
Research of dynamic general unpacking methods for Windows malware (Windows恶意代码动态通用脱壳方法研究), cited by 5

Abstract: Code packing offers a new way to protect programs, but it also shelters malicious code: by packing, a malware author can generate huge numbers of variants quickly and in bulk, which greatly burdens analysts. Unpacking is therefore an effective response. Traditional unpackers, each written for one specific packer such as UPX or ASProtect and relying on signature matching, gradually stop working because they cannot keep up with changes in packer version and type, so a generic dynamic unpacking method is badly needed. Because every packed program must restore its original code in memory before it can execute it, this paper proposes a generic dynamic unpacking method based on memory tagging, built on a dynamic binary analysis platform. Experiments show that, with no prior knowledge of the packer, the method locates the original entry point (OEP) of the packed program, extracts the hidden original code, and recovers the exact size of the process image in memory, giving good unpacking results.

Authors: GUO Wen, WANG Jun-Feng (郭文, 王俊峰), College of Computer Science, Sichuan University, Chengdu 610065, China

Source: Journal of Sichuan University (Natural Science Edition) (四川大学学报(自然科学版)), 2018, No. 2, pp. 283-289 (7 pages). Indexed in CAS, CSCD and the Peking University Core Journals list.

Funding: National Key R&D Program of China (2016YFB0800605, 2016QY06X1205); National Science and Technology Major Project (2015ZX01040101-002); Sichuan Province Soft Science Program (2016ZR0087).

Keywords: malware; code unpacking; dynamic analysis; DECAF platform
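The memory-tagging idea in the abstract is the write-then-execute heuristic: tag every byte the program writes, and the first instruction fetched from a tagged byte marks a transition out of the packer stub into code that was restored at run time; the last such transition is the OEP, and the run of tagged pages around it is the image to dump. The example below is an added illustration written for this page, not the authors' DECAF plugin: instead of hooking the memory-write and instruction-execution callbacks of a whole-system emulator it replays a recorded trace, and the trace event format, the 4 KiB page size and the two-layer sample trace are all constructed assumptions.

```python
"""Write-then-execute heuristic for generic dynamic unpacking.

Added example, not the paper's DECAF plugin: it replays a recorded
instruction trace instead of instrumenting QEMU. The event format
("W", addr, size) / ("X", addr), the 4 KiB page size and the sample
packer trace are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Set, Tuple

PAGE = 0x1000  # assumed page granularity for the dumped region


def page_of(addr: int) -> int:
    return addr & ~(PAGE - 1)


@dataclass(frozen=True)
class Layer:
    """A control transfer into memory that was written earlier in the run."""
    entry: int          # first executed address that carried a "written" tag
    region_start: int   # start of the contiguous run of written pages around entry
    region_size: int    # its size in bytes: the image size to dump


@dataclass
class UnpackTracker:
    # Byte-granular shadow memory: every address written since the last
    # layer transition. Byte tags (rather than page tags) stop a stub that
    # writes a local variable next to its own code from triggering.
    written: Set[int] = field(default_factory=set)
    layers: List[Layer] = field(default_factory=list)

    def on_write(self, addr: int, size: int) -> None:
        self.written.update(range(addr, addr + size))

    def on_exec(self, addr: int) -> Optional[Layer]:
        """Called once per executed instruction with its start address."""
        if addr not in self.written:
            return None
        start, size = self._region_around(addr)
        layer = Layer(addr, start, size)
        self.layers.append(layer)
        # Reset the tags so a second packing layer (code that was itself
        # unpacked, then writes and jumps to a third stage) is detected too.
        self.written.clear()
        return layer

    def _region_around(self, addr: int) -> Tuple[int, int]:
        pages = {page_of(a) for a in self.written}
        lo = hi = page_of(addr)
        while lo - PAGE in pages:
            lo -= PAGE
        while hi + PAGE in pages:
            hi += PAGE
        return lo, hi - lo + PAGE


def analyse(trace: Sequence[tuple]) -> List[Layer]:
    """Replay a trace and return every written-then-executed transition."""
    t = UnpackTracker()
    for ev in trace:
        if ev[0] == "W":
            t.on_write(ev[1], ev[2])
        elif ev[0] == "X":
            t.on_exec(ev[1])
        else:
            raise ValueError(f"unknown event {ev!r}")
    return t.layers


def original_entry_point(trace: Sequence[tuple]) -> Optional[int]:
    """The OEP is the entry of the last layer: nothing new is written-then-executed after it."""
    layers = analyse(trace)
    return layers[-1].entry if layers else None


# Constructed trace of a two-layer packer, not a real sample.
SAMPLE_TRACE = [
    ("X", 0x401000),          # declared PE entry point: the packer stub
    ("W", 0x401800, 4),       # stub stores a counter in its own code page
    ("X", 0x401005),          # ...and keeps executing there: no transition
    ("W", 0x403000, 0x1800),  # stub decompresses stage 2 into 0x403000-0x4047FF
    ("X", 0x40100A),
    ("X", 0x403000),          # jump into written memory: layer 1
    ("W", 0x500000, 0x1000),  # stage 2 decrypts the real program into 0x500000-0x500FFF
    ("X", 0x403010),
    ("X", 0x500010),          # OEP: second transition, nothing written afterwards
    ("X", 0x500015),
]

if __name__ == "__main__":
    for i, layer in enumerate(analyse(SAMPLE_TRACE), 1):
        print(f"layer {i}: entry={layer.entry:#x} dump {layer.region_start:#x} +{layer.region_size:#x}")
    print(f"OEP candidate: {original_entry_point(SAMPLE_TRACE):#x}")
```

On a real emulator the same two callbacks are what the platform provides: a write hook feeds on_write and a per-instruction hook feeds on_exec, and the dump is taken from guest memory at the region the final Layer reports. Clearing the tags at each transition is what lets a multi-layer packer resolve to its last stage rather than to the first decompression stub.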