CN103294951B - Malicious code sample extraction method and system based on document-type vulnerabilities - Google Patents

Info

Publication number: CN103294951B
Authority: CN (China)
Prior art keywords: document, shellcode, malicious code, file, code sample
Legal status: Active
Application number: CN201210497712.XA
Other languages: Chinese (zh)
Other versions: CN103294951A
Inventors: 李伟, 布宁, 宋兵, 刘佳男, 李柏松
Current assignee: Beijing ahtech network Safe Technology Ltd
Original assignee: Beijing Antiy Electronic Equipment Co Ltd
Application filed by Beijing Antiy Electronic Equipment Co Ltd
Priority to CN201210497712.XA
Publication of CN103294951A
Application granted
Publication of CN103294951B

Abstract

The invention discloses a malicious code sample extraction method and system based on document-type vulnerabilities. First, the shellcode in the document is located and the located shellcode is extracted; the shellcode is then converted into a PE file. The PE file is run and it is determined whether it exhibits file-release behaviour: if so, the released file is extracted as the malicious code sample; otherwise it is determined whether the PE file exhibits file-download behaviour: if so, the downloaded file is extracted as the malicious code sample; otherwise malicious code sample extraction for the document is abandoned. Compared with the traditional cultivation method, this method extracts samples more accurately, faster and more conveniently.

Description

Malicious code sample extraction method and system based on document-type vulnerabilities
Technical field
The present invention relates to the technical field of network security, and in particular to a malicious code sample extraction method and system based on document-type vulnerabilities.
Background technology
Malicious code based on document-type vulnerabilities is not initially present on the user's machine. Instead, the intruder first plants a document carrying the vulnerability on the user's computer by various means and lures the user into opening it, so that the pre-placed shellcode releases or downloads the malicious code. This malicious code usually carries the intruder's counter-measures against security products: packing, anti-virtual-machine checks, AV evasion, driver-level protection, conditional execution and other protections. The most important problem is that the intruder usually knows the targeted user or network very well, the purpose being only to steal the information of a specific user while remaining hidden for a long time; the intruder therefore also studies the user's installed information security products individually and deploys evasion and bypass techniques against them, so that the detection rate for malicious code based on document-type vulnerabilities is almost zero.
At present, the sample capture methods used by information security vendors for document-type vulnerabilities are mostly based on cultivation: the massive number of documents found on user machines are run in a virtual machine, which is monitored for newly produced samples; these new samples are then analysed automatically, and in this way high-threat malicious code samples are captured. This approach has the following problems:
First, when the massive number of documents is executed in a virtual machine, each document needs time to run and be waited for, so the processing speed is very slow;
Second, documents of different types all depend on their own runtime environment when executed, so building the runtime environments in the virtual machine is a time-consuming process, and the environment built will not necessarily cover every document's execution environment, so some documents cannot be executed because no runtime environment exists for them;
Third, the captured samples are protected layer by layer by the intruder (defences, conditional execution and so on), so automated analysis in a virtual machine yields essentially no behaviour, and it is difficult to determine whether they are malicious.
Summary of the invention
In view of the above technical problems, the invention provides a malicious code sample extraction method and system based on document-type vulnerabilities. The method locates and extracts the shellcode in the document, converts it into a PE file, and extracts the malicious code sample by running that PE file, thereby improving speed and overcoming the excessive environmental dependence of the cultivation approach to extracting malicious code samples.
The present invention is realised with the following method:
A malicious code sample extraction method based on document-type vulnerabilities, including:
Step 1: locate the shellcode in the document;
Step 2: extract the located shellcode;
Step 3: convert the shellcode into a PE file;
Step 4: run the PE file and determine whether it exhibits file-release behaviour; if so, extract the released file as the malicious code sample; otherwise determine whether the PE file exhibits file-download behaviour; if so, extract the downloaded file as the malicious code sample; otherwise abandon malicious code sample extraction for the document.
Releasing a file means that the malicious code sample is itself contained in the shellcode and only needs to be written to disk for the release to succeed;
Downloading a file means that the malicious code sample resides on a remote network and is downloaded and stored to disk.
Preferably, the method of locating the shellcode in the document in step 1 can be:
Step a: perform known-vulnerability detection on the document and determine whether a vulnerability is detected; if so, use the detected vulnerability to locate the shellcode in the document, otherwise perform step b;
As is known, vulnerability detection depends on vulnerability signatures, which are obtained from extensive analysis of and accumulated experience with vulnerabilities: different detection methods for the different vulnerabilities of each document type. Once a vulnerability is detected, the offset address of the shellcode can be located directly, and the shellcode is extracted and arranged;
Step b: extract the embedded document of the document; if extraction succeeds, perform step a on the embedded document, otherwise perform step c;
Step c: parse and restore the data in the document, perform shellcode detection separately on the data of each format, and determine whether shellcode is detected; if so, locate the shellcode in the document, otherwise the document contains no shellcode.
Here shellcode detection depends on shellcode signatures, which are derived from the shellcode data extracted during large-scale shellcode analysis, with feature extraction then performed on that data by the corresponding algorithms.
Preferably, the extracted malicious code sample is cultivated in order to obtain the malicious code samples associated with it.
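The three-stage locating procedure of steps a, b and c (the same flow as S201 to S204 in the detailed description) can be expressed as a small locator. The following is an added illustration, not the patent's implementation or Antiy's code: the known-vulnerability signature table holds constructed placeholders rather than real exploit signatures, embedded-document extraction is shown only for zip-based (OOXML-style) containers, and the parse-and-restore stage is shown only for RTF-style hex data blocks, scanned for a few well-known self-locating x86 shellcode byte patterns. Embedded documents are fed back through the same three steps, as step b loops back to step a; step c runs on a document only when steps a and b find nothing.

```python
"""Three-stage shellcode locator in the spirit of steps a/b/c (S201-S204).
Added illustration only; the signature table, the container handling and
the detection heuristics are assumptions, not the patent's implementation."""
import io
import re
import zipfile

# Stage a: "known vulnerability" signatures. Each entry maps a byte pattern
# that identifies a known exploit layout to the offset, relative to the match,
# at which that exploit places its shellcode. Both entries are constructed
# placeholders, not real vulnerability signatures.
KNOWN_VULN_SIGNATURES = {
    "DEMO-VULN-1": (b"\x01\x02\x03\x04TRIGGER", 8),
    "DEMO-VULN-2": (b"OVERLONG-RECORD\xff\xff", 24),
}

# Stage c: byte sequences characteristic of position-independent x86 shellcode
# (self-locating "GetPC" stubs, PEB access, NOP sled). Used for detection only.
SHELLCODE_PATTERNS = {
    "call $+5":           b"\xe8\x00\x00\x00\x00",
    "fldz; fnstenv":      b"\xd9\xee\xd9\x74\x24\xf4",
    "mov eax, fs:[0x30]": b"\x64\xa1\x30\x00\x00\x00",
    "nop sled":           b"\x90" * 16,
}

HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}){16,}")   # RTF-style hex data blocks


def detect_known_vuln(data):
    """Stage a: match exploit signatures and derive the shellcode offset."""
    for name, (sig, delta) in KNOWN_VULN_SIGNATURES.items():
        pos = data.find(sig)
        if pos >= 0:
            return {"stage": "a", "vuln": name, "offset": pos + delta}
    return None


def extract_embedded(data):
    """Stage b: return (name, bytes) for documents embedded in a zip-based
    container (OOXML stores OLE objects under word/embeddings/, for example).
    Other container formats would need their own extractor."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(n, zf.read(n)) for n in zf.namelist() if not n.endswith("/")]


def detect_shellcode(data):
    """Stage c: parse/restore encoded regions (here: hex runs), then scan the
    raw and the decoded views for shellcode patterns. Returns the first hit."""
    views = [("raw", data)]
    for m in HEX_RUN.finditer(data):
        views.append(("hex@%d" % m.start(), bytes.fromhex(m.group().decode())))
    for view, blob in views:
        for label, pat in SHELLCODE_PATTERNS.items():
            pos = blob.find(pat)
            if pos >= 0:
                return {"stage": "c", "view": view, "pattern": label, "offset": pos}
    return None


def locate_shellcode(data, name="document", depth=0):
    """Steps a -> b -> c. Each embedded document goes through the same steps
    (step b loops back to step a); step c runs only when a and b find nothing."""
    hit = detect_known_vuln(data)
    if hit is None and depth < 4:                     # bound nesting depth
        for inner_name, inner in extract_embedded(data):
            hit = locate_shellcode(inner, inner_name, depth + 1)
            if hit:
                break
    if hit is None:
        hit = detect_shellcode(data)
    if hit and "location" not in hit:
        hit["location"] = name
    return hit


def build_sample_docx():
    """Constructed test input: a zip container holding an RTF-like embedded
    object whose hex data block hides a 'call $+5' GetPC stub at offset 20."""
    payload = b"A" * 20 + SHELLCODE_PATTERNS["call $+5"] + b"B" * 12
    rtf = (b"{\\rtf1\\ansi {\\object\\objemb {\\*\\objdata "
           + payload.hex().encode() + b"}}}")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", rtf)
    return buf.getvalue()


if __name__ == "__main__":
    print(locate_shellcode(build_sample_docx()))
```

On the constructed sample the outer zip matches no signature, so the locator descends into the embedded object, where step a and step b also fail and step c decodes the hex block and reports the GetPC stub at offset 20 of the decoded data. A real deployment would carry a much larger signature table and extractors for OLE2 and PDF containers in place of the zip-only stage b.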
A malicious code sample extraction system based on document-type vulnerabilities, including:
a locating module, for locating the shellcode in the document;
an extraction module, for extracting the located shellcode;
a conversion module, for converting the shellcode into a PE file;
a handling module, for running the PE file and determining whether it exhibits file-release behaviour; if so, it extracts the released file as the malicious code sample; otherwise it determines whether the PE file exhibits file-download behaviour; if so, it extracts the downloaded file as the malicious code sample; otherwise it abandons malicious code sample extraction for the document.
Releasing a file means that the malicious code sample is itself contained in the shellcode and only needs to be written to disk for the release to succeed;
Downloading a file means that the malicious code sample resides on a remote network and is downloaded and stored to disk;
Preferably, the locating module can include the following submodules:
a known-vulnerability detection submodule, for performing known-vulnerability detection on the document and determining whether a vulnerability is detected; if so, it uses the detected vulnerability to locate the shellcode in the document, otherwise it sends the document to the embedded-document extraction submodule;
an embedded-document extraction submodule, which receives the document sent to it and extracts its embedded document; if extraction succeeds, it sends the embedded document to the known-vulnerability detection submodule, otherwise it sends the document to the parse-and-restore submodule;
a parse-and-restore submodule, which receives the document sent to it, parses and restores the data in the document, performs shellcode detection separately on the data of each format and determines whether shellcode is detected; if so, it locates the shellcode in the document, otherwise the document contains no shellcode.
Preferably, the system also includes a cultivation module, for cultivating the extracted malicious code sample in order to obtain the malicious code samples associated with it.
In summary, the invention provides a malicious code sample extraction method and system based on document-type vulnerabilities: the shellcode in the document is located in a certain way and extracted, converted into a PE file, and that PE file is run and checked for malicious operations, from which the malicious code sample is extracted. Extracting malicious code samples in this way is much faster and has no dependence on the document's runtime environment, so malicious code sample extraction can be completed better.
Brief description of the drawings
In order to explain the technical scheme of the embodiments more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some of the embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the malicious code sample extraction method based on document-type vulnerabilities provided by the present invention;
Fig. 2 is a flow chart of the method of locating the shellcode in the document within the malicious code sample extraction method provided by the present invention;
Fig. 3 is a structure diagram of the malicious code sample extraction system based on document-type vulnerabilities provided by the present invention;
Fig. 4 is a structure diagram of the locating module in the malicious code sample extraction system provided by the present invention.
Detailed description of the invention
The present invention provides a malicious code sample extraction method and system based on document-type vulnerabilities. So that those skilled in the art can better understand the technical scheme of the embodiments, and so that the above objects, features and advantages of the present invention become clearer and easier to understand, the technical scheme of the present invention is described in further detail below with reference to the accompanying drawings:
The present invention first provides a malicious code sample extraction method based on document-type vulnerabilities, illustrated here with an email-server document detection system as an example. On the email server, attachments are extracted in real time from incoming and outgoing mail, all document files among them are taken out, and malicious code sample extraction is performed for the extracted document files; as shown in Fig. 1, this includes:
S101: locate the shellcode in the document;
S102: extract the located shellcode; at this point the shellcode has no execution environment;
S103: convert the shellcode into a PE file; the purpose of this operation is to make the shellcode executable;
S104: run the PE file and determine whether it exhibits file-release behaviour; if so, extract the released file as the malicious code sample, otherwise perform S105;
S105: determine whether the PE file exhibits file-download behaviour; if so, extract the downloaded file as the malicious code sample, otherwise abandon malicious code sample extraction for the document.
At this point, the document judged to contain a document-type vulnerability can be recorded and blocked: either the attachment is blocked directly and only the parts other than the malicious document are sent on, or the mail is blocked as a whole.
Afterwards, the obtained malicious code sample can also be cultivated to obtain the sample files associated with this high-threat malicious code, and the associated sample files can in turn be cultivated to obtain a more complete set of malicious code samples.
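The decision of S104 and S105 (release checked before download, otherwise extraction abandoned) and the gateway action described after it can be expressed over a sandbox behaviour report of the converted PE file. This is an added illustration, not the patent's or Antiy's code; the JSON-lines event format, its field names (pid, op, buf, path) and the correlation rule (a written file whose bytes came from a network receive buffer counts as downloaded, any other written file outside the sandbox's own scratch directory counts as released) are assumptions made here, and both reports are constructed.

```python
"""Step 4 / S104-S105 decision logic applied to a sandbox behaviour report,
plus the mail-gateway disposition. Added illustration; the event format,
field names and the release/download correlation rule are assumptions."""
import json

SANDBOX_SCRATCH = "C:\\sandbox\\"   # the harness's own files are never samples

# Constructed report: the converted PE connects out, receives a buffer over
# the network and writes it to disk as an executable (download behaviour).
DOWNLOAD_REPORT = "\n".join([
    r'{"pid": 1200, "op": "process_start", "image": "C:\\sandbox\\sc.exe"}',
    r'{"pid": 1200, "op": "net_connect", "host": "203.0.113.10", "port": 80}',
    r'{"pid": 1200, "op": "net_recv", "buf": 7, "bytes": 48128}',
    r'{"pid": 1200, "op": "file_write", "buf": 7, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\svch0st.exe", "magic": "MZ"}',
    r'{"pid": 1200, "op": "process_start", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\svch0st.exe"}',
])

# Constructed report: the payload is carried inside the shellcode itself and
# is written straight to disk (release behaviour); the log write is noise.
RELEASE_REPORT = "\n".join([
    r'{"pid": 1300, "op": "process_start", "image": "C:\\sandbox\\sc.exe"}',
    r'{"pid": 1300, "op": "file_write", "buf": 2, "path": "C:\\sandbox\\run.log"}',
    r'{"pid": 1300, "op": "file_write", "buf": 3, "path": "C:\\ProgramData\\update.dll", "magic": "MZ"}',
])


def parse_report(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(report_text):
    """Return ("released", paths), ("downloaded", paths) or None.
    Release is checked before download, in the order of S104 then S105."""
    received = set()            # (pid, buf) pairs that carried network data
    released, downloaded = [], []
    for ev in parse_report(report_text):
        if ev["op"] == "net_recv":
            received.add((ev["pid"], ev["buf"]))
        elif ev["op"] == "file_write":
            if ev["path"].startswith(SANDBOX_SCRATCH):
                continue        # sandbox bookkeeping, not a sample
            from_network = (ev["pid"], ev.get("buf")) in received
            (downloaded if from_network else released).append(ev["path"])
    if released:
        return ("released", released)
    if downloaded:
        return ("downloaded", downloaded)
    return None                 # S105 negative: abandon extraction


def mail_disposition(result, strip_attachment_only=True):
    """Gateway action for the mail that carried the document: nothing
    extracted -> deliver; otherwise strip the malicious attachment and pass
    the rest, or block the whole mail, according to policy."""
    if result is None:
        return "deliver"
    return "strip_attachment" if strip_attachment_only else "block_mail"


if __name__ == "__main__":
    for name, report in (("download", DOWNLOAD_REPORT), ("release", RELEASE_REPORT)):
        verdict = triage(report)
        print(name, verdict, mail_disposition(verdict))
```

Because the released-file check runs first, a run that both drops an embedded file and downloads another is classified as release, matching the order of S104 and S105; the downloaded paths are still available to an analyst who wants both. A production sandbox would additionally hash the written files so that the extracted samples can be de-duplicated before cultivation.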
For the malicious code sample extraction method based on document-type vulnerabilities provided by the present invention, the method of locating the shellcode in the document mentioned above, again illustrated with an email server as an example and as shown in Fig. 2, is:
S201: perform known-vulnerability detection on the document and determine whether a vulnerability is detected; if so, perform S204, otherwise perform S202;
S202: extract the embedded document of the document and determine whether extraction succeeded; if so, perform S201, otherwise perform S203;
S203: parse and restore the data in the document, perform shellcode detection separately on the data of each format, and determine whether shellcode is detected; if so, perform S204, otherwise the document contains no shellcode;
S204: locate the shellcode in the document.
The invention provides a malicious code sample extraction system based on document-type vulnerabilities which, as shown in Fig. 3, includes:
a locating module 301, for locating the shellcode in the document;
an extraction module 302, for extracting the located shellcode;
a conversion module 303, for converting the shellcode into a PE file;
a handling module 304, for running the PE file and determining whether it exhibits file-release behaviour; if so, it extracts the released file as the malicious code sample; otherwise it determines whether the PE file exhibits file-download behaviour; if so, it extracts the downloaded file as the malicious code sample; otherwise it abandons malicious code sample extraction for the document.
Finally, the malicious code sample extracted by the sample extraction module can be cultivated to obtain the malicious code samples associated with it.
In the malicious code sample extraction system based on document-type vulnerabilities provided by the present invention, the locating module can include the following submodules, as shown in Fig. 4:
a known-vulnerability detection submodule 401, for performing known-vulnerability detection on the document and determining whether a vulnerability is detected; if so, it uses the detected vulnerability to locate the shellcode in the document, otherwise it sends the document to the embedded-document extraction submodule 402;
an embedded-document extraction submodule 402, which receives the document sent to it and extracts its embedded document; if extraction succeeds, it sends the embedded document to the known-vulnerability detection submodule 401, otherwise it sends the document to the parse-and-restore submodule 403;
a parse-and-restore submodule 403, which receives the document sent to it, parses and restores the data in the document, performs shellcode detection separately on the data of each format and determines whether shellcode is detected; if so, it locates the shellcode in the document, otherwise the document contains no shellcode.
As described above, the present invention provides a malicious code sample extraction method and system based on document-type vulnerabilities. The difference from conventional methods is that traditional extraction of malicious code samples for document-type vulnerabilities obtains them by cultivation, so that obtaining the sample depends to some extent on the document's runtime environment, whereas the method provided by the present invention does not need to rely on the document's runtime environment and can obtain malicious code samples quickly and accurately.
The above embodiments are intended to illustrate, not to limit, the technical scheme of the present invention. Any modification or partial replacement that does not depart from the spirit and scope of the present invention shall be covered by the scope of the claims of the present invention.

Claims (6)

1. A malicious code sample extraction method based on document-type vulnerabilities, characterised in that it includes:
Step 1: locate the shellcode in the document;
Step 2: extract the located shellcode;
Step 3: convert the shellcode into a PE file;
Step 4: run the PE file and determine whether it exhibits file-release behaviour; if so, extract the released file as the malicious code sample; otherwise determine whether the PE file exhibits file-download behaviour; if so, extract the downloaded file as the malicious code sample; otherwise abandon malicious code sample extraction for the document.
2. The method of claim 1, characterised in that the method of locating the shellcode in the document in step 1 includes:
Step a: perform known-vulnerability detection on the document and determine whether a vulnerability is detected; if so, use the detected vulnerability to locate the shellcode in the document, otherwise perform step b;
Step b: extract the embedded document of the document; if extraction succeeds, perform step a, otherwise perform step c;
Step c: parse and restore the data in the document, perform shellcode detection separately on the data of each format, and determine whether shellcode is detected; if so, locate the shellcode in the document, otherwise the document contains no shellcode.
3. The method of claim 1, characterised in that the extracted malicious code sample is cultivated in order to obtain the malicious code samples associated with it.
4. A malicious code sample extraction system based on document-type vulnerabilities, characterised in that it includes:
a locating module, for locating the shellcode in the document;
an extraction module, for extracting the located shellcode;
a conversion module, for converting the shellcode into a PE file;
a handling module, for running the PE file and determining whether it exhibits file-release behaviour; if so, it extracts the released file as the malicious code sample; otherwise it determines whether the PE file exhibits file-download behaviour; if so, it extracts the downloaded file as the malicious code sample; otherwise it abandons malicious code sample extraction for the document.
5. The system of claim 4, characterised in that the locating module includes the following submodules:
a known-vulnerability detection submodule, for performing known-vulnerability detection on the document and determining whether a vulnerability is detected; if so, it uses the detected vulnerability to locate the shellcode in the document, otherwise it sends the document to the embedded-document extraction submodule;
an embedded-document extraction submodule, which receives the document sent to it and extracts its embedded document; if extraction succeeds, it sends the embedded document to the known-vulnerability detection submodule, otherwise it sends the document to the parse-and-restore submodule;
a parse-and-restore submodule, which receives the document sent to it, parses and restores the data in the document, performs shellcode detection separately on the data of each format and determines whether shellcode is detected; if so, it locates the shellcode in the document, otherwise the document contains no shellcode.
6. The system of claim 4, characterised in that it also includes a cultivation module, for cultivating the extracted malicious code sample in order to obtain the malicious code samples associated with it.
CN201210497712.XA, priority date 2012-11-29, filing date 2012-11-29: Malicious code sample extraction method and system based on document-type vulnerabilities, Active, CN103294951B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210497712.XA CN103294951B (en) 2012-11-29 2012-11-29 Malicious code sample extraction method and system based on document-type vulnerabilities

Publications (2)

Publication Number Publication Date
CN103294951A CN103294951A (en) 2013-09-11
CN103294951B true CN103294951B (en) 2016-09-07

Family

ID=49095793

Country Status (1)

Country Link
CN (1) CN103294951B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160381051A1 (en) * 2015-06-27 2016-12-29 Mcafee, Inc. Detection of malware
CN106874758B (en) * 2016-08-22 2021-03-16 创新先进技术有限公司 Method and device for identifying document code
CN106372508B (en) * 2016-08-30 2020-05-12 北京奇虎科技有限公司 Malicious document processing method and device
CN109768945A (en) * 2017-11-09 2019-05-17 国网青海省电力公司电力科学研究院 A kind of detection device and discovery method of any file download loophole
CN109472142A (en) * 2017-12-29 2019-03-15 北京安天网络安全技术有限公司 A kind of automatic method of disposal of malicious code and system
CN110717180B (en) * 2018-07-13 2021-09-28 北京安天网络安全技术有限公司 Malicious document detection method and system based on self-positioning behaviors and storage medium
CN110866252A (en) * 2018-12-21 2020-03-06 北京安天网络安全技术有限公司 Malicious code detection method and device, electronic equipment and storage medium
CN110348214B (en) * 2019-07-16 2021-06-08 电子科技大学 Method and system for detecting malicious codes

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101673326A (en) * 2008-09-11 2010-03-17 北京理工大学 Method for detecting web page Trojan horse based on program execution characteristics
CN101820419A (en) * 2010-03-23 2010-09-01 北京大学 Method for automatically positioning webpage Trojan mount point in Trojan linked webpage
CN101826139A (en) * 2009-12-30 2010-09-08 厦门市美亚柏科信息股份有限公司 Method and device for detecting Trojan in non-executable file

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7228563B2 (en) * 2003-02-06 2007-06-05 Symantec Corporation Shell code blocking system and method




Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
    Address after: 100080 Beijing city Haidian District minzhuang Road No. 3, Tsinghua Science Park Building 1 Yuquan Huigu a
    Patentee after: Beijing ahtech network Safe Technology Ltd
    Address before: 100080 Haidian District City, Zhongguancun, the main street, No. 1 Hailong building, room 1415, room 14
    Patentee before: Beijing Antiy Electronic Installation Co., Ltd.
PE01 Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: Malicious code sample extraction method and system based on document type bug
    Effective date of registration: 20190719
    Granted publication date: 20160907
    Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch
    Pledgor: Beijing ahtech network Safe Technology Ltd
    Registration number: 2019230000008
PC01 Cancellation of the registration of the contract for pledge of patent right
    Date of cancellation: 20210810
    Granted publication date: 20160907
    Pledgee: Bank of Longjiang Limited by Share Ltd. Harbin Limin branch
    Pledgor: BEIJING ANTIY NETWORK TECHNOLOGY Co.,Ltd.
    Registration number: 2019230000008