| 一种PE文件加壳检测规则 |
| |
| 引用本文: | 姜晓新,段海新. 一种PE文件加壳检测规则[J]. 计算机工程, 2010, 36(14): 135-137 |
| |
| 作者姓名: | 姜晓新 段海新 |
| |
| 作者单位: | 1. 清华大学计算机科学与技术系,北京,100084
2. 清华大学信息工程网络研究中心,北京,100084 |
| |
| 摘 要: | 在恶意代码自动分析系统中,对恶意样本进行文件格式检查,并判断其是否被加壳是对其进行自动分析的第一步。为了对加壳PE可执行文件实现更加准确的识别,提出一个基于文件头和部分文件内容的PE文件加壳检测规则(NFPS)。通过提取PE文件中5个方面的特征值,并按照NFPS规则进行计算,即可判定PE文件是否被加壳。经测试,其检测率高达95%以上,并支持多层壳的循环检测。
|
| 关 键 词: | 恶意代码 PE文件 加壳 |
Pack Detection Rule on PE Files |
| |
| JIANG Xiao-xin,DUAN Hai-xin. Pack Detection Rule on PE Files[J]. Computer Engineering, 2010, 36(14): 135-137 |
| |
| Authors: | JIANG Xiao-xin DUAN Hai-xin |
| |
| Affiliation: | (1. Department of Computer Science & Technology, Tsinghua University, Beijing 100084;2. Network Research Center, Tsinghua University, Beijing 100084) |
| |
| Abstract: | In the automatic malicious code analysis system, the first step is the file format analysis of malicious code and detect whether it is packed. For detecting the packed PE files more accurately, NFPS, which is a packed PE file detection rule based on the file header and many parts of content, is proposed. Through extracting five characteristics of PE files and calculating them based on NFPS rule, it can detect the packed PE files accurately. Through the test, the rate of detection accuracy of NFPS can reach more than 95%, and it can support loop detection of multilayer packed PE files. |
| |
| Keywords: | malicious code PE file pack |
| 本文献已被 维普 万方数据 等数据库收录! |
| 点击此处可从《计算机工程》浏览原始摘要信息 |
|
点击此处可从《计算机工程》下载全文 |
|
