| 二进制代码中函数混淆调用的识别 |
| |
| 引用本文: | 曾鸣,赵荣彩.二进制代码中函数混淆调用的识别[J].计算机工程与应用,2007,43(17):24-28. |
| |
| 作者姓名: | 曾鸣 赵荣彩 |
| |
| 作者单位: | 中国人民解放军信息工程大学,计算机科学与技术系,郑州,450002;中国人民解放军信息工程大学,计算机科学与技术系,郑州,450002 |
| |
| 基金项目: | 国家高技术研究发展计划(863计划) |
| |
| 摘 要: | 函数调用相关信息识别是二进制代码静态分析的基础,也是恶意代码分析的重要线索。二进制代码混淆技术通过对函数调用指令call、参数传递过程和调用返回过程的混淆来隐藏代码中函数的信息。这大大增加了程序逆向分析的难度,此技术被广泛应用在变形和多态病毒中,使其逃脱杀毒软件的查杀。论文给出了一种静态分析方法,引入了抽象栈图的概念,给出了其构造算法,利用它能够有效识别出代码中对函数调用的混淆。
|
| 关 键 词: | 代码混淆 恶意软件 静态分析 变形病毒 |
| 文章编号: | 1002-8331(2007)17-0024-05 |
| 修稿时间: | 2007-03 |
Identification of obfuscated function calls in binaries |
| |
| ZENG Ming,ZHAO Rong-cai.Identification of obfuscated function calls in binaries[J].Computer Engineering and Applications,2007,43(17):24-28. |
| |
| Authors: | ZENG Ming ZHAO Rong-cai |
| |
| Affiliation: | Department of Computer Science,the PLA Information and Engineering University,Zhengzhou 450002,China |
| |
| Abstract: | Identification of information about functions forms the base of static binary analysis and malicious code detection.A heuristic approach to detect metamorphic virus is to examine the calls a binary makes to the operating system.To avoid this,malicious code programmers hide the information about functions using a variety of obfuscations,including substitution of call with another equivalent instruction sequences,changing the normal form of parameters passing and returning process.These obfuscation methods introduce much difficulty for reverse code analysis.To deal with the problem,this article presents a static method which can detect obfuscated function calls in a binary efficiently. |
| |
| Keywords: | code obfuscation malicious code static analysis metamorphic viruse |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
| 点击此处可从《计算机工程与应用》浏览原始摘要信息 |
|
点击此处可从《计算机工程与应用》下载全文 |
