Abstract: Particular embodiments described herein provide for an electronic device that can be configured to intercept a process, store execution profiling for the process if the process involves a privileged resource or a privileged operation, and analyze the code involved in each stack frame to determine malicious activity. If the process does not involve a privileged resource or a privileged operation, then the process is not analyzed.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor code as it executes. The code can include self-modifying code. The system can log an event if the self-modifying code occurred in a GetPC address region.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to intercept a process, store execution profiling for the process if the process involves a privileged resource or a privileged operation, and analyze the code involved in each stack frame to determine malicious activity. If the process does not involve a privileged resource or a privileged operation, then the process is not analyzed.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to intercept a process, store execution profiling for the process if the process involves a privileged resource or a privileged operation, and analyze the code involved in each stack frame to determine malicious activity. If the process does not involve a privileged resource or a privileged operation, then the process is not analyzed.

Abstract: In an example, there is provided a system and method for execution profiling detection of malicious software objects. An execution profiling (EXP) engine may be provided in conjunction with a binary translation engine (BTE). Both may operate within a trusted execution environment (TEE). Because many malware objects make assumptions about memory usage of host applications, they may cause exceptions when those assumptions prove untrue. The EXP engine may proactively detect such exceptions via the BTE when the BTE performs its translation function. Thus, malicious behavior may be detected before a binary runs on a system, and remedial measures may be provided.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor code as it executes. The code can include self-modifying code. The system can log an event if the self-modifying code occurred in a GetPC address region.

Abstract: In an example, there is provided a system and method for execution profiling detection of malicious software objects. An execution profiling (EXP) engine may be provided in conjunction with a binary translation engine (BTE). Both may operate within a trusted execution environment (TEE). Because many malware objects make assumptions about memory usage of host applications, they may cause exceptions when those assumptions prove untrue. The EXP engine may proactively detect such exceptions via the BTE when the BTE performs its translation function. Thus, malicious behavior may be detected before a binary runs on a system, and remedial measures may be provided.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to intercept a process, store execution profiling for the process if the process involves a privileged resource or a privileged operation, and analyze the code involved in each stack frame to determine malicious activity. If the process does not involve a privileged resource or a privileged operation, then the process is not analyzed.