Method and device for detecting malicious code contained in non-executable file

A technique for detecting malicious code in non-executable files

Active Publication Date: 2013-01-23
厦门市美亚柏科信息安全研究所有限公司

AI Technical Summary

Problems solved by technology

The traditional signature-based scanning and removal method can easily be bypassed by modifying the signatures.
The behavior-based detection method also fails when the vulnerability has been fixed, or when the system environment the vulnerability depends on is not present, so that the exploit cannot be triggered.




Embodiment Construction

[0039] Embodiment, referring to the accompanying drawings: a method of the present invention for detecting malicious code contained in a non-executable file, comprising the steps:

[0040] Open the file to be checked, and read and decode the payload data into memory;

[0041] Starting from the beginning of the data, check whether the data at the current position contains a valid CPU instruction code block. If a certain amount of data at the current position forms a valid CPU instruction code block, the file is considered to contain malicious code;

[0042] If the data at the current position does not contain a valid CPU instruction code block, move to the next data position and continue checking;

[0043] If no valid CPU instruction code block is found after checking all the data, the file is considered not to contain malicious code.

[0044] Figure 1 is a flow chart of the detection steps of the present invention;

[0045] First, read the file into memory and decode it; then, analyze whether there is a valid ins...
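The scanning loop of steps [0040]-[0043], as an added Python example that is not part of the patent: it slides over already-decoded payload bytes and reports the first offset where a run of decodable x86-32 instructions containing a control transfer begins. The instruction-length table is a small hand-written subset, and the threshold MIN_INSNS and the "must contain a call/jmp/ret/int" rule are assumptions of this example (plain ASCII text decodes as single-byte x86 instructions surprisingly often, so a production scanner needs a full decoder plus such heuristics).

```python
MODRM_OPS = {0x01, 0x03, 0x29, 0x2B, 0x31, 0x33, 0x39, 0x3B, 0x85, 0x89, 0x8B}
STRONG_TRANSFER = {0xC3, 0xCD, 0xE8, 0xE9}  # ret, int imm8, call rel32, jmp rel32
MIN_INSNS = 5  # assumed threshold for "a certain amount of data"

def modrm_len(data, i):
    # Size of ModR/M + SIB + displacement at data[i]; 0 if the data is truncated.
    if i >= len(data):
        return 0
    mod, rm = data[i] >> 6, data[i] & 7
    n = 1 + (1 if mod == 1 else 4 if mod == 2 or (mod == 0 and rm == 5) else 0)
    if mod != 3 and rm == 4:  # SIB follows; base=101 with mod=0 adds a disp32
        if i + 1 >= len(data):
            return 0
        n += 1 + (4 if mod == 0 and (data[i + 1] & 7) == 5 else 0)
    return n

def insn_len(data, i):
    # Length of the x86-32 instruction at data[i] in this small subset; 0 = invalid.
    op = data[i]
    if op == 0x90 or 0x40 <= op <= 0x5F or op in (0xC3, 0xCC):  # nop, inc/dec/push/pop, ret, int3
        return 1
    if op in MODRM_OPS:  # add/sub/xor/cmp/test/mov r/m,reg forms
        m = modrm_len(data, i + 1)
        return 1 + m if m else 0
    if 0xB0 <= op <= 0xB7 or 0x70 <= op <= 0x7F or op in (0x6A, 0xCD, 0xEB):  # imm8/rel8 forms
        return 2
    if 0xB8 <= op <= 0xBF or op in (0x68, 0xE8, 0xE9):  # imm32/rel32 forms
        return 5
    return 0

def valid_block_at(data, start):
    # "Valid CPU instruction code block": >= MIN_INSNS consecutive decodable
    # instructions that include a control transfer (keeps plain ASCII from matching).
    i, count, transfer = start, 0, False
    while i < len(data):
        n = insn_len(data, i)
        if n == 0 or i + n > len(data):
            break
        transfer |= data[i] in STRONG_TRANSFER
        count, i = count + 1, i + n
    return count >= MIN_INSNS and transfer

def scan(data):
    # Offset of the first valid block, or None (patent steps [0041]-[0043]).
    return next((p for p in range(len(data)) if valid_block_at(data, p)), None)

# Constructed samples: PDF-like text, and the same text with a harmless run of
# xor/inc/push/pop/mov/call/ret spliced in after the decoded payload.
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n\n"
CODE_BLOCK = bytes.fromhex("31c0 40 50 5b 89d8 e800000000 c3")
SUSPECT = BENIGN + CODE_BLOCK + b"trailer\n"
```

`scan(BENIGN)` returns None while `scan(SUSPECT)` returns the offset at which the spliced block starts; decoding the container (Flate, base64, etc.) before calling `scan` is step [0040] and is outside this block.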



Abstract

The invention discloses a method and device for detecting malicious code contained in a non-executable file. The method comprises the following steps: opening a file to be checked, and reading and decoding the effective content data into memory; checking the data from the very beginning, and determining that the file contains malicious code if a certain amount of data at the current position conforms to the form of an effective CPU (Central Processing Unit) instruction code block; if the data at that position does not conform to the form of an effective CPU instruction code block, moving to the next data position and checking again; and if no effective CPU instruction code block is found after checking all the data, determining that the file does not contain malicious code. The invention judges whether a non-executable file has been injected with malicious code by searching the non-executable file for an executable instruction code block. Compared with other detection methods, the detection method provided by the invention has a higher recognition rate, cannot easily be bypassed by anti-antivirus modifications, and can find malicious code bound into a non-executable file that uses unknown vulnerabilities or vulnerabilities which cannot be triggered, so it can act as an effective complement to existing detection methods.

Description

Technical field

[0001] The invention relates to a computer security detection method, in particular to a method for detecting malicious code contained in a non-executable file and a device therefor.

Background art

[0002] The development of Internet security technology has greatly reduced direct remote attacks, and the indirect attack, in which files containing malicious code are sent to trick the target into opening them, has become a main form of attack. Both network and computer security have become increasingly serious problems. Due to the development of existing technologies and improved awareness among network users, it is basically impossible to conduct indirect attacks directly with executable files containing malicious code. However, computers, systems and various application software contain unknown security vulnerabilities, such as unknown overflow vulnerabilities. These vulnerabilities often allow malicious code ...

Application Information

Patent Type & Authority Patents(China)
IPC(8): G06F21/60, G06F21/56
Inventors: 郭小春, 张永光, 吴鸿伟
Owner 厦门市美亚柏科信息安全研究所有限公司