Abstract
In recent years, dynamic analysis of malicious code has made great progress and has become a major analysis and detection technique in the field of malware detection. However, malware authors employ various anti-analysis techniques, such as anti-virtual-machine and anti-debugger techniques, to counter dynamic analysis, so that dynamic analysis cannot accurately obtain the true behavior of the malicious code and may even judge a malicious sample to be a normal program. This paper designs and implements a behavior-information-based system for detecting anti-analysis techniques in malicious code. The system uses the dynamic binary instrumentation platform DynamoRIO to obtain the system calls and API calls produced while a sample runs, abstracts this information into coarser-grained behavior information, and compares it against an anti-analysis behavior library to reach a judgment. Experiments show that the system can effectively detect whether malicious code uses anti-analysis techniques.
Dynamic analysis has developed remarkably in recent years and has become a major analysis technique in the field of malware analysis. However, malware authors use anti-analysis techniques, such as anti-virtual-machine and anti-debugging techniques, to keep their malware from being analyzed. These techniques prevent dynamic analysis from obtaining accurate behavior information about the malware, which is sometimes even evaluated as a normal program. This paper designs and implements a system for detecting anti-analysis techniques in malware. The system obtains a sample's system call and API call information using DynamoRIO, a dynamic binary instrumentation platform. This information is then abstracted into coarse-grained behavior information. Finally, the coarse-grained information is compared with an anti-analysis behavior database to determine whether the sample adopts anti-analysis techniques. The experimental results show that the system can effectively detect whether a malware sample adopts anti-analysis techniques.
Authors
雷家怡
庞建民
梁光辉
师炜
周鑫
LEI Jiayi; PANG Jianmin; LIANG Guanghui; SHI Wei; HOU Xin (Information Engineering University, Zhengzhou 450001, China; State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China)
Source
《信息工程大学学报》
2018, No. 4, pp. 494-497 (4 pages)
Journal of Information Engineering University
Funding
Supported by the National Natural Science Foundation of China (614724472)