Generalized opaque predicate detection method based on logical consistency determination
Cite this article: SHI Da-wei, ZHOU Ji-xuan, XU Liang-hua. Generalized opaque predicate detection method based on logical consistency determination[J]. Application Research of Computers, 2019, 36(6)
Authors: SHI Da-wei  ZHOU Ji-xuan  XU Liang-hua
Affiliation: Jiangnan Institute of Computing Technology, Wuxi, Jiangsu 214083 (all three authors)
Funding: National "863" Program project (2012AA7111043); National Natural Science Foundation of China project (91318301)
Abstract: Opaque predicates are a class of lightweight code obfuscation techniques that resist reverse analysis of a program by imposing one-way execution complexity. Generalized opaque predicates extend the constant-value property of narrow opaque predicates to a constant-logic property, and have already been applied in some malware to improve its resistance to detection and removal. To eliminate the influence of opaque predicates on the determination of program maliciousness, this paper proposes a generalized opaque predicate detection method based on logical consistency, taking the successor-dependency property of generalized opaque predicates as its basis and combining it with constant-logic determination. Static analysis extracts the predicate's precondition constraints, successor logic constraints and predicate decision expression; a search for intersecting basic blocks performs an initial filtering of candidate predicates; and constraint solving determines whether a candidate is a generalized opaque predicate. A prototype system was constructed and tested, and the results show that the method detects opaque predicates in malicious code accurately and efficiently.

Keywords: opaque predicate  constraint solving  execution logic  post-constraint
Received: 2017-12-26
Revised: 2018-10-22

Generalized opaque predicates detecting method based on logical consistency
SHI Da-wei,ZHOU Ji-xuan and XU Liang-hua. Generalized opaque predicates detecting method based on logical consistency[J]. Application Research of Computers, 2019, 36(6)
Authors:SHI Da-wei  ZHOU Ji-xuan  XU Liang-hua
Affiliation: Jiangnan Institute of Computing Technology
Abstract: An opaque predicate is a lightweight obfuscation method that holds partial observability and is used to impede reverse engineering. A generalized opaque predicate extends the property of a narrow opaque predicate by turning a fixed value into fixed logic, and it has been applied in malware. To eliminate the disturbance that opaque predicates introduce during malware identification, this paper proposes a generalized opaque predicate detection method based on logical consistency; the method relies on the dependency between a predicate and its constraints, combined with identification of logical consistency. The method extracts the predicate's domain preconditions, post-constraints on logic and the predicate expression, then filters candidates by searching for intersecting basic blocks, and finally identifies opaque predicates through constraint solving. We designed a prototype, and the evaluation indicates that the method identifies opaque predicates in malware accurately and effectively.
Keywords:opaque predicate  constraint solving  execution logic  post-constraint
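As an added illustration (not the paper's prototype or any code from the authors), the following Python sketch applies the abstract's two-stage test to a branch: is the predicate's value constant under its preconditions (narrow opaque), and if not, does the shared post-dominator observe the same logic from both successors (generalized opaque)? Bounded enumeration over a small integer domain stands in for the constraint solver the paper uses; the domain, sample predicates and branch bodies are all constructed here.

```python
from itertools import product

# Constructed bounded integer domain: a stand-in for the constraint solver.
DOMAIN = range(-8, 9)

def classify(precond, pred, then_body, else_body, post_view):
    """precond/pred: (x, y) -> bool; then_body/else_body: (x, y) -> state dict;
    post_view: state -> the value the shared post-dominator observes."""
    values = set()
    logic_consistent = True
    for inputs in product(DOMAIN, repeat=2):
        if not precond(inputs):
            continue                      # outside the predicate's domain
        values.add(pred(inputs))
        # Logical consistency: the post-dominator sees the same logic no
        # matter which successor ran, so the branch decides nothing.
        if post_view(then_body(inputs)) != post_view(else_body(inputs)):
            logic_consistent = False
    if len(values) == 1:
        return "narrow-opaque"            # constant value under precond
    if logic_consistent:
        return "generalized-opaque"       # varying value, constant logic
    return "real-branch"

# Constructed samples (not from the paper): (precond, pred, then, else).
SAMPLES = {
    # x*(x+1) is always even: value-constant, the classic narrow case
    "even_product": (lambda v: True,
                     lambda v: (v[0] * v[0] + v[0]) % 2 == 0,
                     lambda v: {"r": v[0] - v[1]},
                     lambda v: {"r": -(v[1] - v[0])}),
    # x > y varies, but both successors leave r = x - y
    "decoy_branch": (lambda v: v[0] != v[1],
                     lambda v: v[0] > v[1],
                     lambda v: {"r": v[0] - v[1]},
                     lambda v: {"r": -(v[1] - v[0])}),
    # x > y selects max(x, y): the successors really differ
    "select_max": (lambda v: v[0] != v[1],
                   lambda v: v[0] > v[1],
                   lambda v: {"r": v[0]},
                   lambda v: {"r": v[1]}),
}

def run_samples():
    """Map each sample name to its verdict."""
    return {name: classify(*parts, post_view=lambda s: s["r"])
            for name, parts in SAMPLES.items()}
```

A real detector would replace the enumeration with a solver query over the extracted constraints; the bounded domain here only makes the logic-consistency check visible on small inputs.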
This article is indexed in Wanfang Data and other databases.