| 基于angr的对抗恶意代码沙箱检测方法的研究 |
| |
| 引用本文: | 张君涛,王轶骏,薛质. 基于angr的对抗恶意代码沙箱检测方法的研究[J]. 计算机应用与软件, 2019, 36(2): 308-314 |
| |
| 作者姓名: | 张君涛 王轶骏 薛质 |
| |
| 作者单位: | 上海交通大学电子信息与电气工程学院 上海200240;上海交通大学电子信息与电气工程学院 上海200240;上海交通大学电子信息与电气工程学院 上海200240 |
| |
| 基金项目: | 国家重点研发计划项目“网络空间安全”重点专项 |
| |
| 摘 要: | 恶意代码在运行时会采取多种方法探测沙箱环境,从而避免自身恶意行为暴露。通过对常见沙箱检测方法的研究,在具有动态符号执行功能的开源二进制代码分析框架angr(Advance Next Generation Research into binary analysis)的基础上,使用Win32 API函数挂钩、VEX指令修补以及内存结构完善三种方法对抗沙箱检测机制。原型系统上的测试表明,该方法能够绕过常见的沙箱检测机制,同时显著优于现有的恶意代码动态分析工具。
|
| 关 键 词: | 恶意代码 对抗沙箱检测 angr 动态符号执行 |
ANGR-BASED DETECTION METHOD AGAINST MALICIOUS CODE SANDBOX |
| |
| Zhang Juntao,Wang Yijun,Xue Zhi. ANGR-BASED DETECTION METHOD AGAINST MALICIOUS CODE SANDBOX[J]. Computer Applications and Software, 2019, 36(2): 308-314 |
| |
| Authors: | Zhang Juntao Wang Yijun Xue Zhi |
| |
| Affiliation: | (School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240, China) |
| |
| Abstract: | Malicious code can detect sandbox environment in many ways when it runs, so as to avoid exposing its own malicious behavior. Based on the open source binary code analysis framework angr with dynamic symbol execution function, the sandbox detection mechanism was resisted by three methods: Win32 API function hook, VEX instruction repair and memory structure improvement through the research of the sandbox detection method. Experiments on the prototype system show that the proposed method can bypass the common sandbox detection mechanism and significantly outperform current dynamic analysis methods. |
| |
| Keywords: | Malicious code Against sandbox detection angr Dynamic symbol execution |
| 本文献已被 维普 万方数据 等数据库收录! |
