
A Reverse Forensics Method for Trojans Based on "Key Function" Breakpoint Setting (cited by: 3)

Research on Trojans Malicious Program Forensics Based on “Key Function” Breakpoint Setting
Abstract (translated from the Chinese): The forensic method commonly used for Trojan malicious programs is reverse analysis, but this method has the disadvantages of high operational difficulty and a long forensic cycle. To reduce the difficulty of forensics and improve analysis efficiency, a forensic analysis method for Trojan malicious programs based on "key function" breakpoint setting is proposed. An association is established between malicious functionality and the program's main functions: starting from the core system functions that the Trojan uses, breakpoints are set and the parameter values are captured, from which the main functionality of the malicious program is determined. This method avoids reading large amounts of assembly code, simplifies the analysis and shortens the forensic cycle.

Abstract (original English): At present, reverse analysis is the forensic method used for Trojans. However, this method requires the inspector to start from the program entry point and read the assembly code line by line; analysing the logical function of the malicious program is also needed to complete the forensic work. This method has the disadvantages of high operational difficulty and a long forensics period. In order to reduce the difficulty of forensics and improve the efficiency of analysis, a Trojan forensic method based on "key function" breakpoint setting is proposed. This method establishes an association between malicious functions and main functions. It starts with the core system functions and determines the main functions of the malicious program by setting breakpoints and obtaining parameter values. This method avoids the reading of assembly code, simplifying the analysis and shortening the forensics cycle.
Author: 徐国天 XU Guo-tian (Computer Crime Investigation Department, Criminal Investigation Police University of China, Shenyang, Liaoning 110035)

Source: 《中国刑警学院学报》 (Journal of Criminal Investigation Police University of China), 2018, No. 5, pp. 119-123 (5 pages)

Funding: Public Security Theory and Soft Science Research Program project (No. 2016LLYJXJXY013); Ministry of Public Security Technology Research Program project (No. 2016JSYJB06); Natural Science Foundation of Liaoning Province project (No. 20180550841); Liaoning Province Economic and Social Development Research project (No. 2018LSLKTZD-028)

Keywords: key function; breakpoint setting; Trojans; reverse analysis