CN101388062A - Packed executable file identification method and system based on statistical method - Google Patents
Packed executable file identification method and system based on statistical method Download PDFInfo
- Publication number
- CN101388062A CN101388062A CN 200810224318 CN200810224318A CN101388062A CN 101388062 A CN101388062 A CN 101388062A CN 200810224318 CN200810224318 CN 200810224318 CN 200810224318 A CN200810224318 A CN 200810224318A CN 101388062 A CN101388062 A CN 101388062A
- Authority
- CN
- China
- Prior art keywords
- byte
- data
- shell
- module
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Complex Calculations (AREA)
Abstract
The invention discloses an identifying method of packer executable files based on statistical methods and a system thereof. The method comprises steps of 1) reading in a known non-packer executable program file, 2) counting frequency and total bytes of each number in the executable program file via forms of single byte and double byte, 3) solving the probability of single byte value and double byte value in the non-packer executable program file and solving conditional distribution of each adjacent single byte value, 4) reading in an unknown executable program file, calculating the probability of occurrence of single byte and double byte in the file and then comparing with data of the step 3) to solve the differences, 5) if the differences of single byte and double byte are smaller than the set threshold respectively, then confirming the executable file shelled. The method not only can identify packer programs of known shells, but has accurate identification capacity to large amount of packer programs with unknown shells of which feature codes are not mastered, and significantly increases analyzing efficiency.
Description
Technical field
The invention belongs to the data security field, belong to specifically in the malicious code analysis process, to a kind of method and system of discerning automatically of executable program of band shell.
Background technology
The full name that adds shell should be the compression of executable program resource.It is a kind of conventional means of protection executable file.Adding the program that shell crosses can directly move, but can not directly use the dis-assembling technology to check the dis-assembling code of program, wants to see the dis-assembling code, needs through just can after the shelling.
Add shell: be to utilize special algorithm in fact, the resource in EXE, the dll file is compressed.The effect of similar WINZIP, just the file after the compression remains an executable file, direct independent operating, move this cryptor after, decompress earlier, carry out real program after decompressing, decompression process is hidden fully, all finishes in internal memory.
Contraction principle: be to add the shell instrument in file header, to have added one section instruction, tell CPU, how could decompress oneself.Be exactly to add last coat for executable file in fact.Just this shell that the user carries out.This shell will be untied original program in internal memory when you carry out this program, carrying out with regard to giving real program after untiing.
Executable file is added shell mainly contains two purposes:
1, executable program is excessive sometimes, and it is added the size that shell can compress executable program.
2, some program uses encryption technology in order to prevent program by people's trace debug, prevents that algorithm routine is by others' static analysis.Can well reach this purpose after program added shell.
At the application of two kinds of various objectives of encryption technology, encryption technology also has been divided into two technique directions, compression shell and encrypt shell.The characteristics of compression shell reduce software volume size exactly, and encipherment protection is not its emphasis.Popular compression shell has UPX, ASPack, PECompact etc. at present.The emphasis of encrypting shell is that then defence program not by people's conversed analysis, is not its emphasis and reduce software volume size, and popular encryption shell has ASProtect, Armadilo at present.And with regard to practical application, a lot of shells are the comprehensive shells that combine the technology of compress technique and encryption.And the combination property of these shells can be higher.For adding this technology of shell, some application are arranged in the conventional software, not very extensive but use; And at a lot of malicious codes in order to hide the killing of looking into malicious software, all used the technology that adds shell.So for the analyst of malicious code, how high efficiency which suspicious malicious code of distinguishing has used encryption technology, which does not use, and is exactly technical issues that need to address.Because is different for the analytical approach of the suspicious malicious code that adds shell with the suspicious malicious code analysis method that does not add shell.Mainly depend on analyst's experience in the process of very long this differentiation of following period of time, rely on manual the differentiation, some shell side preface differentiating methods based on the condition code of shell have also appearred afterwards, but this method can only be discerned limited several known shell, can't effectively discern for a large amount of emerging unknown shells.And in the real work of anti-malicious code, the shell of a large amount of cryptor that the analyst runs into all is the unknown shell that comes out newly developed.
Summary of the invention
The present invention is directed to the practical problems of mentioning in the above background technology, proposed a kind ofly to add recognition methods of shell executable file and system based on statistical method.
Technical scheme of the present invention is summarized as follows:
A kind of based on statistical method add the recognition methods of shell executable file, its step comprises:
1) reads in the known executable program file that does not add shell;
2) be number of times and the total bytes that each numeral occurs in the statistical unit statistics executable program file with byte and double byte;
3) obtain byte and the double byte probability in not adding the shell executable program file, the condition of obtaining each adjacent byte numerical value distributes;
4) read in unknown executable program file, calculate the probability that byte and double byte occur in this document, compare, calculate difference value with data in the described step 3);
5) difference value of byte and double byte respectively less than the threshold values of appointment, determines that then this executable file adds shell.
The difference value of described step 4) byte:
Further, read in unknown executable program file after, can also discern one piece of data and whether add shell, concrete steps are as follows:
(1) will the recognition data section be unit, be divided into segment with the even bytes.
(2) calculate the probability of occurrence of each segment in not adding the executable program of shell.
(3) calculate the average probability that each segment data occurs.
(4) numerical value that draws in the step (3) is less than setting threshold values, determine this segment data be executable code add the shell part.
Described step (1) even bytes is 8 bytes.
A kind ofly add shell executable file recognition system based on statistical method, comprise executable file load-on module, data statistics module, data computation module, write base module, the knowledge base load-on module, add the shelf document identification module, wherein: described executable file load-on module is used for known executable program is read in, and gives data statistics module with the content of reading in; The number of times that described data statistics module statistics specified bytes occurs passes to data computation module; Data computation module calculates to pass to after the probability distribution of each statistics and writes base module; The described shelf document identification module that adds is added up data in the unknown executable program, with knowledge base load-on module loaded data relatively, discern an executable file and whether add shell.
Said system also comprises and adds shell data segment identification module, and whether certain segment data that is used for discerning an executable file is to add hull number according to part.
Compared with prior art, the invention has the beneficial effects as follows: the executable program that will add shell that can efficiently and accurately by technical scheme of the present invention distinguishes with the executable program that does not add shell.Compare with the method for resolving instruction with traditional manual identification, owing to use methods analyst efficient significantly to improve based on statistics; Compare with the recognition technology of traditional condition code based on specific shell, usable range of the present invention is wider, not only can identify the cryptor of known shell, and, very accurate recognition ability be arranged also for the cryptor of a large amount of unknown shells of not grasping condition code.
Description of drawings
Fig. 1 learns the subsystem structural map
Fig. 2 recognition subsystem structural map
Fig. 3 learns the subsystem processes process flow diagram
Fig. 4 adds shelf document identification module processing flow chart
Fig. 5 adds hull number according to the root module processing flow chart
Embodiment
Below in conjunction with the drawings and specific embodiments the present invention is described in further detail:
Based on statistical method add shell executable file recognition system, divide two subsystems: study subsystem, recognition subsystem.
One, study subsystem:
Study subsystem main function is that a large amount of executable programs that does not add shell is carried out statistical analysis, therefrom extract the executable program that do not add shell in statistical feature.For recognition subsystem provides a knowledge base.
As shown in Figure 1, the study subsystem mainly divides following module:
1, executable file load-on module.The function of mainly finishing is: will be read in the system one by one as the executable program of sample.And give " data statistics module " with the content of reading in and handle.
2, data statistics module, the function of mainly finishing is: the data that byte-by-byte scanning is provided by " executable file load-on module ", with byte and double byte is that (this is the statistical unit of choosing in unit, byte and double byte are proper, design conditions distribute after also helping, if select nybble for use then possible situation can be a lot, complexity can be very high), add up the number of times that occurs each byte and double byte in these data, and total byte number of scanning.Byte is that 2 system numerical tables show with a 8bit in computing machine, convert 16 systems to after, the span of this number be 0x00 to 0xff,
As: suppose that A B D D C A D is the one piece of data that we will add up, a byte represented in each character, represents to be respectively 0x22 0x23 0x34 0x34 0x2c 0x22 0x34 with 16 systems.Certainly real data are contents of a series of executable files, and what data volume can be big is many, just gives an example here.
Be earlier the unit statistics with the byte:
The number of times that A occurs: 2
The number of times that B occurs: 1
The number of times that C occurs: 1
The number of times that D occurs: 3
With the double byte is the unit statistics:
The number of times that AB occurs: 1
The number of times that BD occurs: 1
The number of times that DD occurs: 1
The number of times that DC occurs: 1
The number of times that CA occurs: 1
The number of times that AD occurs: 1
Scanned altogether total byte number is: 7
Give " data computation module " with these data transfer that come out, come further data to be calculated.
3, data computation module, the function of mainly finishing is: the data of adding up are further processed.Main processing mode has:
(1), calculate the probability that each byte occurs: represent with Bi, wherein the span of i be 0x00~0xff also with data instance above,
Byte A is the probability B that 0x22 occurs
0x22Be P (A)=2/7=0.28571428571428571428571428571429
Byte C is the probability B that 0x2c occurs
0x2cBe P (C)=1/7=0.14285714285714285714285714285714
(2), calculate the probability that each double byte occurs:
Represent that with CI wherein the span of I is 0x0000~0xFFFF
Also with above data instance
Double byte AB is the probability C that 0x2223 occurs
0x2223Promptly
P(AB)=1/6=0.16666666666666666666666666666667
(3), distribute according to the Bayesian formula design conditions:
Represent that with Di wherein the span of i is 0x0000~0xffff
Also with above data instance
P(B/A)=P(A?B)/P(A)=0.58333333333333333333333333333333
Be D
0x2322=P (0x23/0x22)=0.58333333333333333333333333333333
(4) finally can obtain following data:
Probability of occurrence Bi from all byte of 0x00~0xFF
Probability of occurrence CI from all double bytes of 0x0000~0xFFFF
Can also get the condition distribution probability Di of P (a/b), promptly first monocase is that the character of back is the probability that b occurs under the condition of a, and a, b represent variable, and wherein the span of a is 0x00~0xFF, and the span of b is 0x00~0xFF.
These data transfer that will obtain are at last given and are write base module.
4, write base module, be responsible for the data of calculating are written in the knowledge base.
Two, recognition subsystem:
The effect of recognition subsystem is the knowledge base that provides of utilizing the study subsystem, executable program to the unknown is discerned, identification comprising dual mode, first kind is, a complete executable file is discerned, judge that it is the executable program that has added shell, does not still add the executable program of shell; Second kind is that certain one piece of data in the executable program is discerned, judge that this segment data is the code segment part of executable file, still other data segments or add the shell executable file add hull number according to part, as shown in Figure 2, recognition subsystem comprises with lower module:
1, knowledge base load-on module with the data that " study subsystem " calculates, reads in from knowledge base.Wherein: Bi represents the probability that double byte that the byte probability of occurrence read, CI are represented to read occurs.Di represents that the condition of adjacent byte distributes.
2, add the shelf document identification module.Main function is whether the executable file of identification appointment adds shell.Main method is:
(1), calculate the probability that single byte and double byte data occur in this document, wherein Ai represents the probability that byte occurs; EI represents the probability that double byte occurs.
(2), with knowledge base in data compare, the computing formula of difference value S is:
The difference value of byte wherein:
The difference value of double byte wherein:
The value of S1 and S2 has a threshold values K1 and K2 respectively, threshold values is according to above formula, a large amount of executable file (comprise add shell and do not add shell) is calculated, according to adding the shell executable file and not adding the otherness of the S1 value that the executable file of shell calculates, determine a threshold values K1, make and to add S1 that the executable file of shell calculates all greater than this threshold values K1 with all, the S1 that calculates of the useful executable file that does not add shell all less than this threshold values K1, threshold values K2 is in like manner.
When S1<K1 and S2<K2, can determine that then this executable file adds shell therefore here.
3, add shell data segment identification module, major function is whether certain segment data in executable file of identification is to add hull number according to part.
Key step is as follows:
Suppose that the data segment that is identified is S.
(1), with data S, be divided into segment with every section 8 byte, be respectively Gi (being divided into the n section altogether, wherein the sequence number of the i section of expression), the data of afterbody is not enough Eight characters joint are lost and are disregarded.(selecting 8 bytes here for use, is to consider the complicated process of asking joint distribution, and selecting 4 bytes or 16 bytes certainly is unit, also can, but effect does not have the good of 8 bytes, 16 bytes are just too complicated, calculated amount is too big; And 4 bytes, whether calculating simple is that to add the effect of shell data segment bad but distinguish; And why do not select 7 bytes or 9 bytes, and consider that mainly computing machine is to align according to 2,4,8,16, not all right with byte and double byte.)
(2) calculate the probability that every segment 8 byte datas occur,
If the data of i segment 8 bytes are: w1, w2, w3, w4, w5, w6, w7, w8,
Then the probability of this segment appearance is:
P(Gi)=P(w1)P(w2|w1)P(w3|w1w2)……P(w8|w1w2…w7)
Utilize Ma Er Kraft hypothesis to be this simplified formula:
P (Gi)=P (w1) P (w2|w1) P (w3|w2) ... P (w8|w7); (formula three)
Wherein P (w2|w1), P (w3|w2) equivalence can obtain from Di.
Because as top giving an example:
D
0x2322=P(0x23/0x22)=0.58333333333333333333333333333333
And P (0x23/0x22)=D
0x23*0x100+0x22
So P (w2|W1)=D is arranged
W2*0x100+w1
P(w3|w2)=D
w3*0x100+w2
Therefore the P (Gi) above can get:
P(Gi)=B
w1D
w2*0x100+w1D
w3*0x100+w2……D
w8+0x100+w7
(3), the probability of occurrence that each segment is obtained is averaged:
Suppose always to be divided into the n segment
If this value P (G) is less than a certain threshold values K3, then this segment data is for adding the hull number certificate.As shown in Figure 3, study subsystem processes flow process is as follows:
(1), from specified folder, loads an executable program that does not add shell that is prepared for learning by " executable file load-on module ".And give " data statistics module " with file content and handle.The quantity of documents that loads is many more, and Shi Bie accuracy can be high more at last, is 2000 in present quantity of experimental phase.
(2), " data statistics module " number of times of occurring with the form of byte and double byte statistics 0x00~0xff and each numeral of 0x0000~0xffff respectively, and total bytes.
(3), judge whether global learning is finished for the not cryptor that is used for learning in the specified folder, and does not get back to step 1) if finish, continue to load other executable programs, and in step 2 for study) in each statistics is added up.If global learning is finished, continue step 4).
(4), obtain 0x00~0xff by " data computation module " according to each statistics, the probability distribution of 256 byte numerical value in not adding the shell executable program; Obtain 0x0000~0xffff, the probability distribution of 65535 double byte numerical value in not adding the shell executable program.And the condition of obtaining each adjacent byte numerical value on this basis distributes.
(5), the data that " data computation module " calculated by " writing base module " write in the knowledge base, use when the identification shell for recognition subsystem.
As shown in Figure 4, recognition subsystem treatment scheme:
(1), calls data load that " knowledge base load-on module " will be obtained by " study subsystem " in recognition subsystem.
(2), according to the concrete data that will discern, call different identification modules, whether add shell if will discern an executable file, then call " adding the shelf document identification module "; If " adding shell data segment identification module " then called in identification " whether one piece of data adds shell ".
(3), whether executable file of identification add the flow process of shell, in " adding the shelf document identification module ", finish, as shown in Figure 4.
A, will be identified file and read in internal memory.
B, add up the probability distribution that byte and double byte occur respectively.
C, use " formula one " and " formula two " to calculate the value of S1 and S2 respectively.
D, by with S1, S2 respectively with threshold values K1, K2 relatively, take all factors into consideration two comparative results, whether make at last is the conclusion of cryptor.
(4), whether the identification one piece of data adds the flow process of shell.In " adding shell data segment identification module ", finish, as shown in Figure 5.
A, will the recognition data section import identification module into.
B, will the recognition data section be unit, be divided into segment with 8 bytes.
C, utilize (formula three) to calculate the probability of occurrence P (Gi) of each segment in not adding the executable program of shell respectively.
The average probability P (D) that each segment data occurs is calculated in D, utilization (formula four).
E, with a P (D) and a fixing threshold values K3, if relatively less than K3, then can determine this segment data be executable code add the shell part.
Claims (6)
1, a kind of based on statistical method add the recognition methods of shell executable file, its step comprises:
1) reads in the known executable program file that does not add shell;
2) be number of times and the total bytes that each numeral occurs in the statistical unit statistics executable program file with byte and double byte;
3) obtain byte and the double byte probability in not adding the shell executable program file, the condition of obtaining each adjacent byte numerical value distributes;
4) read in unknown executable program file, calculate the probability that byte and double byte occur in this document, compare, calculate difference value with data in the described step 3);
5) difference value of byte and double byte respectively less than the threshold values of appointment, determines that then this executable file adds shell.
2, the method for claim 1 is characterized in that, read in unknown executable program file after, can also discern one piece of data and whether add shell, concrete steps are as follows:
(1) will the recognition data section be unit, be divided into segment with the even bytes;
(2) calculate the probability of occurrence of each segment in not adding the executable program of shell;
(3) calculate the average probability that each segment data occurs;
(4) numerical value that draws in the step (3) is less than setting threshold values, determine this segment data be executable code add the shell part.
3, the method for claim 1 is characterized in that, the difference value of described step 4) byte:
4, method as claimed in claim 2 is characterized in that, described step (1) even bytes is 8 bytes.
5, a kind ofly add shell executable file recognition system based on statistical method, it is characterized in that, comprise executable file load-on module, data statistics module, data computation module, write base module, the knowledge base load-on module, add the shelf document identification module, wherein: described executable file load-on module is used for known executable program is read in, and gives data statistics module with the content of reading in; The number of times that described data statistics module statistics specified bytes occurs passes to data computation module; Data computation module calculates to pass to after the probability distribution of each statistics and writes base module; The described shelf document identification module that adds is added up data in the unknown executable program, with knowledge base load-on module loaded data relatively, discern an executable file and whether add shell.
6, system as claimed in claim 5 is characterized in that, also comprises adding shell data segment identification module, and whether certain segment data that is used for discerning an executable file is to add hull number according to part.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200810224318 CN101388062B (en) | 2008-10-17 | 2008-10-17 | Packed executable file identification method and system based on statistical method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200810224318 CN101388062B (en) | 2008-10-17 | 2008-10-17 | Packed executable file identification method and system based on statistical method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101388062A true CN101388062A (en) | 2009-03-18 |
| CN101388062B CN101388062B (en) | 2010-06-16 |
Family
ID=40477478
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200810224318 Expired - Fee Related CN101388062B (en) | 2008-10-17 | 2008-10-17 | Packed executable file identification method and system based on statistical method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101388062B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102136050A (en) * | 2011-04-14 | 2011-07-27 | 北京思创银联科技股份有限公司 | System and method for improving computer financial management security |
| CN103761474A (en) * | 2014-01-24 | 2014-04-30 | 北京京东尚科信息技术有限公司 | Method and device for monitoring execution time of monitoring method |
| CN109784057A (en) * | 2019-01-04 | 2019-05-21 | 国家计算机网络与信息安全管理中心 | Recognition methods, controller and medium are reinforced in Android application |
-
2008
- 2008-10-17 CN CN 200810224318 patent/CN101388062B/en not_active Expired - Fee Related
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102136050A (en) * | 2011-04-14 | 2011-07-27 | 北京思创银联科技股份有限公司 | System and method for improving computer financial management security |
| CN103761474A (en) * | 2014-01-24 | 2014-04-30 | 北京京东尚科信息技术有限公司 | Method and device for monitoring execution time of monitoring method |
| CN103761474B (en) * | 2014-01-24 | 2016-08-17 | 北京京东尚科信息技术有限公司 | A kind of method and device for monitoring the execution time of a monitoring method |
| CN109784057A (en) * | 2019-01-04 | 2019-05-21 | 国家计算机网络与信息安全管理中心 | Recognition methods, controller and medium are reinforced in Android application |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101388062B (en) | 2010-06-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Furuoka | A new approach to testing unemployment hysteresis | |
| EP2597573B1 (en) | Test data generation | |
| CN111639337B (en) | Unknown malicious code detection method and system for massive Windows software | |
| RU2009136236A (en) | METHOD FOR ASSOCIATING AN EARLY UNKNOWN FILE TO A FILE COLLECTION, DEPENDING ON THE DEGREE OF SIMILARITY | |
| CN104091100A (en) | Software protection method based on intermediate result compiling | |
| US20140207820A1 (en) | Method for parallel mining of temporal relations in large event file | |
| CN108563952B (en) | File virus detection method and device and storage medium | |
| CN101388062B (en) | Packed executable file identification method and system based on statistical method | |
| CN106452779A (en) | Encryption method and apparatus of fingerprint image data | |
| CN112000952B (en) | Author organization characteristic engineering method of Windows platform malicious software | |
| CN101964040A (en) | PE loader-based software packing protection method | |
| CN113332729A (en) | Cloud game vulnerability detection method based on deep learning and artificial intelligence server | |
| CN112632568B (en) | Temperature data storage and acquisition method, system, electronic equipment and storage medium | |
| Huang et al. | Do trend extraction approaches affect causality detection in climate change studies? | |
| Hao et al. | Automatic generation of benchmarks for I/O-intensive parallel applications | |
| Chen et al. | A novel preprocessing method for solving long sequence problem in android malware detection | |
| CN108229168B (en) | Heuristic detection method, system and storage medium for nested files | |
| Tang et al. | Android malware detection based on deep learning techniques | |
| CN106802866B (en) | method for restoring execution path of Android program | |
| CN106055934B (en) | A kind of code protection method and device based on VEH | |
| CN116595918A (en) | Method, device, equipment and storage medium for verifying quick logical equivalence | |
| Yang et al. | DRTaint: A dynamic taint analysis framework supporting correlation analysis between data regions | |
| CN115361206A (en) | Encrypted program analysis method and device and electronic equipment | |
| Manis et al. | A Python library with fast algorithms for popular entropy definitions | |
| US9122543B2 (en) | Data processing method, apparatus and computer program product for similarity comparison of software programs |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20100616 Termination date: 20151017 |
|
| EXPY | Termination of patent right or utility model |