Abstract: Disclosed are system and method for controlling execution of a program. An example method includes determining a memory sector for storing at least a portion of execution instructions of the computer program in virtual memory address space; determining, in the virtual memory address space, one or more pages that contain code instructions and data associated with the memory sector; creating a duplicate of the virtual memory address space comprising the memory sector and the one or more pages; tagging the memory sector and the one or more pages in both the virtual memory address space and its duplicate; receiving a notification to transfer execution of the computer program between different memory sectors while executing instructions stored in either the virtual memory address space or its duplicate; and transferring execution of the computer program to a memory location other than the one in which the notification was received.

Abstract: Disclosed are systems, methods, and computer program products for emulation of files using multiple images of the emulator state. In one example, the method includes loading the file into an emulator of the computer system; initiating emulation of the file by the emulator; storing an initial image of an initial state of the emulator; continuing the emulation of the file and detecting occurrence of a condition that results during the emulation of the file; creating and storing a new image of a next state of the emulator when an occurrence of the condition is detected; determining whether the emulation of the file has terminated correctly or incorrectly; and upon determining that the emulation of the file has terminated incorrectly, loading the new image of the next state into the emulator and resuming the emulation of the file from the next state of the emulator.

Abstract: A method and system are provided for performing an antivirus scan of a file on a virtual machine. An example method includes performing a first execution of the file on the virtual machine, recording a first log that includes an API function call and an internal event detected during execution, and determining if any signatures in the log are stored in a signatures database. Moreover, if no signatures in the first log are found in the first database of signatures, the file is classified as not malicious. In contrast, if at least one signature is found, a second execution of the file is perform and a second log is recorded that includes a detected internal event. Moreover, the method includes determining if any signatures in the second log are stored in a second database of signatures; and classifying the file as not malicious if no signatures are found.

Abstract: Systems and methods to detect malicious executable files having a script language interpreter by combining a script emulator and a machine code emulator. A system includes an analyzer configured to convert a script into pseudocode and monitor an emulation process of the pseudocode, a script emulator configured to sequentially emulate the pseudocode and write emulation results to an emulator operation log, and a machine code emulator configured to emulate the pseudocode if a transition from pseudocode to machine code is detected by the analyzer, such that the analyzer can analyze the emulator operation log to determine if the executable file is malicious.

Abstract: Systems and methods to detect malicious executable files having a script language interpreter by combining a script emulator and a machine code emulator. A system includes an analyzer configured to convert a script into pseudocode and monitor an emulation process of the pseudocode, a script emulator configured to sequentially emulate the pseudocode and write emulation results to an emulator operation log, and a machine code emulator configured to emulate the pseudocode if a transition from pseudocode to machine code is detected by the analyzer, such that the analyzer can analyze the emulator operation log to determine if the executable file is malicious.

Abstract: Disclosed are systems, methods, and computer program products for emulation of files using multiple images of the emulator state. In one example, the method includes loading the file into an emulator of the computer system; initiating emulation of the file by the emulator; storing an initial image of an initial state of the emulator; continuing the emulation of the file and detecting occurrence of a condition that results during the emulation of the file; creating and storing a new image of a next state of the emulator when an occurrence of the condition is detected; determining whether the emulation of the file has terminated correctly or incorrectly; and upon determining that the emulation of the file has terminated incorrectly, loading the new image of the next state into the emulator and resuming the emulation of the file from the next state of the emulator.

Abstract: Disclosed are system and method for controlling execution of a program. An example method includes determining a memory sector of interest in a first virtual memory location; duplicating the memory sector of interest in a second virtual memory location; tagging the memory sector of interest in the first virtual address space and the duplicated memory sector in the second virtual address space with different tags; selecting between the memory sector of interest and the duplicated memory sector a memory location for execution of the program; executing, by a hardware processor, the program in the selected memory location until receipt of a notification to transfer execution of the program from a memory sector tagged with one tag to a memory sector tagged with a different tag; and transferring program execution to the memory location other than the one in which the notification was received.

Abstract: Disclosed are systems, methods, and computer program products for preserving and subsequently restoring a state of a program emulator. In one aspect, the system loads a file into an emulator of the computer system and determines whether an emulation is being performed for the first time. When the emulation is performed for the first time, the system loads into the emulator an initial image of the emulator state and emulates the file using the loaded initial image of the emulator state. During emulation, the system creates and stores new images of the emulator state upon occurrence of predefined conditions. When the emulation is not performed for the first time, the system identifies new images of the emulator state created during initial emulation of the file, loads into the emulator the identified images, and resume emulating the file using the new images of the emulator state.

Abstract: Disclosed are systems, methods, and computer program products for preserving and subsequently restoring a state of a program emulator. In one aspect, the system loads a file into an emulator of the computer system and determines whether an emulation is being performed for the first time. When the emulation is performed for the first time, the system loads into the emulator an initial image of the emulator state and emulates the file using the loaded initial image of the emulator state. During emulation, the system creates and stores new images of the emulator state upon occurrence of predefined conditions. When the emulation is not performed for the first time, the system identifies new images of the emulator state created during initial emulation of the file, loads into the emulator the identified images, and resume emulating the file using the new images of the emulator state.

Abstract: System and method for detecting malware on a target computer system having a bootable device. Boot process information stored on the bootable device that at least partially defines a boot process of the target computer system is obtained, along with physical parameter data defining a storage arrangement structure of the bootable device. The boot process of the target computer system is emulated based on the boot process information and on the physical parameter data. The emulation includes executing instructions of the boot process information and tracking data accessed from the bootable device. A data structure representing the data accessed from the bootable device is stored during the emulation of the boot process. The data structure can be analyzed for any presence of boot process malware.