Software for detecting malicious code and malicious files, such as antivirus applications, is constantly being improved. Often such software works together with (or includes) application control modules to enhance the security provided to computer systems, for example by preventing untrusted applications from running. Application control modules generally use white lists and black lists of applications to identify which applications are permitted and which are prohibited. Files or applications on a black list are recognized by the antivirus application as malicious, while files on a white list are considered safe for computer systems (“trusted”) and are not further checked by the antivirus application. The use of such lists significantly reduces the load that security processing places on the computer system, since the antivirus application does not need to check each file with every available method, such as signature analysis, heuristic analysis, behavioral analysis, and so forth.
However, not all actions or processes launched from a trusted file on a white list are harmless to a computer system. Modern malicious programs may embed themselves in the address space of a trusted process and execute their malicious code from there. The execution of such malicious code is not detected (and thus not blocked) by the antivirus application, since the antivirus application performs no analysis (for example, signature or heuristic analysis) of code residing in the address space of a trusted process.
However, approaches to detecting memory regions in the address space of processes that correspond to malicious code require sizeable computing resources, since such approaches involve scanning the memory of the computer system. The present disclosure provides aspects that address the problem of detecting malicious code in the address space of a process more effectively.
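The following is an added illustration, not code from the disclosure, of the two-stage logic described above: a black-list/white-list verdict for files, and a narrowed check of a trusted process's address space that looks only at executable regions not backed by a white-listed file. The list contents, hashes and the `Region` model are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lists; the hashes are placeholders, not real indicators.
WHITE_LIST = {"sha256:PLACEHOLDER_TRUSTED_EDITOR"}
BLACK_LIST = {"sha256:PLACEHOLDER_KNOWN_DROPPER"}


def classify_file(file_hash: Optional[str]) -> str:
    """Application-control verdict for one file.

    A black-list hit wins over a white-list hit; anything else is 'unknown'
    and must still go through the full (signature, heuristic, ...) scan.
    Anonymous memory has no backing file, so it is 'unknown' as well.
    """
    if file_hash is None:
        return "unknown"
    if file_hash in BLACK_LIST:
        return "malicious"
    if file_hash in WHITE_LIST:
        return "trusted"
    return "unknown"


@dataclass
class Region:
    """One mapped region of a process address space (hypothetical model)."""
    start: int
    size: int
    executable: bool
    backing_file_hash: Optional[str]  # None for private/anonymous memory


def regions_to_scan(process_file_hash: str, regions: List[Region]) -> List[Region]:
    """Return the executable regions of a process that still need scanning.

    A process launched from a white-listed file is trusted as a whole, which is
    the blind spot described above: code placed into its address space is never
    looked at.  Restricting the scan to executable regions that are not backed
    by a trusted file keeps the cost low while closing that gap.
    """
    if classify_file(process_file_hash) == "malicious":
        return list(regions)  # nothing in a known-bad process is trusted
    return [
        r for r in regions
        if r.executable and classify_file(r.backing_file_hash) != "trusted"
    ]
```

Regions that are not executable (heap, data) are skipped entirely, which is where the saving over a full memory scan comes from.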