Abstract: A method, software system, and computer-readable medium are provided for determining whether a malware that implements stealth techniques is resident on a computer. In one exemplary embodiment, a method is provided that obtains a first set of data that describes the processes that are reported as being active on the computer in a non-interrupt environment. Then, the method causes program execution to be interrupted at runtime so that an analysis of the active processes on the computer may be performed. After program execution is interrupted, a second set data that describes the processes that are reported as being active on the computer in a interrupt environment is obtained. By performing a comparison between the first and second sets of data, a determination may be made regarding whether the collected data contains inconsistencies that are characteristic of malware.

Abstract: When, during debugging, a program failure occurs, the location of the failure is determined. First the address in the stack related to the program failure is found. Then static analysis is performed in order to determine a possible culprit for the failure. For example, when a security cookie has been overwritten, indicating a probable overflow, the location of the security cookie on the stack is determined, and proximate storage structures (such as arrays) which may have overflowed onto the location of the security cookie are determined. Then static analysis is used to determine probable sources (e.g. functions or instructions in a function) for this error. In this way, the root cause of a buffer overflow or similar problem can be identified easily, rather than requiring extensive time and knowledge regarding the working of the compiler, the security cookie, the stack, static analysis, and the source code.