|
|
- 2018
Windows恶意代码动态通用脱壳方法研究
|
Abstract:
加壳技术为程序保护提供了一种新的思路,但同时也成为恶意代码的保护伞.恶意软件通过加壳可以批量、快速的生成海量变种,给分析人员带来了极大的困扰.因此,研究脱壳技术成为解决该问题的一种有效方法. 传统的脱壳方法如UPX、ASProtect等针对的是特定种类的壳,因其不能应付壳的版本与种类的变化而逐渐无法适用,研究一种通用的动态脱壳方法是极为必要的.根据加壳程序执行时都要在内存中还原原始代码的特点,在动态二进制分析平台的基础上提出了一种基于内存标记的动态通用脱壳方法.实验表明:该方法无需先验知识就可以有效地定位加壳程序的原始入口点,提取出程序的原始代码,具有较好的脱壳效果.
Code packing brings?a?new?conception?to protect software, but it also serves as an umbrella for malicious code. It has been intensified that malware using packing techniques to evade detection and it troubles analysts due to the massive variants of malware produced by code packing. Traditional unpacking methods based on feature matching gradually become inapplicable because they can’t cope with the change of shell version and type, so a general unpacking method would be very useful. In this paper, we proposed a common unpacking method based on dynamic binary analysis platform, according to the property that packer will restore the original code during the process of executing. The experimental results show that our method can effectively locate the original entry point of the program, extract the code that has been hidden, and can get the accurate image size of the process in the memory, which can effectively realize dynamic unpacking of the shell code
