
Memory loading method based on PE file transformation

A memory loading and file-transformation technique in the field of network security, addressing the inability of existing detection mechanisms to deal with unknown memory loading methods and providing a basis for enhancing them.

Active Publication Date: 2021-04-09
SICHUAN UNIV
Cites 8, cited by 0

AI Technical Summary

Problems solved by technology

[0003] The purpose of this invention is to provide a memory loading method based on PE file transformation, in order to alleviate the problem that existing detection mechanisms cannot deal with unknown memory loading methods, and to provide a reference basis for enhancing existing malicious code detection mechanisms and machine learning models.


Embodiment

[0025] The invention proposes a memory loading method based on PE file transformation, which can load a target PE file into memory and bypass detection by some security products. As shown in figure 1, the process of transforming the host file is as follows: first, read the target file and the host file into memory and perform an initialization check on both, mainly to verify that both are PE files; then compress the target with the LZMA algorithm; then read the data of the PE loader, i.e. the Shellcode, into memory and fill the PARAM_PE_LOADER structure. The PARAM_PE_LOADER structure provides external parameters to the PE loader in the form of Shellcode. The parameters include ① the size of the compressed target program, ② the original size of the target program, ③ the total size of the PE loader, and other parameters; ① and ② guide the decompression of the target program, and the remaining parameters ensure normal operation of the PE loader; then ass...


Abstract

The invention discloses a memory loading method based on PE file transformation. The memory loading method comprises the steps: compressing a target PE file; developing a PE loader; splicing and encrypting the compressed target PE file and the PE loader, and encoding the encrypted data into a picture to be inserted into a host PE file as a resource; developing a code loader that extracts the bitmap resource, decrypts it and executes the PE loader, and inserting the code loader into the code segment of the host PE file; and hijacking the control flow near the OEP of the host PE file to obtain execution, then releasing and running the final host PE file. According to the method, the host PE file is transformed: the target PE file is compressed, spliced and encrypted together with the PE loader and then encoded into a picture resource inserted into the host PE file; the resource is later extracted, decrypted and executed by the code loader, and the ability to bypass detection mechanisms is improved through techniques such as entry point obscuring and anti-sandbox detection.
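An added defender-side example, not from the patent or its authors: the abstract says the encrypted loader and target are encoded into a picture resource of the host PE, and a cheap triage heuristic for that artefact is to read the section table, locate bitmap headers in .rsrc and flag any whose body has near-maximal byte entropy, since encrypted data does not look like flat pixel rows. The minimal PE32 sample is constructed inline; a production check would walk the resource directory tree rather than scan for "BM", and the 7.5-bit threshold is an assumption.

```python
import math, random, struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: flat pixel data scores low, encrypted or compressed data approaches 8.0."""
    n = len(data)
    counts = [data.count(b) for b in range(256)] if n else []
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) for each entry in the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if len(pe) >= 0x40 and pe[:2] == b"MZ" else -1
    if e_lfanew < 0 or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")          # the patent's own 'initialization check' fails here
    nsec, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)   # NumberOfSections, SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                   # section table follows the optional header
    for off in range(table, table + 40 * nsec, 40):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)   # SizeOfRawData, PointerToRawData
        yield pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size

def bitmap_blobs(rsrc: bytes):
    """Yield the body after each 14-byte BITMAPFILEHEADER ('BM' + bfSize) found in raw .rsrc bytes."""
    pos = rsrc.find(b"BM")
    while 0 <= pos <= len(rsrc) - 6:
        size = struct.unpack_from("<I", rsrc, pos + 2)[0]
        if 14 < size <= len(rsrc) - pos:          # plausible declared size: take the blob and skip past it
            yield rsrc[pos + 14:pos + size]
            pos = rsrc.find(b"BM", pos + size)
        else:                                     # stray 'BM' bytes, keep scanning
            pos = rsrc.find(b"BM", pos + 2)

def suspicious_bitmaps(pe: bytes, threshold: float = 7.5) -> list:
    """Entropies of .rsrc bitmaps whose body looks encrypted rather than image-like (>= threshold)."""
    rsrc = b"".join(pe[p:p + s] for n, p, s in pe_sections(pe) if n == ".rsrc")
    return [round(h, 2) for h in map(shannon_entropy, bitmap_blobs(rsrc)) if h >= threshold]

def build_sample_pe(rsrc: bytes) -> bytes:        # constructed minimal PE32 with one .rsrc section at 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                                 # PE32 optional header, 224 bytes
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".rsrc".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(rsrc), 0x1000, len(rsrc), 0x200, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(0x200, b"\0") + rsrc

def bitmap(pixels: bytes) -> bytes:               # BITMAPFILEHEADER only; enough for the scan above
    return b"BM" + struct.pack("<III", 14 + len(pixels), 0, 14) + pixels

rng = random.Random(1)                                                            # seeded: reproducible sample
ENCRYPTED_LIKE = bitmap(bytes(rng.getrandbits(8) for _ in range(4096)))          # stands in for the encrypted payload
IMAGE_LIKE = bitmap(bytes([0x10, 0x20, 0x30, 0x40] * 1024))                      # flat pixel rows, low entropy
SAMPLE_PE = build_sample_pe(b"\0" * 32 + IMAGE_LIKE + b"\0" * 16 + ENCRYPTED_LIKE)
```

Running `suspicious_bitmaps(SAMPLE_PE)` returns one entropy value near 8.0 for the random-filled bitmap and nothing for the flat one; on real binaries, compare against the same file's icon and bitmap resources to calibrate the threshold.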

Description

Technical field

[0001] The invention relates to the technical field of network security, specifically to a memory loading method based on PE file transformation.

Background technique

[0002] With the rapid development of computer and Internet technology, information has become an important resource in today's society. Even the most advanced systems can be compromised by malicious code, and the longer the malware persists in the target system, the more information it collects and the more damage it can cause to the target. Memory loading is one of the key techniques by which malware achieves concealment. Unlike traditional malware loading techniques, memory-loaded malware does not have to reside on the hard disk; it uses conditions or system components provided by legitimate, trusted processes to run itself and evade detection. Its stealthy nature presents a great challenge to malicious code analysts. Due to the volatile nature of memory, the traces...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56, G06F21/52
CPC: G06F21/566, G06F21/52, Y02D10/00
Inventor: 张磊, 王劭华, 刘亮
Owner: SICHUAN UNIV