Abstract
By analyzing the behavior of different kinds of malicious code and discussing the classification model and implementation mechanism of sandboxes, this paper proposes a method for detecting malicious code behavior based on virtualization sandbox technology. The method comprehensively emulates x86 assembly instructions, Windows system features, memory layout and related aspects; it emulates the execution of input data streams suspected to be executable code, and malicious behavior is detected when the emulated code attempts to call sensitive system functions during execution. Test results show that the proposed method can effectively detect malicious code behavior and provide support for electronic data forensics.
Authors
童瀛 (TONG Ying), 牛博威 (NIU Bowei), 周宇 (ZHOU Yu), 张旗 (ZHANG Qi); Jiangsu Provincial Public Security Department, Nanjing 210000, China
Source
Journal of Xi’an University of Posts and Telecommunications (《西安邮电大学学报》), 2018, No. 5, pp. 101-110 (10 pages)
Keywords
sandbox technology; malicious code; behavior detection; forensic analysis