Abstract
Embedded code obfuscation embeds malicious code into normal code by techniques such as space adjustment and data transfer, and exploits the constraints that disassembly algorithms place on the analysis start address and end address so that the embedded malicious code escapes disassembly. For the four cases of embedded code obfuscation, this paper designs an improved recursive traversal disassembly algorithm. During disassembly, the algorithm sets an end address corresponding to each different start address, so that the embedded code is identified and analysed. Experiments show that the proposed algorithm can counter malicious code that uses embedded code obfuscation and improves the coverage of code analysis.
Embedded code obfuscation embeds malicious code in normal code with techniques such as adjustment of space, data transfer, etc. It exploits the constraint on the start address and the end address in the disassembly algorithm to avoid the detection of malware. In this paper, we design an improved recursive traversal disassembly algorithm for the four kinds of embedded code. The algorithm achieves the analysis of the embedded code in the process of disassembly by setting up the end address based on each different start address. Finally, the experiments validate that the algorithm proposed in this paper can resist malware obfuscated with embedded code, which improves the coverage rate of code analysis.
Authors
DAI Chao (戴超), PANG Jianmin (庞建民), HAN Lin (韩林), TAO Hongwei (陶红伟)
Information Engineering University, Zhengzhou 450001, China; State Key Lab of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
Source
Journal of Information Engineering University (《信息工程大学学报》), 2018, No. 3, pp. 347-352 (6 pages)
Funding
National Natural Science Foundation of China (61472447)