or more pages that comprise code instructions and data associated with the memory sector, creating a duplicate of the virtual memory address space, tagging the memory sector and the one or more pages in both the virtual memory address space and the duplicate of the virtual memory address space, receiving a notification to transfer execution of the computer program between different memory sectors while executing instructions stored in either the virtual memory address space or the duplicate of the virtual memory address space and transferring execution of the computer program to a memory location other than the one in which the notification was received.
    Type: Application
    Filed: November 16, 2018
    Publication date: March 21, 2019
    Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
  • Patent number: 10162745
    Abstract: Disclosed are system and method for controlling execution of a program. An example method includes determining a memory sector for storing at least a portion of execution instructions of the computer program in virtual memory address space; determining, in the virtual memory address space, one or more pages that contain code instructions and data associated with the memory sector; creating a duplicate of the virtual memory address space comprising the memory sector and the one or more pages; tagging the memory sector and the one or more pages in both the virtual memory address space and its duplicate; receiving a notification to transfer execution of the computer program between different memory sectors while executing instructions stored in either the virtual memory address space or its duplicate; and transferring execution of the computer program to a memory location other than the one in which the notification was received.
    Type: Grant
    Filed: August 11, 2016
    Date of Patent: December 25, 2018
    Assignee: AO Kaspersky Lab
    Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
  • Patent number: 10127381
    Abstract: Systems and methods to detect malicious executable files having a script language interpreter by combining a script emulator and a machine code emulator. A system includes an analyzer configured to convert a script into pseudocode and monitor an emulation process of the pseudocode, a script emulator configured to sequentially emulate the pseudocode and write emulation results to an emulator operation log, and a machine code emulator configured to emulate the pseudocode if a transition from pseudocode to machine code is detected by the analyzer, such that the analyzer can analyze the emulator operation log to determine if the executable file is malicious.
    Type: Grant
    Filed: November 8, 2016
    Date of Patent: November 13, 2018
    Assignee: AO KASPERSKY LAB
    Inventors: Vyacheslav V. Zakorzhevsky, Dmitry V. Vinogradov, Vladislav V. Pintiysky, Dmitry A. Kirsanov
  • Publication number: 20180225447
    Abstract: Disclosed are systems and methods of analysis of files for maliciousness in a virtual machine. An exemplary method comprises: opening and executing a file by a processor in a virtual machine; intercepting an event arising in the process of execution of a thread of a process created upon opening of the file; halting the execution of the thread; reading the context of the processor on which the thread is being executed; comparing the context of the processor with one or more rules; and based on the results of the comparison, performing at least one of: recognizing the file as being malicious; halting the execution of the process created upon opening of the file; changing the context of the processor; and waiting for the next intercepted event.
    Type: Application
    Filed: March 7, 2017
    Publication date: August 9, 2018
    Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Denis Y. Kobychev, Maxim Y. Golovkin, Vitaly V. Butuzov, Dmitry V. Karasovsky, Dmitry A. Kirsanov
  • Publication number: 20180165450
    Abstract: Disclosed are systems and methods for execution of program code by an interpreter. One exemplary method comprises: executing, by the interpreter, instructions of the program code in an emulated computer environment; when detecting, by the interpreter, an instruction of the program code associated with an unknown object for which the interpreter lacks a rule of interpretation, halting by the interpreter further execution of the instructions of the program code; obtaining, by the interpreter, an auxiliary code whose result of execution corresponds to the result of the execution of the unknown object, wherein the auxiliary code contains known objects for which the interpreter has a rule of interpretation; executing, by the interpreter, the instructions of the auxiliary code; and after completion of the execution of the auxiliary code, by the interpreter, resuming the execution of the instructions of the program code.
    Type: Application
    Filed: March 1, 2017
    Publication date: June 14, 2018
    Inventors: Vasily A. Davydov, Dmitry V. Vinogradov, Roman Y. Gavrilchenko, Dmitry A. Kirsanov
  • Publication number: 20170351600
    Abstract: Disclosed are system and method for controlling execution of a program. An example method includes determining a memory sector for storing at least a portion of execution instructions of the computer program in virtual memory address space; determining, in the virtual memory address space, one or more pages that contain code instructions and data associated with the memory sector; creating a duplicate of the virtual memory address space comprising the memory sector and the one or more pages; tagging the memory sector and the one or more pages in both the virtual memory address space and its duplicate; receiving a notification to transfer execution of the computer program between different memory sectors while executing instructions stored in either the virtual memory address space or its duplicate; and transferring execution of the computer program to a memory location other than the one in which the notification was received.
    Type: Application
    Filed: August 11, 2016
    Publication date: December 7, 2017
    Inventors: Vladislav V. Pintiysky, Denis V. Anikin, Dmitry A. Kirsanov
  • Publication number: 20170091457
    Abstract: Systems and methods to detect malicious executable files having a script language interpreter by combining a script emulator and a machine code emulator. A system includes an analyzer configured to convert a script into pseudocode and monitor an emulation process of the pseudocode, a script emulator configured to sequentially emulate the pseudocode and write emulation results to an emulator operation log, and a machine code emulator configured to emulate the pseudocode if a transition from pseudocode to machine code is detected by the analyzer, such that the analyzer can analyze the emulator operation log to determine if the executable file is malicious.
    Type: Application
    Filed: November 8, 2016
    Publication date: March 30, 2017
    Inventors: Vyacheslav V. Zakorzhevsky, Dmitry V. Vinogradov, Vladislav V. Pintiysky, Dmitry A. Kirsanov
  • Patent number: 9501643
    Abstract: Systems and methods to detect malicious executable files having a script language interpreter by combining a script emulator and a machine code emulator. A system includes an analyzer configured to convert a script into pseudocode and monitor an emulation process of the pseudocode, a script emulator configured to sequentially emulate the pseudocode and write emulation results to an emulator operation log, and a machine code emulator configured to emulate the pseudocode if a transition from pseudocode to machine code is detected by the analyzer, such that the analyzer can analyze the emulator operation log to determine if the executable file is malicious.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: November 22, 2016
    Assignee: AO KASPERSKY LAB
    Inventors: Vyacheslav V. Zakorzhevsky, Dmitry V. Vinogradov, Vladislav V. Pintiysky, Dmitry A. Kirsanov
  • Patent number: 9116621
    Abstract: Disclosed are system and method for controlling execution of a program. An example method includes determining a memory sector of interest in a first virtual memory location; duplicating the memory sector of interest in a second virtual memory location; tagging the memory sector of interest in the first virtual address space and the duplicated memory sector in the second virtual address space with different tags; selecting between the memory sector of interest and the duplicated memory sector a memory location for execution of the program; executing, by a hardware processor, the program in the selected memory location until receipt of a notification to transfer execution of the program from a memory sector tagged with one tag to a memory sector tagged with a different tag; and transferring program execution to the memory location other than the one in which the notification was received.
    Type: Grant
    Filed: January 14, 2015
    Date of Patent: August 25, 2015
    Assignee: Kaspersky Lab ZAO
    Inventors: Vladislav V. Pintiysky, Dmitry A. Kirsanov, Denis V. Anikin