PE (portable executable) file pack detection method based on static characteristics

A technology of static features and detection methods, applied in the fields of instruments, electrical digital data processing, platform integrity maintenance, etc., which can solve the problems of a single judgment index and low accuracy of detection rules, and achieves the effects of high accuracy, good packing detection ability and enriched file characteristics.

Active Publication Date: 2011-04-20
SICHUAN UNIV

AI Technical Summary

Problems solved by technology

[0004] The main problem faced by the above method is: because it is not known in advance whether the executable file to be detected has been packed, all executable files to be detected have to be processed by a general-purpo



Example Embodiment

[0034] When a universal unpacking tool is used in malware detection, because it is not known in advance whether the PE file to be detected is packed, every PE file to be detected has to be actually executed in an attempt to unpack it before it is detected by the anti-virus software. This introduces a large amount of computation and time consumption. To solve this problem, the present invention proposes to detect whether the target PE file is packed before it is actually executed to unpack it. Only PE files detected as packed are handed over to the general unpacking tool for unpacking; PE files detected as unpacked are handed directly to the anti-virus software for detection, without processing by the general unpacking tool.

[0035] Virus producers often rewrite the packer tool to produce new packer tools, so that traditional signature-based packer detection tools have the disadvantage of a high false negative rate. Aiming at this problem, th...


Abstract

The invention discloses a PE (portable executable) file pack detection method based on static characteristics. Before a target PE file is actually unpacked, static analysis of the characteristics of the PE file is used to detect whether the PE file is packed. Only a PE file detected as packed needs to be handed to a general unpacking tool for unpacking, and the unpacked code is then subjected to virus detection by anti-virus software. Compared with actually processing every PE file with the general unpacking tool, the PE file pack detection process based on static characteristics has the advantages of short time consumption, a low false positive rate and a low false negative rate, thus improving the virus detection process and saving processing time.

Description

Technical field

[0001] The invention relates to the technical field of file security, in particular to a novel and practical PE file packing detection method based on static features.

Background technique

[0002] As a result of the competition between viruses and anti-virus programs, code obfuscation techniques are commonly used by virus programs. Polymorphic technology, metamorphic (deformation) technology, packing and encryption technology have been proved to be effective against traditional signature-based anti-virus software. Among these technologies, packing is the most widely used. Packing generates a new program P' from a given program P, where the new program P' contains the encrypted program P together with a decryption routine. When P' executes, it first runs the decryption routine to recover the program P, and then executes the decrypted program P. If the program P contains malicious code, signature-based anti-virus software may detect it. However, ...
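An added illustration of the static-feature approach described above, not code from the patent (whose actual feature set is not given on this page): the section-entropy, entry-point-section and section-name heuristics, the 7.0-bit entropy threshold and the two-signal rule are assumptions chosen to show why combining several indices beats a single judgment index, and the minimal PE images are constructed test data.

```python
import math
import struct

KNOWN_NAMES = {".text", ".data", ".rdata", ".bss", ".rsrc", ".reloc", ".idata", ".edata", ".tls"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted payloads sit near 8."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in (data.count(b) for b in range(256)) if c)

def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, rva, vsize, raw_bytes), ...]) from a PE image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", pe, e_lfanew + 4)  # COFF header fields
    opt = e_lfanew + 24                                   # optional header follows the COFF header
    entry = struct.unpack_from("<I", pe, opt + 16)[0]     # AddressOfEntryPoint
    table = opt + opt_size                                # section table follows the optional header
    out = []
    for i in range(nsec):
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, pe[rptr:rptr + rsize]))
    return entry, out

def packing_indicators(pe: bytes) -> dict:
    """Combine several static features (assumed heuristics, not the patent's feature set)."""
    entry, secs = parse_sections(pe)
    ep = next((s for s in secs if s[1] <= entry < s[1] + max(s[2], len(s[3]))), None)
    ind = {
        "entry_outside_text": ep is not None and ep[0] != ".text",
        "entry_in_high_entropy": ep is not None and entropy(ep[3]) > 7.0,
        "high_entropy_sections": [s[0] for s in secs if entropy(s[3]) > 7.0],
        "unusual_names": [s[0] for s in secs if s[0] not in KNOWN_NAMES],
    }
    ind["suspect"] = sum(bool(v) for v in ind.values()) >= 2   # assumed rule: two independent signals
    return ind

def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 image for testing (not a real program)."""
    code = bytes([0x55, 0x8B, 0xEC, 0x90, 0xC3, 0x00] * 100)        # low-entropy stub-like code
    noise = bytes((i * 73 + 41) % 256 for i in range(2048))           # uniform bytes: stands in for a compressed payload
    secs = [(b".text", code), (b"UPX1", noise)] if packed else [(b".text", code), (b".data", b"msg\0" * 128)]
    entry_rva = 0x1000 * (2 if packed else 1)             # packed: entry point lands in the payload section
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    hdrs, raw = b"", 0x200
    for i, (name, data) in enumerate(secs):
        hdrs += struct.pack("<8sIIII", name, len(data), 0x1000 * (i + 1), len(data), raw) + bytes(16)
        raw += len(data)
    return (dos + coff + opt + hdrs).ljust(0x200, b"\0") + b"".join(d for _, d in secs)
```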

Claims


Application Information

IPC(8): G06F21/00, G06F21/56
Inventor 王俊峰刘达富黄敏桓佘春东
Owner SICHUAN UNIV