Abstract: In one embodiment, a method and apparatus for stack walking a call stack associated with mixed code, by interleaving a native stack walking process with a managed stack walking process. Mixed code comprises at least one managed instruction and at least one native instruction, and the call stack comprises at least one managed frame and at least one native frame. The managed frames being associated with the managed instructions, and the native frames being associated with native instructions. The method comprises acts of performing a managed stack walk on the call stack, a native stack walk on native frames of the call stack. In a further embodiment, handling indirect jumps during a native stack walk, and in another embodiment, detecting validity of a memory address.

Abstract: A method, software system, and computer-readable medium are provided for determining whether a malware that implements stealth techniques is resident on a computer. In one exemplary embodiment, a method is provided that obtains a first set of data that describes the processes that are reported as being active on the computer in a non-interrupt environment. Then, the method causes program execution to be interrupted at runtime so that an analysis of the active processes on the computer may be performed. After program execution is interrupted, a second set data that describes the processes that are reported as being active on the computer in a interrupt environment is obtained. By performing a comparison between the first and second sets of data, a determination may be made regarding whether the collected data contains inconsistencies that are characteristic of malware.

Abstract: When, during debugging, a program failure occurs, the location of the failure is determined. First the address in the stack related to the program failure is found. Then static analysis is performed in order to determine a possible culprit for the failure. For example, when a security cookie has been overwritten, indicating a probable overflow, the location of the security cookie on the stack is determined, and proximate storage structures (such as arrays) which may have overflowed onto the location of the security cookie are determined. Then static analysis is used to determine probable sources (e.g. functions or instructions in a function) for this error. In this way, the root cause of a buffer overflow or similar problem can be identified easily, rather than requiring extensive time and knowledge regarding the working of the compiler, the security cookie, the stack, static analysis, and the source code.

Abstract: In one embodiment, a method and apparatus for stack walking a call stack associated with mixed code, by interleaving a native stack walking process with a managed stack walking process. Mixed code comprises at least one managed instruction and at least one native instruction, and the call stack comprises at least one managed frame and at least one native frame. The managed frames being associated with the managed instructions, and the native frames being associated with native instructions. The method comprises acts of performing a managed stack walk on the call stack, a native stack walk on native frames of the call stack. In a further embodiment, handling indirect jumps during a native stack walk, and in another embodiment, detecting validity of a memory address.