基于带权欧拉距离的PE文件壳检测技术

越来越多的恶意软件出现在网络上。恶意软件作者通过网络将软件中的恶意代码植入用户的电脑中,从而达到诸如获得用户名与密码的非法目的。为了阻止它们对用户电脑的侵害,软件分析人员必须分析恶意软件的工作原理。但是,如果这些恶意软件加壳,那么分析它们就会变得非常困难,因此必须对他们进行脱壳。脱壳的第一步即检测这些恶意软件是否加壳。本文通过对未加壳和已经加壳的软件PE头部进行分析与比较,提出了带权欧拉距离PE文件壳检测(PDWED)算法,其中包括构造一个含有10个元素的向量,并为每个向量中每个元素分配一个权重值,计算向量的带权欧拉距离。实验结果表明,PDWED能够比较快速而又准确地检测软件是否加壳。

Packed PE File Detection Based on Weighted Euclidean Distance Analysis

More and more malware is appearing on the Internet, the authors of the malware want to gain illegal purposes by inserting malicious code into the users’ computers, such as achieving the users’ names and passwords. In order to prevent computers from being attcked, software analyzers need to analyze the principle of the malware, however, if the malware is packed, it is very difficult to analyze. We must unpack the malware and the first step of unpacking is to detect whether the malware is packed or not. This paper proposes a packed PE file detection method based on a weighted Euclidean distance analysis (PDWED) algorithm by analyzing and comparing the differences between the unpacked and the packed software on the PE header, which includes constructing a vector of 10 elements,distributing weighted value for each element,and calculating the weighted Euclidean distance of the vector. The experimental results show that PDWED can detect whether the software is packed or not quickly and accurately.