TWI514188B - A system for detecting packed program and method thereof - Google Patents


Info

Publication number
TWI514188B
Authority
TW
Taiwan
Prior art keywords
file
packer
packed
module
language code
Prior art date
Application number
TW103142960A
Other languages
Chinese (zh)
Other versions
TW201621740A (en)
Inventor
Shi Jinn Horng
Ting Han Lin
Original Assignee
Univ Nat Taiwan Science Tech
Application filed by Univ Nat Taiwan Science Tech
Priority to TW103142960A
Application granted
Publication of TWI514188B
Publication of TW201621740A


Description

Packed program detection system and method thereof

The present invention relates to a program detection system and method, and more particularly to a system and method for detecting packed programs.

As information systems have developed rapidly, the number of malware attacks has grown with them. Anti-virus vendors therefore have to update their engines' signatures constantly so that anti-virus software can recognise malicious programs.

A common trend in recent years is for attackers writing malware to use a technique that confuses anti-virus detection, namely "packing". In software engineering, packing is a widely used compression and encryption technique for software. Software engineers normally use it to protect the software they develop and to reduce its file size, so that the software cannot be cracked or modified through reverse engineering.

However, this protection mechanism has been turned around by attackers to protect the malware they write and to disguise its malicious behaviour. Packing a malicious program therefore lets it evade anti-virus detection, which lowers the rate at which malware is recognised. Because the packing methods used by malware vary so widely, static analysis is necessary, but its weakness is that it cannot correctly determine the behaviour of the malicious program.

To solve the above problems of the prior art, the present invention provides a packed program detection system and method. The invention identifies whether a program file is packed by means of reverse engineering and dynamic analysis, complementing static analysis where the latter may misjudge.

First, the invention provides a packed program detection method for examining a file, comprising the following steps: disassembling the file and extracting the assembly code of the disassembled file; extracting from the assembly code a predetermined number of lines, counted from the program entry point, as the assembly code to be analysed; converting the analysed assembly code into a support vector machine feature code; and determining a packing attribute of the file from the support vector machine feature code, where the packing attribute classifies the file as either a packed file or an unpacked file.

The predetermined number of lines may be lines one through fifteen of the assembly code, counted from the program entry point.

The method may further comprise the following step: if the file is determined to be a packed file, analysing the packer category of the packed file. The packer category may include at least one of ASPack, AsProtect, EXE32Pack, FSG, PEBundle, PECompact, PEX, UPX, yoda and WWPack32.

The method may further comprise the following step: storing the file, together with its packing attribute, in a training set database.

The invention further provides a packed program detection system for examining a file, comprising a disassembly module, an extraction module, a conversion module and a decision module. The disassembly module disassembles the file and extracts the assembly code of the disassembled file. The extraction module, connected to the disassembly module, extracts from the assembly code a predetermined number of lines, counted from the program entry point, as the assembly code to be analysed. The conversion module, connected to the extraction module, converts the analysed assembly code into a support vector machine feature code. The decision module, connected to the conversion module, determines the packing attribute of the file from the support vector machine feature code, the packing attribute classifying the file as either a packed file or an unpacked file.

The predetermined number of lines may be lines one through fifteen of the assembly code, counted from the program entry point.

The system may further comprise a classification module connected to the decision module which, when the file is a packed file, analyses the packer category of the packed file. The packer category may include at least one of ASPack, AsProtect, EXE32Pack, FSG, PEBundle, PECompact, PEX, UPX, yoda and WWPack32.

The system may further comprise a training set database connected to the decision module for storing files together with their packing attribute.

Compared with the prior art, the proposed system and method exploit the distinctiveness of the extracted assembly instruction sequence. The invention uses dynamic analysis: after the file has been disassembled, the assembly code from line one to line fifteen, counted from the program's execution entry point, is taken as the training set feature, and the file under examination is processed in the same way. A support vector machine then analyses and classifies the result to identify packed files and to sort packed files by packer category. Once the packer of a packed file is known, the file can be unpacked with the corresponding tool and then scanned by anti-virus software to decide whether it is malicious, which addresses the prior-art problem of malware using packing to evade anti-virus detection. At the same time, by identifying packed program files through reverse engineering and dynamic analysis, the invention complements static analysis where that may misjudge.

The advantages and spirit of the present invention will be further understood from the following detailed description and the accompanying drawings.

1: packed program detection system
10: disassembly module
20: extraction module
30: conversion module
40: decision module
50: classification module
60: training set database

Figure 1 is a flow chart of an embodiment of the packed program detection method of the invention.

Figure 2 is a functional block diagram of an embodiment of the packed program detection system of the invention.

To make the objects, features and advantages of the invention more readily understood, specific embodiments of the packed program detection system and method are described in detail below with reference to the accompanying drawings.

Referring to Figure 1, a flow chart of an embodiment of the packed program detection method of the invention: in one embodiment the method examines a file and comprises the following steps.

Step one: disassemble the file and extract the assembly code of the disassembled file.

More specifically, in one embodiment an executable file is dynamically disassembled in OllyDbg and the assembly code of the disassembled file is captured. In practice the file may be a Portable Executable (PE) file such as an EXE or a DLL, though it is not limited to these.

Step two: extract from the assembly code a predetermined number of lines, counted from the entry point, as the assembly code to be analysed.

When a packed file runs it first performs its unpacking initialisation, so in one embodiment the extraction module captures the instructions of this initialisation phase as the identifying feature. More specifically, the length of the initialisation-phase unpacking code differs from packer to packer; a UPX-packed file, for example, has a comparatively short initialisation section. If the extraction module takes too many lines it picks up noise from beyond the initialisation section, which degrades recognition of the packed file. In this embodiment the extraction module therefore takes the fifteen lines of assembly code executed from the entry point onward as the feature code for subsequent analysis (the analysed assembly code). In a preferred embodiment the predetermined number of lines is fifteen, that is, lines one through fifteen of the assembly code counted from the entry point. The number is not limited to fifteen, however; in practice it may be any value between fifteen and twenty-five.

Step three: convert the analysed assembly code into a support vector machine feature code.

Step four: determine the packing attribute (property) of the file from the support vector machine feature code, the attribute classifying the file as either a packed file or an unpacked file.

More specifically, in one embodiment the support vector machine feature codes of a plurality of files are fed into a support vector machine (SVM) for training and serve as the training set features. The feature code of the file under examination is then fed into the trained SVM to decide whether the file has been packed. Training the SVM means feeding the files' feature codes into it to learn a hyperplane, and the learned hyperplane decides which class a file belongs to. To reduce errors at test time, the hyperplane of the invention not only separates the data correctly but also has the maximum margin between the two classes. In addition, because real data usually cannot be separated perfectly (the non-separable case), some of it will be misclassified however the hyperplane is placed. The invention therefore extends the formulation already derived for the separable case with a slack variable and solves it via the Lagrangian, so that subsequent classification gives more accurate results.
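The soft-margin formulation this paragraph refers to, written out as an added illustration: the patent names the ingredients (hyperplane, maximum margin, slack variable, Lagrangian) but prints no equations, so the symbols below are the standard ones and not the patent's. Let $(x_i, y_i)$, $i = 1, \dots, n$, be the SVM feature codes of the training files with labels $y_i = +1$ (packed) or $y_i = -1$ (unpacked); the hyperplane is $w \cdot x + b = 0$ and its margin is $2/\|w\|$.

$$\min_{w,\,b,\,\xi}\ \tfrac{1}{2}\|w\|^2 + C\sum_{i=1}^{n}\xi_i \quad\text{subject to}\quad y_i\,(w\cdot x_i + b) \ge 1 - \xi_i,\quad \xi_i \ge 0 .$$

Setting every $\xi_i = 0$ recovers the separable (hard-margin) case; the slack $\xi_i > 0$ lets file $i$ sit inside the margin or on the wrong side, at a cost weighted by $C$. The Lagrangian with multipliers $\alpha_i, \mu_i \ge 0$ is

$$\mathcal{L} = \tfrac{1}{2}\|w\|^2 + C\sum_i \xi_i - \sum_i \alpha_i\big[y_i\,(w\cdot x_i + b) - 1 + \xi_i\big] - \sum_i \mu_i\,\xi_i ,$$

and stationarity in $w$, $b$ and $\xi_i$ gives $w = \sum_i \alpha_i y_i x_i$, $\sum_i \alpha_i y_i = 0$ and $\alpha_i + \mu_i = C$, hence $0 \le \alpha_i \le C$. Substituting back yields the dual actually optimised:

$$\max_{\alpha}\ \sum_i \alpha_i - \tfrac{1}{2}\sum_{i,j} \alpha_i \alpha_j\, y_i y_j\, (x_i \cdot x_j) \quad\text{subject to}\quad 0 \le \alpha_i \le C,\quad \sum_i \alpha_i y_i = 0 .$$

A new file with feature code $x$ is then classified by $f(x) = \operatorname{sign}\big(\sum_i \alpha_i y_i\,(x_i \cdot x) + b\big)$; only the files with $\alpha_i > 0$ (the support vectors) contribute, and $C \to \infty$ forces all $\xi_i$ to zero, i.e. the hard-margin solution.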

Step five: if the file is determined to be a packed file, analyse the packer category of the packed file.

In one embodiment the packer categories include at least one of ASPack, AsProtect, EXE32Pack, FSG, PEBundle, PECompact, PEX, UPX, yoda and WWPack32. The packer categories are not limited to these; a packer may be any tool that can compress executable files. In practice, once the packer of a packed file is known, the file can be unpacked with the corresponding tool and then scanned by anti-virus software to decide whether it is malicious.

Step six: store the file, together with its packing attribute, in a training set database.

In one embodiment, if the file is a new kind of packed file, it passes through steps one to four to obtain a packing attribute, and the new packed file with its attribute is stored in the training set database to update the SVM's decision criteria. In another embodiment, if the file is of unknown origin, it passes through steps one to three to obtain a support vector machine feature code; the result of feeding that feature code into the trained SVM is then compared against the training set database to reach a classification.
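The procedure of steps one to six, as an added example that is not the patent's or the inventors' code. Step one (disassembly in OllyDbg) is not reproduced: the listings below are constructed, stylised stand-ins for the first instructions after the entry point with the debugger's address and opcode-byte columns already stripped, loosely modelled on two packer stubs and on compiler start-up code, and are not captured from real binaries. The patent does not say how the fifteen assembly lines become a "feature code" or which solver fits the SVM, so both are assumptions here: the feature code is a 0/1 vector of mnemonic unigrams plus ordered bigrams over the window (the bigrams keep the instruction order the patent relies on), and the soft-margin linear SVM is fitted by primal subgradient descent rather than the Lagrangian dual. `PackerDetector`, `run_demo` and the sample names are the example's own.

```python
"""Added example (not the patent's code): entry-point instruction window -> SVM feature code
-> packed/unpacked decision -> packer family, following the patent's steps one to six.
Assumed: listings are the first instructions after the entry point, address/opcode columns
stripped; features are mnemonic unigrams + ordered bigrams; linear soft-margin SVM by
primal subgradient descent. All sample listings are constructed and stylised."""

WINDOW = 15  # the patent's preferred window: lines 1..15 from the entry point

def mnemonics(listing, window=WINDOW):
    """Mnemonic (first token, upper-cased) of each of the first `window` instructions."""
    return [ins.split()[0].upper() for ins in listing[:window]]

def tokens(mnems):
    """Unigrams plus ordered bigrams, so the feature code keeps the instruction order."""
    return set(mnems) | {a + ">" + b for a, b in zip(mnems, mnems[1:])}

def build_vocab(listings):
    """Feature index fixed by the training set; tokens unseen in training are dropped later."""
    return {t: i for i, t in enumerate(sorted(set().union(*(tokens(mnemonics(l)) for l in listings))))}

def vectorize(listing, vocab):
    """The 'SVM feature code' of one file: a 0/1 vector over the vocabulary."""
    x = [0.0] * len(vocab)
    for t in tokens(mnemonics(listing)):
        if t in vocab:
            x[vocab[t]] = 1.0
    return x

dot = lambda a, b: sum(p * q for p, q in zip(a, b))

def train_linear_svm(X, y, lam=0.01, lr=0.05, epochs=500):
    """Soft-margin linear SVM: minimise lam/2*|w|^2 + mean(max(0, 1 - y_i*(w.x_i + b))) by full-batch
    subgradient descent. Only points inside the margin (nonzero slack) move the hyperplane; the lam
    term shrinks w, i.e. widens the margin 2/|w|. Returns (w, b)."""
    n, dim = len(X), len(X[0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [lam * wk for wk in w], 0.0
        for xi, yi in zip(X, y):
            if yi * (dot(w, xi) + b) < 1.0:  # margin violation: hinge loss is active
                for k in range(dim):
                    gw[k] -= yi * xi[k] / n
                gb -= yi / n
        w = [wk - lr * gk for wk, gk in zip(w, gw)]
        b -= lr * gb
    return w, b

class PackerDetector:
    """Steps three to five: one SVM for packed/unpacked, then one-vs-rest SVMs per packer family."""
    def __init__(self, listings, families):  # families: packer name per listing, None if unpacked
        self.vocab = build_vocab(listings)
        X = [vectorize(l, self.vocab) for l in listings]
        self.packed_model = train_linear_svm(X, [1 if f else -1 for f in families])
        packed = [(x, f) for x, f in zip(X, families) if f]
        self.family_models = {name: train_linear_svm([x for x, _ in packed], [1 if f == name else -1 for _, f in packed])
                              for name in sorted({f for _, f in packed})}

    def is_packed(self, listing):
        w, b = self.packed_model
        return dot(w, vectorize(listing, self.vocab)) + b > 0

    def packer_family(self, listing):  # only meaningful once is_packed() is True
        x = vectorize(listing, self.vocab)
        return max(self.family_models, key=lambda name: dot(self.family_models[name][0], x) + self.family_models[name][1])

# Constructed, stylised listings (NOT captured from real binaries): two packer-like stubs and
# compiler-like start-up code, one instruction per element.
UPX_A = ["PUSHAD", "MOV ESI,00447000", "LEA EDI,[ESI+FFFBA000]", "PUSH EDI", "OR EBP,-1", "JMP SHORT 0045B7B2",
         "NOP", "NOP", "MOV AL,[ESI]", "INC ESI", "MOV [EDI],AL", "INC EDI", "ADD EBX,EBX", "JNZ SHORT 0045B7CB", "MOV EBX,[ESI]"]
UPX_B = ["PUSHAD", "MOV ESI,0052A000", "LEA EDI,[ESI+FFF86000]", "PUSH EDI", "JMP SHORT 0053E412", "NOP", "NOP",
         "NOP", "NOP", "MOV AL,[ESI]", "INC ESI", "MOV [EDI],AL", "INC EDI", "ADD EBX,EBX", "JNZ SHORT 0053E42B"]
ASP_A = ["PUSHAD", "CALL 0045C00A", "JMP 0045C011", "POP EBP", "INC EBP", "PUSH EBP", "RET", "MOV EBP,[ESP]",
         "SUB EBP,0045C00A", "MOV EAX,[EBP+0045C3A0]", "TEST EAX,EAX", "JNZ SHORT 0045C040", "MOV EAX,[EBP+0045C3A4]", "ADD EAX,EBP", "CALL EAX"]
ASP_B = ["PUSHAD", "CALL 00512008", "JMP 0051200F", "POP EBP", "INC EBP", "PUSH EBP", "RET", "MOV EBP,[ESP]",
         "SUB EBP,00512008", "LEA EAX,[EBP+005123A0]", "TEST EAX,EAX", "JE SHORT 00512044", "MOV EAX,[EBP+005123A4]", "ADD EAX,EBP", "CALL EAX"]
CRT_A = ["PUSH EBP", "MOV EBP,ESP", "PUSH -1", "PUSH 004020F0", "PUSH 00401A20", "MOV EAX,FS:[0]", "PUSH EAX",
         "MOV FS:[0],ESP", "SUB ESP,10", "PUSH EBX", "PUSH ESI", "PUSH EDI", "MOV [EBP-18],ESP", "CALL 00401500", "XOR EDX,EDX"]
CRT_B = ["SUB ESP,1C", "MOV [ESP],1", "CALL 00401F20", "CALL 00401120", "LEA ESI,[ESI]", "PUSH EBP", "MOV EBP,ESP",
         "PUSH EDI", "PUSH ESI", "PUSH EBX", "SUB ESP,1C", "MOV EAX,[EBP+8]", "MOV [ESP],EAX", "CALL 004012A0", "TEST EAX,EAX"]
TRAIN, FAMILIES = [UPX_A, UPX_B, ASP_A, ASP_B, CRT_A, CRT_B], ["UPX", "UPX", "ASPack", "ASPack", None, None]

# Held-out listings for the unknown-origin path of step six (constructed as well).
UNKNOWN_UPX = ["PUSHAD", "MOV ESI,0061F000", "LEA EDI,[ESI+FFF91000]", "PUSH EDI", "OR EBP,-1", "JMP SHORT 0062C8A2",
               "NOP", "NOP", "NOP", "MOV AL,[ESI]", "INC ESI", "MOV [EDI],AL", "INC EDI", "ADD EBX,EBX", "JNZ SHORT 0062C8BB"]
UNKNOWN_CRT = ["PUSH EBP", "MOV EBP,ESP", "PUSH -1", "PUSH 00403110", "PUSH 00401B40", "MOV EAX,FS:[0]", "PUSH EAX",
               "MOV FS:[0],ESP", "SUB ESP,20", "PUSH EBX", "PUSH ESI", "PUSH EDI", "MOV [EBP-18],ESP", "CALL 00401620", "MOV [EBP-4],0"]

def run_demo():
    """{name: (is_packed, packer family or None)} for the held-out listings."""
    det = PackerDetector(TRAIN, FAMILIES)
    out = {}
    for name, listing in (("UNKNOWN_UPX", UNKNOWN_UPX), ("UNKNOWN_CRT", UNKNOWN_CRT)):
        packed = det.is_packed(listing)
        out[name] = (packed, det.packer_family(listing) if packed else None)
    return out
```

`run_demo()` reports the held-out UPX-like listing as packed and assigns it to the UPX family, and the held-out start-up code as unpacked. Two practical caveats follow from the window: only the first fifteen mnemonics are seen, so a packer whose stub begins with a jump into its unpacking code, with junk or polymorphic filler, or with a deliberately compiler-like prologue either pushes its distinctive instructions past the window or mimics the unpacked class; that is the length-versus-noise trade-off behind the patent's fifteen-to-twenty-five-line range, and the `window` parameter is where to tune it. Step six's retraining is simply rebuilding `PackerDetector` with the enlarged training set, which also refreshes the vocabulary so that mnemonics first seen in the new packer become features.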

Referring to Figure 2, a functional block diagram of an embodiment of the packed program detection system of the invention: in one embodiment the packed program detection system 1 examines a file and comprises a disassembly module 10, an extraction module 20, a conversion module 30, a decision module 40, a classification module 50 and a training set database 60. The disassembly module 10, extraction module 20, conversion module 30, decision module 40, classification module 50 and training set database 60 may be stored in a storage device and executed by a central processing unit coupled to that storage device.

In this embodiment the disassembly module 10 disassembles the file and extracts the assembly code of the disassembled file.

In this embodiment the extraction module 20, connected to the disassembly module 10, extracts from the assembly code a predetermined number of lines, counted from the entry point, as the assembly code to be analysed. In a preferred embodiment the predetermined number of lines is fifteen, that is, lines one through fifteen of the assembly code counted from the entry point. The number is not limited to fifteen, however; in practice it may be any value between fifteen and twenty-five.

In this embodiment the conversion module 30, connected to the extraction module 20, converts the analysed assembly code into a support vector machine (SVM) feature code.

In this embodiment the decision module 40, connected to the conversion module 30, determines the attribute of the file from the support vector machine feature code, the attribute being either packed or unpacked.

In this embodiment the classification module 50, connected to the decision module 40, analyses the packer category of the file when the file's attribute has been determined to be packed. The packer categories include at least one of ASPack, AsProtect, EXE32Pack, FSG, PEBundle, PECompact, PEX, UPX, yoda and WWPack32. The packer categories are not limited to these; in practice a packer may be any tool used to compress executable files. Once the packer of a packed file is known, the file can be unpacked with the corresponding tool and then scanned by anti-virus software to decide whether it is malicious.

In this embodiment the training set database 60, connected to the decision module 40, stores files together with their packing attribute. In one embodiment, if the file is a new kind of packed file, it likewise passes through the disassembly module, extraction module, conversion module and decision module to obtain a packing attribute, and the training set database then stores the new packed file with its attribute to update the SVM's decision criteria. In another embodiment, if the file is of unknown origin, it likewise passes through the disassembly module, extraction module and conversion module to obtain a support vector machine feature code; the decision module compares the result of feeding that feature code into the trained SVM against the training set database 60 to reach a classification.

Compared with the prior art, the proposed packed program detection system and method exploit the distinctiveness of the extracted assembly instruction sequence. The invention uses dynamic analysis: after the file has been disassembled, the assembly code from line one to line fifteen, counted from the program's execution entry point, is taken as the training set feature, and the file under examination is processed in the same way. A support vector machine then analyses and classifies the result to identify packed files and to sort packed files by packer category. Once the packer of a packed file is known, the file can be unpacked with the corresponding tool and then scanned by anti-virus software to decide whether it is malicious, which addresses the prior-art problem of malware using packing to evade anti-virus detection. At the same time, by identifying packed program files through reverse engineering and dynamic analysis, the invention complements static analysis where that may misjudge.

The detailed description of the preferred embodiments above is intended to make the features and spirit of the invention clearer, not to limit its scope to the embodiments disclosed. On the contrary, the intention is to cover all changes and equivalent arrangements within the scope of the claims. The scope of the claims should therefore be given the broadest interpretation, so that it encompasses all possible changes and equivalent arrangements.

Claims (10)

1. A packed program detection method for examining a file, comprising the steps of: disassembling the file and extracting the assembly code of the disassembled file; extracting from the assembly code a predetermined number of lines, counted from the program entry point, as the assembly code to be analysed; converting the analysed assembly code into a support vector machine feature code; and determining a packing attribute of the file from the support vector machine feature code, wherein the packing attribute classifies the file as either a packed file or an unpacked file.

2. The packed program detection method of claim 1, further comprising the step of: if the file is determined to be the packed file, analysing a packer category of the packed file.

3. The packed program detection method of claim 2, wherein the packer category comprises at least one of ASPack, AsProtect, EXE32Pack, FSG, PEBundle, PECompact, PEX, UPX, yoda and WWPack32.

4. The packed program detection method of claim 2, further comprising the step of: storing the file having the packing attribute in a training set database.

5. The packed program detection method of claim 1, wherein the predetermined number of lines is lines one through fifteen of the assembly code counted from the program entry point.

6. A packed program detection system for examining a file, comprising: a disassembly module that disassembles the file and extracts the assembly code of the disassembled file; an extraction module, connected to the disassembly module, that extracts from the assembly code a predetermined number of lines, counted from the program entry point, as the assembly code to be analysed; a conversion module, connected to the extraction module, that converts the analysed assembly code into a support vector machine feature code; and a decision module, connected to the conversion module, that determines a packing attribute of the file from the support vector machine feature code, wherein the packing attribute classifies the file as either a packed file or an unpacked file.

7. The packed program detection system of claim 6, further comprising: a classification module, connected to the decision module, that analyses a packer category of the packed file when the file is the packed file.

8. The packed program detection system of claim 7, wherein the packer category comprises at least one of ASPack, AsProtect, EXE32Pack, FSG, PEBundle, PECompact, PEX, UPX, yoda and WWPack32.

9. The packed program detection system of claim 7, further comprising: a training set database, connected to the decision module, that stores the file having the packing attribute.

10. The packed program detection system of claim 6, wherein the predetermined number of lines is lines one through fifteen of the assembly code counted from the program entry point.
Application TW103142960A, priority and filing date 2014-12-10: A system for detecting packed program and method thereof (TWI514188B)


Publications (2)

TWI514188B (granted patent), published 2015-12-21
TW201621740A (application publication), published 2016-06-16


Citations (4)

* Cited by examiner, † Cited by third party

WO2013102119A1 * (priority 2011-12-30, published 2013-07-04), Perlego Systems, Inc.: Anti-virus protection for mobile devices
TW201329774A * (priority 2011-12-22, published 2013-07-16), Intel Corp: User controllable platform-level trigger to set policy for protecting platform from malware
TW201415281A * (priority 2012-06-07, published 2014-04-16), Proofpoint Inc: Dashboards for displaying threat insight information
TW201415280A * (priority 2012-08-31, published 2014-04-16), Cloud Cover Safety Inc: A method and service for securing a system networked to a cloud computing environment from malicious code attacks



Legal Events

MM4A: Annulment or lapse of patent due to non-payment of fees