Multi-layer collaborative method for discovering API call behavior after obfuscation and judging its maliciousness

A method of discovering API call behavior and judging its maliciousness, applicable to platform integrity maintenance, program control design, instrumentation and similar areas. It addresses problems such as difficulty of implementation and difficult analysis work for malicious code analysts, and achieves strong pertinence and fine granularity.

Publication date: 2009-02-04 (inactive)
Applicant: THE PLA INFORMATION ENG UNIV
Cites: 0; Cited by: 63

Problems solved by technology

However, more and more malicious code writers use this technology to evade the detection of malicious code detection tools based on signature matching, which brings great difficulties to the analysis work of malicious code anal


Embodiment Construction

[0031] See Figure 1 to Figure 3. The multi-layer collaborative method for discovering API call behavior after obfuscation and judging its maliciousness is divided into three stages: binary code analysis stage A, API sequence generation stage B, and API sequence analysis stage C.

[0032] Binary Code Analysis Phase A:

[0033] The main work of this stage is the preprocessing of the target binary files; the modules involved are Module 101 and Module 102 in Figure 1.

[0034] The main work of module 101 is to unpack the input binary code, including decryption and decompression for commonly used encryption and compression algorithms. The main work of module 102 is to disassemble the decrypted and decompressed binary program and to construct the corresponding control flow graph (CFG). Since the system may be applied to an obfuscated executable program with malicious purposes, module 102 uses an anti-obfuscation disassembly process wit...


Abstract

The invention relates to a layered, collaborative detection and judgment method for detecting obfuscated API call behavior and judging the maliciousness of that behavior. The method has three steps. First, the binary code to be analyzed is disassembled to build the program's control flow graph (CFG); known unconventional instruction or data sequences that are capable of calling API functions, stored in database DB1, are used to recognize unconventional API function call behavior. Second, the API sequence called by the target program is generated; API functions are recognized and recovered for both direct and indirect calls. Finally, API sequence extraction and maliciousness judgment are performed: the sequence is extracted on the basis of the program's CFG, and the resulting sequence is normalized according to the format stored in the suspected API sequence database. The layered, collaborative detection and judgment method provided by the invention has the advantages of a wide recognition range, accurate recognition and high efficiency.
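As an added illustration (not code from the patent or its authors), the following toy Python models stages B and C described in the abstract and in the embodiment above: resolving direct and IAT-based indirect calls to API names, normalizing them to the database format, extracting one API sequence per CFG path, and matching the sequences against a suspected-sequence database. The IAT, CFG, and database are constructed sample data, and stage A (unpacking, disassembly, CFG construction and DB1-based recognition of unconventional call patterns) is assumed to have already produced the CFG.

```python
# Constructed import address table: IAT slot -> imported API (for "call [slot]").
IAT = {0x402000: "kernel32!CreateFileA", 0x402004: "kernel32!WriteFile",
       0x402008: "advapi32!RegSetValueExA"}
# Constructed stage-A CFG: block -> (instructions, successors); a call operand is
# a direct import name, an IAT slot (indirect call) or a local subroutine.
CFG = {
    "B0": ([("call", 0x402000), ("test", None)], ["B1", "B2"]),
    "B1": ([("call", "kernel32!WriteFile")], ["B3"]),
    "B2": ([("call", "sub_401200")], ["B3"]),
    "B3": ([("call", 0x402008), ("ret", None)], []),
}
# Constructed suspected-API-sequence database, already in normalized form.
SUSPECT_DB = {"drop-and-persist": ("CreateFile", "WriteFile", "RegSetValueEx")}

def resolve_call(operand):
    """Stage B: recover the API behind a direct call or an IAT-based indirect call."""
    if isinstance(operand, int):                     # call [iat_slot]
        return IAT.get(operand)
    return operand if isinstance(operand, str) and "!" in operand else None

def normalize(api):
    """Normalize to the DB format: drop module prefix and the ANSI/Unicode A/W suffix."""
    name = api.split("!")[-1]
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    return name

def extract_sequences(cfg, entry="B0"):
    """Stage C: DFS over the CFG, one normalized API sequence per entry-to-exit path."""
    seqs = []
    def walk(block, acc, seen):
        insns, succ = cfg[block]
        for mnem, op in insns:
            api = resolve_call(op) if mnem == "call" else None
            if api:
                acc = acc + (normalize(api),)
        if not succ:
            seqs.append(acc)
        for nxt in succ:
            if nxt not in seen:                      # do not re-enter loops
                walk(nxt, acc, seen | {nxt})
    walk(entry, (), {entry})
    return seqs

def is_subsequence(pattern, seq):
    it = iter(seq)                                   # in-order match, gaps allowed
    return all(any(x == p for x in it) for p in pattern)

def judge(cfg):
    """Map each extracted path sequence to the suspected patterns it matches."""
    return {s: [n for n, pat in SUSPECT_DB.items() if is_subsequence(pat, s)]
            for s in extract_sequences(cfg)}
```

Only the path through B1 reaches the full file-drop-plus-registry pattern; the path through B2 does not, which is why extraction is done per CFG path rather than over the flat import list.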

Description

(1) Technical field: [0001] The invention relates to a static analysis method for discovering the API function call behavior of an obfuscated target executable and judging its maliciousness, in particular to a multi-layer collaborative method for discovering API call behavior after obfuscation and judging its maliciousness.

(2) Background technology: [0002] Any program must achieve its purpose through behavior. No matter how ingeniously a malicious program is disguised, it always has some behaviors that differ from those of benign programs and are relatively special; we call these suspicious behaviors. Whether it is executable malicious code in binary format, a script virus or a macro virus, all of them are programs that must call various functions provided by the operating system in order to propagate themselves and damage the system, and such functions are often not used by benign programs. Therefore, calls to suspicious functions can be regarded as one of the suspicious b...


Application Information

IPC(8): G06F21/00, G06F9/45, G06F21/56
Inventors: 赵荣彩, 付文, 庞建民, 张靖博, 张一驰, 王成, 岳峰
Owner: THE PLA INFORMATION ENG UNIV