基于环境敏感分析的恶意代码脱壳方法

Malicious Hidden-Code Extracting Based on Environment-Sensitive Analysis

加壳技术是软件的常用保护手段,但也常被恶意代码用于躲避杀毒软件的检测.通用脱壳工具根据加壳恶意代码运行时的行为特征或统计特征进行脱壳,需要建立监控环境,因此易受环境敏感技术的干扰.文中提出了一种基于环境敏感分析的恶意代码脱壳方法,利用动静结合的分析技术检测并清除恶意代码的环境敏感性.首先,利用中间语言对恶意代码的执行轨迹进行形式化表示;然后,分析执行轨迹中环境敏感数据的来源和传播过程,提取脱壳行为的环境约束;最后,求解环境约束条件,根据求解结果对恶意代码进行二进制代码插装,清除其环境敏感性.基于此方法,作者实现了一个通用的恶意代码脱壳工具:MalUnpack,并对321个最新的恶意代码样本进行了对比实验.实验结果表明MalUnpack能有效对抗恶意代码的环境敏感技术,其脱壳率达到了89.1%,显著高于现有基于动态监控的通用脱壳工具的35.5%和基于特征的定向脱壳工具的28.0%.

Code packing is an obfuscation technique to protect against reverse engineering,but it is commonly used to hide malicious code from virus detection as well.Environment-sensitive packing techniques are able to check whether the run-time environment is suspicious,then malware can dynamically change the unpacking behaviors according to the environment.While many unpacking tools were proposed,such as static unpackers and dynamic unpackers,the existing solutions are either unable to handle unknown packing techniques,or vulnerable to various environment-sensitive techniques.In this paper,we propose a new unpacking approach based on environment-sensitive analysis.Our approach precisely tracks the flow of environment-sensitive data,then symbolically evaluates the recorded trace and gathers path constraints on environment-sensitive data.Using the collected path constraints,we can deduce the dependence of the packed malware＇s control flow on run-time environment then remove the environmental sensitivity of the malware.To demonstrate its effectiveness,we present a prototype system,called MalUnpack,and apply it to 321 in the wild packed malware samples.The experimental results show that MalUnpack can effectively identify and unpack 89.1% of the malware samples,while the number of using dynamic unpackers without environment-sensitive analysis is 35.5%,and the number of using signature-based unpacker is only 28.0%.