Method for recognizing malicious codes in host software after infection by malware

A method for identifying malicious code injected into host software after infection. It addresses the difficulty that injected code cannot call the host's import-table functions directly, because it does not know the logical addresses of the import table in advance.

Inactive Publication Date: 2016-08-17
HENAN POLYTECHNIC UNIV

AI Technical Summary

Problems solved by technology

In terms of calling system functions, the original code has the relevant functions of the corresponding dynamic link libraries filled into the import table at compile time, so the functions in the import table can be called directly through a call instruction. The injected code, by contrast, cannot know in advance the logical addresses of the functions in the import table, so it cannot call those functions directly.


Embodiment Construction

[0026] According to the process introduced in figure 1, the specific implementation consists of 5 steps:

[0027] Step 1. Obtain the disassembled code of the host software by recursive descent disassembly. Recursive descent disassembles the software by following the control flow that the machine code in the binary would execute. During disassembly, some functions with a complete structure and the import table functions defined by the system can be identified.

[0028] Step 2. Determine breakpoints between code sequences based on references. From the jump instructions and call instructions in the disassembled code, determine where code references and data references occur and where they point; these locations can be used as breakpoints. Specifically, instructions whose operator is "jmp", "call" or "retn" necessarily transfer control flow, and the instruction following each of them is used as ...


Abstract

A method for recognizing malicious code in host software after infection by malware comprises the following steps. First, the disassembled code of the host software is acquired with a recursive descent disassembly method; the disassembled code corresponding to each machine instruction, the various reference information in the code, and the import table function information must all be acquired. Then, breakpoints between code sequences are determined according to the references, and the code sequence between two breakpoints forms a code block. Next, adjacent code blocks are merged according to their relationship. Then the longest code block sequence that does not use any import table function is sought, based on where import table functions are used. Finally, the starting block and ending block of the malicious code are determined from the call relationship between the malicious code and the host software code, and the required malicious code sequence is thereby obtained. The method can serve as a general method for recognizing malicious code in host software, and it provides the specific code location information needed for further restoration of the software.
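The five steps above (and the embodiment steps in [0026]-[0028]) are easiest to follow on a concrete listing. The following is an added example, not the patent's own implementation: it runs the block-splitting, fall-through merging, longest-run search and host/injected call-relation check over a small constructed x86 disassembly that stands in for recursive-descent output. The addresses, the two import-table slots, the injected stub and the listing format are all assumptions made for illustration.

```python
"""Added example (not the patent's own code): block splitting, merging and
longest-run-without-import-calls search over a constructed listing."""
import re
from dataclasses import dataclass

# Constructed sample (assumption, not a real binary): a host function whose
# entry at 0x401000 has been patched to jump to an injected stub at 0x402000;
# the stub locates the PEB, restores registers and jumps back into the host.
LISTING = """
401000: e9 fb 0f 00 00       jmp 0x402000
401005: 55                   push ebp
401006: 8b ec                mov ebp, esp
401008: ff 15 10 30 40 00    call dword ptr [0x403010]   ; IAT: GetModuleHandleA
40100e: 50                   push eax
40100f: ff 15 14 30 40 00    call dword ptr [0x403014]   ; IAT: GetProcAddress
401015: 8b e5                mov esp, ebp
401017: 5d                   pop ebp
401018: c3                   retn
402000: 60                   pushad
402001: e8 00 00 00 00       call 0x402006
402006: 5b                   pop ebx
402007: 81 eb 06 20 40 00    sub ebx, 0x402006
40200d: 64 a1 30 00 00 00    mov eax, dword ptr fs:[0x30]
402013: 8b 40 0c             mov eax, dword ptr [eax+0xc]
402016: 61                   popad
402017: e9 e9 ef ff ff       jmp 0x401005
"""
# Import-table slots the host was compiled with (assumed addresses).
IAT_SLOTS = {0x403010: "GetModuleHandleA", 0x403014: "GetProcAddress"}
TRANSFER = {"jmp", "call", "retn", "ret"}   # instructions that end a code sequence
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s+)+)(\w+)\s*(.*)$")
IMM_RE = re.compile(r"^0x([0-9a-f]+)$")
IAT_RE = re.compile(r"^dword ptr \[0x([0-9a-f]+)\]$")

@dataclass
class Insn:
    addr: int
    size: int      # byte count, taken from the listed encoding
    mnem: str
    ops: str

@dataclass
class Block:
    insns: list
    def start(self): return self.insns[0].addr
    def end(self): return self.insns[-1].addr + self.insns[-1].size
    def last(self): return self.insns[-1]

def parse_listing(text):
    """Step 1 stand-in: turn the listing into instructions sorted by address."""
    insns = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.split(";", 1)[0].rstrip())
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        addr, raw_bytes, mnem, ops = m.groups()
        insns.append(Insn(int(addr, 16), len(raw_bytes.split()), mnem, ops.strip()))
    return sorted(insns, key=lambda i: i.addr)

def direct_target(insn):
    """Address referenced by a jmp/call with an immediate operand, else None."""
    m = IMM_RE.match(insn.ops)
    return int(m.group(1), 16) if insn.mnem in ("jmp", "call") and m else None

def iat_call(insn):
    """Name of the import-table function a call goes through, else None."""
    m = IAT_RE.match(insn.ops)
    return IAT_SLOTS.get(int(m.group(1), 16)) if insn.mnem == "call" and m else None

def split_blocks(insns):
    """Step 2: a breakpoint after every jmp/call/retn and at every reference target."""
    starts = {insns[0].addr}
    for i in insns:
        if i.mnem in TRANSFER:
            starts.add(i.addr + i.size)
        if direct_target(i) is not None:
            starts.add(direct_target(i))
    blocks, cur = [], []
    for i in insns:
        if i.addr in starts and cur:
            blocks.append(Block(cur)); cur = []
        cur.append(i)
    return blocks + [Block(cur)]

def merge_fallthrough(blocks, insns):
    """Step 3: merge a block into its predecessor when the predecessor falls
    through (or calls) into it and nothing outside the pair references it."""
    refs = {}
    for i in insns:
        if direct_target(i) is not None:
            refs.setdefault(direct_target(i), set()).add(i.addr)
    merged = [blocks[0]]
    for b in blocks[1:]:
        prev = merged[-1]
        falls = prev.last().mnem not in ("jmp", "retn", "ret") and prev.end() == b.start()
        outside = refs.get(b.start(), set()) - {i.addr for i in prev.insns}
        if falls and not outside:
            prev.insns.extend(b.insns)
        else:
            merged.append(b)
    return merged

def longest_run_without_iat(blocks):
    """Step 4: longest address-contiguous run of blocks that never use the IAT."""
    best, cur = [], []
    for b in blocks:
        if any(iat_call(i) for i in b.insns):
            cur = []
        else:
            cur = cur + [b] if cur and cur[-1].end() == b.start() else [b]
        if sum(len(x.insns) for x in cur) > sum(len(x.insns) for x in best):
            best = cur
    return best

def analyze(listing=LISTING):
    """Step 5: fix the start/end of the suspect run from the host<->injected transfers."""
    insns = parse_listing(listing)
    blocks = merge_fallthrough(split_blocks(insns), insns)
    run = longest_run_without_iat(blocks)
    lo, hi = run[0].start(), run[-1].end()
    def inside(a): return lo <= a < hi
    xfers = [(i.addr, direct_target(i)) for i in insns if direct_target(i) is not None]
    return {"blocks": [(b.start(), b.end()) for b in blocks], "start": lo, "end": hi,
            "entries": [(s, t) for s, t in xfers if not inside(s) and inside(t)],
            "exits": [(s, t) for s, t in xfers if inside(s) and not inside(t)]}

if __name__ == "__main__":
    r = analyze()
    print(f"suspected injected code: {r['start']:#x}-{r['end']:#x}")
    for s, t in r["entries"]: print(f"  host -> injected at {s:#x} (target {t:#x})")
    for s, t in r["exits"]:   print(f"  injected -> host at {s:#x} (target {t:#x})")
```

On the constructed listing the host function merges into one block that uses the IAT, the patched entry jump stays a block of its own, and the injected stub is the only run without import-table calls. The entry transfer (0x401000 into 0x402000) and the exit transfer (0x402017 back to 0x401005) are exactly the location information restoration needs: the patched instruction and the address the host originally continued at. A real disassembler would supply instruction sizes and indirect references that this stand-in parser reads from the listed bytes.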

Description

Technical field

[0001] The invention belongs to methods for identifying computer malicious code, in particular a method for identifying malicious code injected into infected host software.

Background technique

[0002] On the Windows platform, much malware injects its code into normal files through infection techniques, and it will infect files in batches. For example, some WIN32 computer viruses traverse the files in the current directory or the system directory and inject malicious code into every PE file that meets the infection conditions; some malware infects key or commonly used system files, such as explorer.exe of the Windows system or commonly used .dll files, greatly increasing the chance that the malicious code is executed. Detecting all of these files and handling them correctly would be very expensive.

[0003] For most executable files in PE (Portable Executable) format on the Windows platform, the system...


Application Information

Patent Type & Authority Applications(China)
IPC(8): G06F21/56
CPC: G06F21/563
Inventors: 王岩, 赵宗渠, 智慧来, 刘本仓
Owner HENAN POLYTECHNIC UNIV