The number of software applications is increasing with a tremendous pace. Among the diversity of applications there are many malicious programs (malware), which cause harm to the computer or the computer user, such as Internet worms, key loggers, and computer viruses. There are also many technologies for providing security to computers, such as antivirus software, which is designed to detect malicious programs, as well as restrict their operability (such as placing them in quarantine or completely removing them from the computer).
However, there are various methods used by the developers of malicious programs to hide the activity of the malware from the antivirus applications. Depending on the methods being used by the antivirus application for detection of malicious software, such as signature analysis (a technique of searching for correspondences between a given segment of the code of the program being analyzed and a known code, or signature, from a library of signatures of malicious programs), heuristic analysis (a technique involving emulating the execution of the program being analyzed, creating a log of calls for API functions and searching for data correspondences between the created log of calls for API functions and a library of emulations of malicious programs), or proactive analysis (a technique involving intercepting calls for API functions of a program being analyzed and being launched in the system, creating a log of calls for API functions and searching for data correspondences between the log created and a library of calls for API functions of malicious programs), the developers of malicious applications can use methods of anti-emulation (such as checking for values returned by functions whose emulation in all likelihood is not realized in an emulator, in order to detect the emulation of a code execution), root kits (malicious programs which hide their presence on the computing device, for example with the help of drivers), polymorphic malicious programs (malicious programs whose executable code changes during the time of its execution), and obfuscation of the application code (changing the code of a malicious program into a form which is able to operate, yet is difficult to analyze). In addition to the above-described approaches, which are aimed at counteracting the antivirus application (for example, counteracting the detection by the antivirus application), malicious software can apply the approach of executing malicious code (instructions) from the address space of trusted applications (applications known to not be malicious, and any activity of such applications is permitted by the antivirus application).
Various approaches are used to monitor the execution of malicious code from the address space of a trusted application, including approaches involving tracking of calls for various API functions used for the transfer of control or for access to the address space of processes in order to track the call for a malicious code or its writing into the address space of a trusted process.
Although the abovementioned approaches are aimed at solving certain problems in the area of detection of malicious code in the address space of a trusted process, they do not solve the problem effectively enough: the mentioned approaches either require the checking of a plurality of possible operations of access to third-party processes (including the operations being carried out by trusted processes), or they survey a limited group of situations for which it is necessary to check the address space of a process in order to reveal a malicious code. The present invention enables more effective solving of the problem of detecting malicious code in random access memory.