The sophistication of malware attacks and malware code persistence continues to increase. For instance, injected malware code that executes in a legitimate process on a system is difficult to detect. One reason for this is that injected malware code has a minimal, or no, disk footprint during operation of the infected system. That is, injected malware code may reside completely, or almost completely, in the memory of the system during operation, instead of residing on other non-volatile storage devices such as hard drives. Malware injection may include reflective injection, shellcode, stripped MZ headers, obfuscated payloads, and/or the like.
Injected malware code detection often requires scanning the large address space of a process's memory, as well as searching and emulating code over those memory regions. In state-of-the-art systems, such as those with 64-bit operating systems, system memory and virtual memory spaces may be a few gigabytes (GB) to tens or hundreds of terabytes (TB) or more in size. Scanning and analyzing such large address spaces requires significant time and system resources, and analysis resources are typically constrained in order to balance efficiency and cost against effectiveness. With the advent of large virtual memories in x64 systems, scaling scanning and analysis resources effectively is difficult.
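To illustrate the "no disk footprint" point and the scanning cost it implies, here is an added example (not code from the original document) that parses memory-map lines in the Linux /proc/<pid>/maps format, flags executable regions with no backing file as candidate injected-code regions, and compares the bytes a targeted scan must cover with the whole mapped space. The map contents are a constructed sample, and the Linux map format is an assumption chosen for illustration; the same triage applies to other operating systems' region listings.

```python
"""Triage process memory regions for injected-code scanning (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in /proc/<pid>/maps format; not captured from a real process.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1310722 /usr/bin/example
00651000-00652000 rw-p 00051000 08:01 1310722 /usr/bin/example
7f1a3c000000-7f1a3c021000 rw-p 00000000 00:00 0
7f1a3e400000-7f1a3e5c0000 r-xp 00000000 08:01 2359 /lib/x86_64-linux-gnu/libc.so.6
7f1a40000000-7f1a40010000 rwxp 00000000 00:00 0
7f1a40010000-7f1a40020000 r-xp 00000000 00:00 0 [anon:payload]
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
"""

@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def file_backed(self) -> bool:
        # Pseudo-paths such as [stack], [heap] or [anon:...] are not files on disk.
        return bool(self.path) and not self.path.startswith("[")

def parse_maps(text: str) -> List[Region]:
    """Parse maps-format lines into Region records; malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 5:
            continue
        lo, hi = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5] if len(parts) == 6 else ""
        regions.append(Region(lo, hi, parts[1], path))
    return regions

def injection_candidates(regions: List[Region]) -> List[Region]:
    """Executable regions with no backing file: memory-only code worth deeper scanning."""
    return [r for r in regions if r.executable and not r.file_backed]

def scan_budget(regions: List[Region]) -> Tuple[int, int]:
    """Return (bytes in all mapped regions, bytes in injection candidates only)."""
    total = sum(r.size for r in regions)
    targeted = sum(r.size for r in injection_candidates(regions))
    return total, targeted
```

Restricting the expensive search and emulation passes to `injection_candidates` is one way to keep scan cost bounded as address spaces grow; file-backed executable regions can instead be verified against their on-disk image.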