
Executable file processing method and device

An executable file processing method and device, applied in the Internet field, that addresses problems such as the ineffective classification of executable files.

Active Publication Date: 2013-01-02
三六零数字安全科技集团有限公司

AI Technical Summary

Problems solved by technology

[0013] The present invention provides an executable file processing method and device to solve the problem that the classification methods adopted in the prior art cannot effectively classify executable files.



Examples


Embodiment 1

[0072] An embodiment of the present invention provides an executable file processing method which, as shown in Figure 1, includes:

[0073] Step S101, based on the file offset of the entry point of the executable file, search for the entry point of the executable file;

[0074] Step S102, based on the preset number of analysis steps X, analyze the instructions after the entry point in turn, obtain the opcodes of the X instructions following the entry point of the executable file, and form an opcode group;

[0075] In this step, the preset number of analysis steps is X = 2^n, where n is a positive integer; preferably, n is 2 or 4, that is, the number of analysis steps X is 4 or 16.

[0076] In this step, the obtained opcode group consists of the first byte of the opcode of each of the X instructions.

[0077] In this step, when enough opcodes to satisfy the number of analysis steps X cannot be obtained, the remaining positions are left empty when forming the opcode group; or, the currently ...

Embodiment 2

[0100] This embodiment of the present invention provides an executable file processing method. Its implementation principle is the same as that of Embodiment 1, and it is a further detailed discussion of the technical solution described in Embodiment 1. This embodiment adopts the F16 (F4) technique and specifically involves the following:

[0101] Step 1, analyze the executable file structure and find the file offset of the entry point;

[0102] Step 2, use the disassembly engine to sequentially analyze the instructions at the entry point, and obtain from the disassembly engine the length of each instruction, the instruction opcode and the instruction type;

[0103] Step 3, create an instruction stream stack to assist in the analysis of the instruction stream;

[0104] Step 4, according to the instruction type, perform the following actions:

[0105] Step 41, judge whether the currently analyzed instruction is a transfer instruction; if not, execute step 42;

[0106] I...

Embodiment 3

[0133] An embodiment of the present invention provides an executable file processing device which, as shown in Figure 3, includes an entry point search module 310, an instruction analysis module 320 and a classification processing module 330;

[0134] The entry point search module 310 is configured to search for the entry point of the executable file based on the file offset of the entry point of the executable file;

[0135] The instruction analysis module 320 is configured to analyze the instructions after the entry point sequentially based on the preset number of analysis steps X, obtain the opcodes of the X instructions following the entry point of the executable file, and form the opcode group;

[0136] The classification processing module 330 is configured to use the opcode group as a classification condition to perform classification processing on each of the executable files. Wherein, the classification module 340 specifically classifies the executable files of the same opco...
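Steps S101 and S102 of Embodiment 1 together with the three modules of Embodiment 3 (entry point search, instruction analysis, classification by opcode group), worked through as an added Python example; this is not code from the patent or its owner. It assumes 32-bit PE input, a tiny hand-written x86 length decoder in place of the disassembly engine the patent relies on, and a constructed minimal PE builder for offline testing; `build_sample_pe`, `insn_len` and the function names are this example's own.

```python
import struct
from collections import defaultdict

# Assumption: a tiny x86 length decoder stands in for the patent's disassembly engine; it knows only a few prologue opcodes (None = unknown).
FIXED_LEN = {0x55: 1, 0x5D: 1, 0xC3: 1, 0x90: 1, 0xCC: 1, 0xE8: 5, 0xE9: 5, 0x68: 5, 0xEB: 2, 0x6A: 2}
MODRM_LEN = {0x8B: 2, 0x89: 2, 0x33: 2, 0x83: 3}  # register-direct ModRM only (+imm8 for 0x83)

def insn_len(code, pos):
    op = code[pos]
    if op in MODRM_LEN:
        return MODRM_LEN[op] if pos + 1 < len(code) and code[pos + 1] >> 6 == 3 else None
    return FIXED_LEN.get(op)

def entry_point_offset(pe):
    """Step S101: map AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", pe, e_lfanew + 4)
    ep_rva = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]  # optional header + 16
    sec = e_lfanew + 24 + opt_size                                  # first section header
    for i in range(nsec):
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, sec + 40 * i + 12)
        if va <= ep_rva < va + raw_size:
            return raw_ptr + (ep_rva - va)
    raise ValueError("entry point lies outside every section")

def opcode_group(code, start, x=4):
    """Step S102: first byte of each of the X opcodes after the entry point; slots
    that cannot be filled stay empty (None), as paragraph [0077] describes."""
    group, pos = [], start
    while len(group) < x and pos < len(code) and (n := insn_len(code, pos)):
        group.append(code[pos])
        pos += n
    return tuple(group + [None] * (x - len(group)))

def classify(files, x=4):
    # Classification step: files with identical opcode groups land in the same class.
    buckets = defaultdict(list)
    for name, data in files.items():
        buckets[opcode_group(data, entry_point_offset(data), x)].append(name)
    return dict(buckets)

def build_sample_pe(code, ep_rva=0x1000, raw_ptr=0x200):
    """Constructed minimal PE image (not a real binary) with one .text section."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    opt = bytearray(224); struct.pack_into("<I", opt, 16, ep_rva)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), ep_rva, len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = dos + coff + opt + sec
    return bytes(img + b"\0" * (raw_ptr - len(img)) + code)
```

With X = 16 the same functions yield the F16 group; samples shorter than X instructions are padded with empty slots rather than rejected.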


Abstract

The invention discloses an executable file processing method and an executable file processing device. The method comprises the following steps: searching for the file entry point based on the file offset of the executable file's entry point and establishing an instruction stream; sequentially analyzing each instruction after the entry point, taking a preset number X of analysis steps as the reference, and acquiring the operation codes (opcodes) of the X instructions after the executable file's entry point to obtain an opcode group; and classifying all the executable files using the opcode group as the classification condition. The device comprises an entry point searching module, an instruction analyzing module and a classification processing module. With the method and the device, the technique of classifying executable files by their internal features is highly resistant to interference, and the situation in which files cannot be classified is avoided. Furthermore, the classification technique has the advantages of high classification speed and good classification results, and a large number of executable files can be classified.

Description

Technical field

[0001] The invention relates to the technical field of the Internet, in particular to an executable file processing method and device.

Background technique

[0002] With the development of the Internet, the number of Internet users has increased greatly, and the Internet security situation has become more and more severe. One of the main threats to Internet security comes from the spread of Trojan horse viruses. Trojan horse viruses mainly use executable files as carriers, so the classification of massive numbers of executable files is very meaningful for the identification of Trojan horse viruses.

[0003] For a large number of executable files, virus analysts need an effective method to classify them. Analyzing one executable file can then represent files of the same type, so that the analysis of a large number of executable files can be completed.

[0004] Current methods of classifying executables include:

[0005] 1. Executable file external feature classification ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F9/30, G06F17/30, G06F21/00
Inventor: 周辉, 徐传宇, 李智鹏
Owner: 三六零数字安全科技集团有限公司