Palo Alto Networks, Inc.
Simulating user interactions for malware analysis

Abstract:

Simulating user interactions during dynamic analysis of a sample is disclosed. A sample is received for analysis. Prior to execution of the sample, a baseline screenshot of a desktop is generated by accessing frame buffer data stored on a graphics card. The sample is caused to execute, at least in part using one or more hypervisor instructions to move a pointing device to an icon associated with the sample. A current screenshot of the desktop is generated by accessing current frame buffer data stored on the graphics card.