
PE (portable executable) file pack detection method based on static characteristics

A static-feature based detection technology, applied in the fields of instruments, electrical digital data processing, platform integrity maintenance, etc. It addresses the problems of a single judgment index and low accuracy of detection rules, and achieves high accuracy, good packing detection ability and the effect of enriching file characteristics.

Active Publication Date: 2011-04-20
SICHUAN UNIV
Cites 0 | Cited by 33

AI Technical Summary

Problems solved by technology

[0004] The main problem faced by the above method is that, because it is not known in advance whether the executable file to be detected has been packed, every executable file to be detected has to be processed by a general-purpose unpacking tool before being scanned by anti-virus software.
The main disadvantage of this method is that the judgment index is single, and the detection rules obtained by statistical methods may not have high accuracy.


Embodiment Construction

[0034] When a general-purpose unpacking tool is used in malware detection, it does not know in advance whether the PE file under test is packed, so every PE file has to be actually executed in an attempt to unpack it before it is handed to the anti-virus software. This makes the process computationally heavy and time-consuming. To address this problem, the present invention detects whether the target PE file is packed before it is actually executed for unpacking. Only PE files detected as packed are handed to the general unpacking tool; PE files detected as unpacked are passed directly to the anti-virus software without going through the general unpacking tool.

[0035] Virus authors often produce new packers by rewriting existing ones, so traditional signature-based packer detection tools suffer from a high false negative rate...


Abstract

The invention discloses a PE (portable executable) file pack detection method based on static characteristics. Before a target PE file is actually unpacked, static analysis of the PE file's characteristics is used to detect whether the file is packed. Only a PE file detected as packed is handed to a general unpacking tool, and the unpacked code is then scanned by anti-virus software. Compared with actually running every PE file through the general unpacking tool, the static-characteristics-based pack detection process is fast and has a low false positive rate and a low false negative rate, thus improving the virus detection process and saving processing time.

Description

Technical field

[0001] The invention relates to the technical field of file security, in particular to a novel and practical PE file packing detection method based on static features.

Background technique

[0002] As a result of the competition between viruses and anti-virus programs, code obfuscation techniques are commonly used by virus programs. Polymorphic, metamorphic, packing and encryption techniques have proved effective against traditional signature-based anti-virus software. Among these, packing is the most widely used. Packing takes a program P and generates a new program P' that contains the encrypted program P together with a decryption routine. When P' executes, it first runs the decryption routine to recover P, and then executes the decrypted P. If P contains malicious code, signature-based anti-virus software may detect it. However, ...


Application Information

IPC(8): G06F21/00, G06F21/56
Inventors: 王俊峰, 刘达富, 黄敏桓, 佘春东
Owner: SICHUAN UNIV