Abstract
Locating the key modules of malicious software is a crucial step in reverse engineering. However, most existing research focuses on deciding whether a program is malicious; little work locates the critical malicious modules themselves, and automated localization remains both difficult and hard to explain. To address this, this paper proposes Pimflo, a process-explanation-based method for locating malicious functions that identifies and locates malicious activity starting from concrete memory information. Pimflo runs the target binary in a dynamic sandbox and performs memory forensics on it, identifies suspicious behavior with signature-based detection, and traces the associated process calls and stack information. By disassembling the target program to generate a control flow graph (CFG), it reconstructs the call chain of the suspicious behavior and traces it back to the malicious source function. Pimflo is evaluated on 100 samples from VIRUSSHARE; the experiments show that it locates malicious functions with an accuracy of 90.28%, and that its interpretability and logical traceability surpass those of existing statistics-based non-scalar frameworks, offering a more reliable approach to malicious software localization.
Authors
FAN Xiao-Yu (范晓宇); WANG Jun-Feng (王俊峰)
National Key Laboratory of Fundamental Science on Synthetic Vision, Sichuan University, Chengdu 610065, China
Source
Journal of Sichuan University (Natural Science Edition) (《四川大学学报(自然科学版)》), 2024, No. 5, pp. 60-68 (9 pages)
Indexed in: CAS, CSCD, Peking University Core Journals (北大核心)
Funding
National Key R&D Program of China (2019QY1400)
National Natural Science Foundation of China (U2133208)
Key R&D Project of the Science and Technology Department of Sichuan Province (2023YFG0290)
Sichuan University - Luzhou Municipal People's Government Strategic Cooperation Project (2022CDLZ-5)
Keywords
Binary analysis
Malicious function localization
Memory forensics
Stack tracing
Process interpretability