Processing method and device for portable execute (PE) files

This processing method and processing device fall within electrical digital data processing and special data processing applications. They address the problem that, because PE files contain many public library functions, a PE file cannot be distinguished as a malicious program or a virus file, and the resulting inconvenience in classifying and clustering PE files. The effect is to eliminate this adverse influence, improve the effect and accuracy of classification and clustering, and simplify the classification process.

Active Publication Date: 2013-03-20
TENCENT TECH (SHENZHEN) CO LTD

AI Technical Summary

Problems solved by technology

Since PE files contain a large number of library functions, and library functions are public functions, it is impossible to distinguish whether a PE file is a malicious program or a virus file. Therefore, the presence of library functions in PE files brings great inconvenience to the classification and clustering of PE files.



Examples


Embodiment 1

[0021] This embodiment provides a processing method for PE files. As shown in figure 1, the method includes:

[0022] Step 101, disassemble the PE file to obtain the function node of the PE file, and the function node divides the PE file into several function segments.

[0023] In this embodiment, the disassembly of the PE file is generally divided into two parts: disassembling the branch calls, and disassembling the contents of the import table and the export table. As an embodiment of the present invention, the algorithm used for the disassembly can be a recursive algorithm.

[0024] The specific process of disassembling the branch calls is:

[0025] Starting from the function entry of the PE file, judge whether the current instruction is a call instruction or a jump instruction;

[0026] If it is a call instruction or a jump instruction, then perform a corresponding function call or jump according to the call instruction or jump instruction, if the function ...

Embodiment 2

[0040] This embodiment provides a PE file processing device. As shown in figure 2, the device includes a disassembly unit 2, a judging unit 3 and a stripping unit 4, wherein:

[0041] The disassembly unit 2 is used to disassemble the PE file to obtain a function node of the PE file, and the function node divides the PE file into several function segments;

[0042] The judging unit 3 is used to load the library function feature library and to judge in turn, according to the features in the library function feature library, whether each of the function segments is a library function;

[0043] The stripping unit 4 is configured to remove a function segment once it has been judged to be a library function.

[0044] Further, the PE file processing device of this embodiment also includes:

[0045] The copying unit 1 is used to copy the PE file to be analyzed to obtain a copy of the PE file;

[0046] The classification unit 5 is configured to classify and cluster ...


Abstract

An embodiment of the invention discloses a processing method and a device for portable execute (PE) files. It relates to the field of program detection, reduces the influence of library functions on PE file classification and clustering, and improves the accuracy of the classification and clustering. In the processing method, the PE file is disassembled to obtain its function nodes, and the function nodes divide the PE file into a plurality of function sections; a library function feature library is loaded, and whether each function section is a library function is judged in turn according to the features in the library function feature library; and if a function section is a library function, that function section is eliminated.
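The judge-and-strip step of the method, as an added example that is not part of the patent or of Tencent's code: each function segment is matched against a small, constructed feature library of prologue byte patterns (with wildcards for bytes that change between builds), library matches are removed, and the clustering feature is then computed over the remaining user code only. The feature entries, segment bytes and sample files are all hypothetical.

```python
import hashlib
from typing import Optional

# Constructed "library function feature library": name -> prologue byte pattern.
# "??" is a wildcard for bytes that vary between builds (relocated addresses,
# immediates), so one feature matches the same library function in any PE file.
FEATURE_LIBRARY: dict[str, str] = {
    "lib_init":   "55 8B EC 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5D C3",
    "lib_strlen": "55 8B EC 8B 45 08 33 C9 80 38 00 74 ?? 41 40 EB F8 5D C3",
}

def matches(segment: bytes, pattern: str) -> bool:
    """Prologue match: segment starts with the feature, wildcards excepted."""
    toks = [None if t == "??" else int(t, 16) for t in pattern.split()]
    if len(segment) < len(toks):          # a longer feature can never match
        return False
    return all(p is None or p == b for p, b in zip(toks, segment))

def identify_library(segment: bytes) -> Optional[str]:
    """Judge one function segment; return the matching library name or None."""
    for name, pattern in FEATURE_LIBRARY.items():
        if matches(segment, pattern):
            return name
    return None

def strip_library_functions(segments: list[bytes]) -> tuple[list[bytes], list[str]]:
    """Drop library segments; return (user-code segments, removed library names)."""
    kept, removed = [], []
    for seg in segments:
        name = identify_library(seg)
        if name is None:
            kept.append(seg)
        else:
            removed.append(name)
    return kept, removed

def cluster_key(segments: list[bytes]) -> str:
    """Clustering feature over user code only, so two PE files that differ
    merely in how their library code was linked fall into the same cluster."""
    kept, _ = strip_library_functions(segments)
    return hashlib.sha256(b"".join(kept)).hexdigest()

# Constructed function segments, as a disassembler would split them out.
LIB_INIT_A = bytes.fromhex("558BEC6800104000E8100000005DC3")  # one build
LIB_INIT_B = bytes.fromhex("558BEC6800204000E8400100005DC3")  # relocated build
USER_MAIN = bytes.fromhex("33C0C3")         # xor eax,eax; ret
USER_OTHER = bytes.fromhex("B801000000C3")  # mov eax,1; ret
SAMPLE_A = [LIB_INIT_A, USER_MAIN]   # same user code as B, different lib build
SAMPLE_B = [LIB_INIT_B, USER_MAIN]
SAMPLE_C = [LIB_INIT_A, USER_OTHER]  # different user code
```

Hashing the raw bytes of SAMPLE_A and SAMPLE_B would separate them because of the relocated library code; after stripping, they share one cluster key while SAMPLE_C does not.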

Description

Technical field

[0001] The invention relates to the field of program detection, in particular to a PE file processing method and device.

Background technique

[0002] PE (Portable Execute) files are program files on the Microsoft Windows operating system. Common PE files include the EXE, DLL, OCX, SYS, COM and other formats. In addition, PE files can also be indirectly executable files, such as files in DLL format.

[0003] In the process of finding malicious programs and virus files, PE files need to be classified and clustered, that is, PE files with the same malicious program characteristics are grouped together, and PE files without malicious program characteristics are grouped together. Since PE files contain a large number of library functions, and library functions are public functions, it is impossible to distinguish whether a PE file is a malicious program or a virus file. Therefore, the presence of library functions in PE files brings great difficulties to the classific...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F17/30
Inventor: 高小明
Owner: TENCENT TECH (SHENZHEN) CO LTD