
Detecting malicious code based on deviations in executable image import resolutions and load patterns


Abstract

Trusted executable images are run in a controlled environment, such as a dynamic malware analysis platform. For each trusted executable image, a corresponding baseline import-load signature is generated. This can be done by applying a cryptographic hash function to the specific instructions which resolve imports and/or load libraries, and their operands. Sample programs are run in the controlled environment and tested for maliciousness. Any executable image run by a given sample program in the controlled environment is identified, and an import-load signature of the executable image when run by the sample program is generated. The import-load signature of the executable image when run by the sample program is compared to the corresponding stored baseline import-load signature for the same executable image. The sample program is adjudicated as being benign or malicious based on at least the results of the comparison.
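The following is an added illustration of the import-load signature scheme the abstract describes; it is not Symantec's code or taken from the patent. The instruction traces, the image name and the module names are constructed stand-ins for what a dynamic analysis sandbox would record for an instrumented run.

```python
import hashlib
from typing import Iterable

# Constructed sample traces: each event is (instruction that resolves an import
# or loads a library, its operand), in the order a sandbox would observe them.
# Baseline: the trusted image run on its own in the controlled environment.
BASELINE_TRACE = [
    ("LoadLibraryW", "kernel32.dll"),
    ("GetProcAddress", "CreateFileW"),
    ("GetProcAddress", "ReadFile"),
    ("LoadLibraryW", "advapi32.dll"),
    ("GetProcAddress", "RegOpenKeyExW"),
]

# The same trusted image observed while run by a sample program; the trace
# differs from the baseline by one extra library load (constructed name).
DEVIATING_TRACE = BASELINE_TRACE + [("LoadLibraryW", "unexpected_module.dll")]


def import_load_signature(trace: Iterable[tuple[str, str]]) -> str:
    """Hash the import-resolving / library-loading instructions and their operands
    in order, so any inserted, removed or altered event changes the digest."""
    h = hashlib.sha256()
    for instr, operand in trace:
        # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
        for field in (instr, operand):
            data = field.encode("utf-8")
            h.update(len(data).to_bytes(4, "big"))
            h.update(data)
    return h.hexdigest()


def adjudicate(baselines: dict[str, str], image: str,
               observed_trace: Iterable[tuple[str, str]]) -> str:
    """Compare the image's signature under the sample run with its stored baseline.
    Returns 'benign', 'malicious', or 'unknown' when no baseline exists for the image."""
    baseline = baselines.get(image)
    if baseline is None:
        return "unknown"
    return "benign" if import_load_signature(observed_trace) == baseline else "malicious"


if __name__ == "__main__":
    # Step 1: build baselines from trusted images run alone (constructed image name).
    baselines = {"trusted_app.exe": import_load_signature(BASELINE_TRACE)}
    # Step 2: adjudicate a sample run from how the same image resolved its imports.
    print(adjudicate(baselines, "trusted_app.exe", BASELINE_TRACE))   # benign
    print(adjudicate(baselines, "trusted_app.exe", DEVIATING_TRACE))  # malicious
```

In a real deployment the comparison result is one input to the verdict rather than the whole of it, as the abstract's "based on at least the results of the comparison" indicates.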

Bibliographic data

  • Publication number: US10061924B1
  • Publication date: 2018-08-28
  • Original format: PDF
  • Applicant / assignee: SYMANTEC CORPORATION
  • Application number: US201514986362
  • Inventor: PRASHANT GUPTA
  • Filing date: 2015-12-31
  • Classification: G06F11/00; G06F21/56
  • Country: US
  • Added to database: 2022-08-21 13:03:11
