68 results about "Portable Executable" patented technology

An import address table (IAT) and dynamic linked libraries (DLLs) security mender process is configured to store nominal IAT table entries and in-process binary images, from either a priori data and/or from computed values. Particular IAT table entries and in-process binary images are fetched for comparison with expected values. These particular IAT table entries and/or in-process binary images are then overwritten with nominal values for the IAT table entries and in-process binary images. The IAT-DLL security mender runs in parallel with the operating system and has access to its IAT and inline code in system memory.

The invention discloses a program validity verification method and a system. The program validity verification method includes steps of acquiring running notices and read-write operation notices of executable documents of programs, calculating verification values of code segments of the executable documents of the programs according to the preset algorithm, comparing verification values of code segments in the PE (portable executable) header of the executable documents stored in the programs in advance with the calculated verification values of the code segments and storing the comparison results; and judging whether the comparison results of the verification values of the code segments of the current program or not during read-write operation of the program, is so, the current program is valid, or if not, the current program is invalid. The invention further provides a program validity verification system. According to the technical scheme, even when more programs of validity verification are required and document operation controls of running programs of users are required to be responded in real time, running speed of the operating system cannot be affected seriously and using experiences of the users are improved greatly.

An improved approach for classifying portable executable files as malicious (malware) or benign (whiteware) is disclosed. The invention classifies portable executable files as malware or whiteware after using Bayes Theorem to evaluate each observable feature of each file with respect to other observable features of the same portable executable file with reference to statistical information gathered from repositories of known whiteware and malware files.

A portable executable (PE) is invoked through a platform-independent interface by processing an export table in the PE to obtain the function names used in the PE. A resources table in the PE is processed to obtain a user interface used in the PE. A platform-independent user interface is generated based on the user interface used in the PE. At least one of the functions used in the PE is invoked through the platform-independent user interface.

The invention discloses a software protection method based on API (Application Program Interface) security attribute hiding and attack threat monitoring. The software protection method comprises the following steps: obtaining the original input information record chart of a file to be protected, extracting the execution control flow graph of the file, extracting an API calling point, extracting an API parameter passing code block, extracting an API returned value decryption point, dumping a DLL (Dynamic Link Library), calculating a new API entry address, constructing a springboard function block, inserting an exception instruction in the returned value decryption point, constructing a node, generating a node library, deploying a node network, constructing a node background, constructing a returned value decryption processing function, and reconstructing a PE (Portable Executable) file. From internal and external aspects, software is protected so as to analyze the function of API boundary information in a reverse analysis process from an angle of the reverse engineering of the attackers, the API security attribute which needs to be hidden and a detection node library are put in a program new node, and a new node entry is subjected to encryption processing to further prevent the attackers from carrying out reverse analysis on the protected PE file.

According to the invention, a first executable environment is provided. The first executable environment is for execution within an operating system environment of a host computer system. The first executable environment is not an emulator for emulating any of another processor and another operating system. A software application is provided for installation and execution within the operating system environment. The software application is for fixed installation and not for installation in a portable fashion for being ported from one host computer system to another. The software application is then installed within the first executable environment, the installed software application installed within a removable peripheral memory storage device for execution within the first executable environment.

The invention discloses a method and a system for realizing malicious code marking. The method comprises the following steps of: processing a PE (Portable Executable) file of a malicious code to obtain an information abstract signature, datum dimension and vein features of the malicious code; enabling the vein features belonging to the same malicious code family to generate a corresponding vein feature set according to the datum dimension and the information abstract signature; generating a first clustering cluster according to the vein feature set; merging the first clustering cluster to generate a second clustering cluster; and combining the information abstract signature and the malicious code family deep naming to perform deep marking on the second clustering cluster. The malicious code is subjected to datum dimension and deep marking; the information abstract signature and the malicious code family deep naming are used; the marking method of each malicious code family is specified; and the accuracy and the universality of the malicious code marking are improved.

The invention provides a method for making a bootable USB storage device of Windows XP operation system, which provides external bootup, can be disabled and removed after booting, and wherein the operation mode is command line. In one embodiment, the method comprises: analyzing the portable executable file in Windows XP and retrieving the image of boot disk in the PE file; analyzing the image of boot disk and retrieving the system files required by the booting process; and making the boot disk.

The invention discloses a malicious code sample extraction method and a system based on a document type bug. The method comprises the steps that a shellcode in a document is positioned; the positioned shellcode is extracted, and then converted into a PE (Portable Executable) file; the PE file is operated; whether the PE file releases a file is judged; if so, the released file serves as a malicious code sample to be extracted; if not, whether the PE file downloads a file is judged; if so, the downloaded file serves as a malicious code sample to be extracted; and if not, malicious code sample extraction on the document is abandoned. Compared with the traditional culture method, the method extracts more accurately, quickly and conveniently.

The present invention relates to Internet and communication technologies, and discloses a method and apparatus for clustering portable executable (PE) files. The method comprises: extracting PE file characteristics from a PE file; generating a PE file identifier for the PE file based on the PE file characteristics; and clustering the PE file base on the PE file identifier. The apparatus comprises an extraction module, a generation module, and a clustering module. In accordance with embodiments of the present invention, a PE file identifier is generated for the PE file based on PE file characteristics extracted from the PE file, and the PE files are clustered based on the PE file identifier. Thus, random PE files are clustered into ordered classes, and the number of PE files to be processed by the antivirus clients and servers are reduced, which reduces storage costs, improves matching efficiency and the ability to detect and combat PE virus variants.

The invention belongs to the field of the information security technology, and particularly relates to an identification method and system of a malicious sample type on the basis of characteristics. The method comprises the following steps: firstly, identifying the format of a sample to identity a PE (Portable Executable) sample, an OFFICE document sample or an EML (Equal Matrix Language) mail sample; then, extracting the homology characteristics of the sample, comparing the homology characteristics with a homology characteristic library, and if characteristics are matched, updating the MD5 (Message Digest 5) value of the sample to the homology characteristic library; and if the characteristics are not matched, after the characteristics of the sample and the MD5 value are subjected to whitelist filtering, adding the characteristics and the MD5 value of the sample into the homology characteristic library. The method prevents the samples from being isolated, and the samples have the homology. In addition, after the samples have the homology, the common attack event of the samples with the homologous attribute can be conveniently found. Meanwhile, homology characteristic analysis assists in detecting unknown malicious codes.

A Windows™ process loader is emulated for dynamic TLS data allocation during respective application runtime. A total required TLS data block size is initially calculated and corresponding data block duplicates are created preferably after initializing of the application. An event notification system such as a hooking system intercepts DLL loading and freeing activity as well as thread creation and exiting and provides event notifications for dynamic allocation of corresponding TLS data block duplicates.

The invention discloses a method for realizing Wine construction tool transplanting on an ARM (Advanced RISC Machines) processor, which comprises the following steps of: (1) modifying a configuration tool of Wine to replace a gcc (GNU Compiler Collection) compiler and library under an X86 platform by a cross compiler of arm-linux and a library file of arm-linux; (2) modifying a construction tool of Wine so that a windows target application program generates PE (Portable Executable) format mapping corresponding to the ARM processor; (3) modifying other codes which are relevant to a CPU (Central Processing Unit) in the Wine so that all the codes of Wine are adapted to the ARM processor; and (4) installing the modified Wine source code on the ARM processor. The method is used for realizing the transplanting of Wine and ensuring that the Wine can run on an OMS (Open Mobile System) intelligent mobile phone.

The invention is suitable for the field of the Internets and provides a method for accelerating the starting of an application program. The method comprises the following steps: receiving and analyzing the transplantable actuator file of the application program and the symbol file of the application program, and inserting identifiers capable of being used for recording the data code running information of the application program in the application program according to the symbol file; running the application program in which identifier information is inserted, and obtaining the data code running information that the identifiers record; changing the position information of data codes stored in the transplantable actuator file according to the recorded running information of the data codes. The memory position of the data codes is correspondingly changed through recording the running information of program codes, so that when the application program runs, the I/O skip times of a hard disk can be effectively reduced, and the efficiency of reading the data of the hard disk is improved. Therefore, the purpose of raising the starting speed of the application program is achieved.

The invention provides a Trojan horse decision system based on dynamic code sequence tracking analysis. The system comprises an interaction module, a decision module, a virtual analysis module, a malicious intention decision sub-module, an encrypting/decrypting module and a report generating and storing module. The interaction module is a carrier of the interaction between a user and a server; the decision module is used for deciding whether a program uploaded by the user is a portable executable (PE) program or not, and whether the program is analyzed or not; the virtual analysis module is used for statically and dynamically analyzing behavior operation of suspicious programs and deciding the malicious intentions and classifications of the programs; the malicious intention decision sub-module is used for completing the decision of the malicious intention of the programs to be detected; the encrypting/decrypting module is used for encrypting/decrypting the files and data transmitted between the virtual analysis module and a server system; the report generating and storing module is used for generating an analysis report and storing the analysis report data and analyzed suspicious program samples. The Trojan horse decision system provided by the invention realizes the efficient detection, and has an effect of recognizing new varied Trojan horses.

The invention provides a virus detection method, an apparatus, a device and a medium of a portable executable file. The method comprises the following steps: extracting static features of known viruses and normal programs by using a static feature extraction method to form a feature set, wherein, the static features include: PE file attribute features and instruction sequence features; The featureset is used as training set, and multiple groups of training data are randomly selected from the training set to train the detection model. The static feature extraction method is used to extract thestatic feature of the document to be checked. The static characteristics of the documents to be inspected are inputted into the detection model after training, and the detection results output by thedetection model after training are obtained. The invention solves the problem that the traditional virus detection has hysteresis, and realizes the technical effect that the new virus or the virus variant can be detected immediately.

A method and apparatus for extracting a windows executable file that can search for a pattern related to windows executable files among a large quantity of network packets using a hardware-based session tracking and pattern matching technology and that can extract all packets included in the corresponding session are provided. The method of extracting a windows executable file includes: collecting incoming packets having a payload according to a session of a reference packet having an MZ pattern; performing a portable executable (PE) pattern matching for the collected incoming packets; and forming a PE file based on at least one incoming packet satisfying the PE pattern matching.

The present invention discloses a device and method for detecting a packed PE (portable executable) file. In the device and method for detecting a packed PE file, information for detecting packing are extracted by analyzing the header of a target file, and a record containing characteristic values shown only in a packed PE file is created by using the extracted information. The packing of the target file is detected by calculating the similarity with a PE file which is not packed based on the created record and comparing it with a derived threshold value. Therefore, a packed PE file can be detected even if it is packed by a packing method which is not well-known.

The embodiment of the invention discloses a monitoring method, a device, an electronic device and a storage medium of an application program. The method comprises the following steps: determining a monitored target function address from an input address table IAT of a portable executable PE file corresponding to an application program running; and determining a target function address from an input address table IAT of the portable executable PE file; replacing the monitored target function address in the IAT with a predetermined free memory address belonging to the system module; calling a monitoring function through an idle memory address belonging to the system module; monitoring the application program based on the monitoring function; wherein the monitoring function is written in advance based on the monitoring task. By adopting the technical scheme, the purpose of avoiding detecting the IAT is realized, and the success rate of monitoring the application program is improved.