General automatic unpacking engine and method

An engine and component technology in the field of general automatic unpacking engines. It addresses the shortcomings of existing approaches, namely the inability to accurately determine the type of the original binary program, the inability to unpack the original binary program, and heavy run-time overhead, and achieves fast simulated execution, low overhead, and improved detection capability.

CN101154259A (Inactive). Publication date: 2008-04-02. Applicant: UNIV OF ELECTRONICS SCI & TECH OF CHINA



Embodiment Construction

[0025] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings.

[0026] First, the general automatic unpacking engine is initialized and its components are loaded: the virtual execution component, the disassembly component, the unpacking monitoring component and the program reconstruction component. The target packed binary is started in debug mode, and the execution of each of its instructions is monitored and analyzed. The disassembly component obtains the assembly instructions of the target program's instruction stream, yielding code that is easy to analyze. Identifying the control-flow transfer instructions in that instruction stream provides the conditions for subsequent code slicing. The virtual execution unit slices the stream and generates the corresponding basic blocks accordi...



Abstract

The invention relates to a general automatic unpacking engine and method for packed computer binary programs. The system consists of a disassembly unit, a virtual execution unit, an unpacking monitoring unit and a program reconstruction unit. The method is as follows: the target program is started in debug mode; the disassembly unit acquires the target program's assembly instructions; the virtual execution unit slices them, generates the corresponding basic blocks and executes the instructions virtually; the unpacking monitoring unit detects the target program's memory write behaviour and records all written memory regions; the unpacking monitoring unit also watches for the target program's control flow jumping into a newly written memory region and on that basis judges that the unpacking process has ended; and the program reconstruction unit collects the data of all newly written memory regions and generates the original binary program using techniques such as memory dump and import table reconstruction. The invention is suited to fast, general unpacking of unknown packed programs and to assisting signature detection, without requiring signatures of the packer and with low run-time overhead.
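The procedure the abstract and paragraph [0026] describe (record every memory write, stop when a control-flow transfer lands inside a written region, then dump those regions) can be shown as a small monitor driven by an instruction trace. The following is an added example written for this page, not code from the patent or from UESTC: the Step record, the trace layout, the addresses, the excluded stack range and the byte values are all assumptions, and a real deployment would feed the monitor from a debugger or emulator rather than from a hand-built list.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Mnemonics treated as control-flow transfers; conditional branches are
# collapsed into "jcc" for this constructed trace.
CONTROL_FLOW = {"jmp", "call", "ret", "jcc"}


@dataclass
class Step:
    """One executed instruction, as the disassembly component would report it."""
    ip: int                                    # address of the executed instruction
    mnemonic: str
    write: Optional[Tuple[int, bytes]] = None  # (address, bytes stored) if it wrote memory
    target: Optional[int] = None               # taken control-flow target, if any


class UnpackMonitor:
    """Records written regions and stops when control flow enters one of them."""

    def __init__(self, base: int = 0x400000, mem_size: int = 0x10000,
                 ignore: Sequence[Tuple[int, int]] = ()) -> None:
        self.base = base
        self.mem = bytearray(mem_size)             # constructed process image (assumed layout)
        self.ignore = list(ignore)                 # ranges whose writes are not tracked (stack)
        self.regions: List[Tuple[int, int]] = []   # merged [start, end) written intervals
        self.oep: Optional[int] = None
        self.executed = 0

    def _add_region(self, start: int, end: int) -> None:
        merged = []
        for s, e in self.regions:
            if e < start or s > end:               # disjoint: keep as is
                merged.append((s, e))
            else:                                  # overlapping or adjacent: coalesce
                start, end = min(s, start), max(e, end)
        merged.append((start, end))
        self.regions = sorted(merged)

    def is_written(self, addr: int) -> bool:
        return any(s <= addr < e for s, e in self.regions)

    def step(self, st: Step) -> bool:
        """Feed one instruction; returns True once the original entry point is found."""
        self.executed += 1
        if st.write is not None:
            addr, data = st.write
            if not any(s <= addr < e for s, e in self.ignore):
                off = addr - self.base
                if off < 0 or off + len(data) > len(self.mem):
                    raise ValueError(f"write at {addr:#x} lies outside the tracked image")
                self.mem[off:off + len(data)] = data
                self._add_region(addr, addr + len(data))
        if st.mnemonic in CONTROL_FLOW and st.target is not None and self.is_written(st.target):
            self.oep = st.target                   # control flow entered freshly written code
            return True
        return False

    def run(self, trace: Iterable[Step], limit: int = 100_000) -> Optional[int]:
        """Run until the OEP is hit or the instruction budget is exhausted."""
        for st in trace:
            if self.executed >= limit:
                break
            if self.step(st):
                return self.oep
        return None

    def dump(self) -> Dict[int, bytes]:
        """Collect the bytes of every newly written region (the memory-dump step)."""
        return {s: bytes(self.mem[s - self.base:e - self.base]) for s, e in self.regions}


def constructed_trace() -> List[Step]:
    """A hand-built trace of a tiny decrypting stub (assumed, not a real packer)."""
    payload = bytes([0x55, 0x8B, 0xEC, 0xC3])       # bytes the stub writes out, one per loop pass
    steps = [Step(0x401000, "push", write=(0x7FFE0, b"\x00" * 4)),   # stack write, excluded
             Step(0x401001, "call", target=0x401010)]
    for i, b in enumerate(payload):
        steps += [Step(0x401010, "mov"),
                  Step(0x401012, "xor"),
                  Step(0x401014, "mov", write=(0x402000 + i, bytes([b]))),
                  Step(0x401017, "jcc", target=0x401010)]
    steps += [Step(0x401019, "ret", target=0x401006),
              Step(0x401006, "jmp", target=0x402000)]        # transfer into written memory
    return steps


if __name__ == "__main__":
    mon = UnpackMonitor(ignore=[(0x7F000, 0x80000)])
    oep = mon.run(constructed_trace())
    print(f"OEP: {oep:#x}, regions: {[(hex(s), hex(e)) for s, e in mon.regions]}")
    print({hex(a): d.hex() for a, d in mon.dump().items()})
```

One caveat the abstract does not spell out: the stub's own stack writes are memory writes too, so without an exclusion a plain ret would look like a jump into written memory; the ignore range above removes the constructed stack region for that reason. The instruction budget in run bounds the cost on a sample that never transfers control into its decrypted code, and the dumped regions are only the raw bytes, so the import table still has to be rebuilt before the result is a loadable program.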

Description

Technical field

[0001] The invention relates to a general automatic unpacking engine and method for packed binary programs. It is used for dynamic, fine-grained automatic analysis of known and unknown packed binary programs, and assists professional security personnel in analyzing and detecting signatures.

Background technique

[0002] Surveys show that more than 90% of the malicious programs currently circulating on the Internet use packing to resist detection by traditional signature scanning; these are produced by polymorphic or metamorphic packing. A packer compresses, encrypts and adds anti-tracing to the original binary program so that normal detection fails. Signature scanning is a form of misuse detection and therefore has a very high accuracy rate, but because it requires a large number of samples it has a relatively high false negative rate, because when different packers are used, a binary progr...

Claims


Application Information

Patent Timeline
02 Apr 2008
Publication
CN101154259A
IPC
G06F21/22; G06F21/52
Inventors
曹跃; 李毅超