CN103810427A - Mining method and system for malicious code hiding behaviors - Google Patents

Info

Publication number: CN103810427A
Application number: CN201410058889.9A
Authority: CN (China)
Prior art keywords: malicious code, behavior, execution, judgment, condition
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN103810427B (en)
Inventors: 王蕊, 林子敏, 张道娟
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS

Events:
- Application filed by Institute of Information Engineering of CAS
- Priority to CN201410058889.9A
- Publication of CN103810427A
- Application granted
- Publication of CN103810427B
- Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a method and system for mining the hidden behaviors of malicious code. The method runs the malicious code in a virtual environment and checks whether the instruction information and function information it executes contain instructions and functions related to hidden behavior paths. If execution information related to delay hiding is detected, the corresponding delay behavior is ended so that the malicious code continues executing its subsequent instructions and functions. If execution information related to conditional-judgment hiding is detected, it is classified by the kind of conditional judgment, and the possible execution paths of the malicious code are mined by satisfying the execution conditions of the different paths. The information on the various behavior paths executed by the malicious code is then used to generate a malicious code behavior path tree. The method can effectively mine the hidden behaviors by which malicious code evades analysis through delay hiding and conditional-judgment hiding, effectively discover the various hidden behavior paths that may exist, and improve the ability to analyze and mine the hidden behaviors of malicious code.

Description

A method and system for mining hidden behaviors of malicious code

Technical field

The invention belongs to the field of network security technology and specifically relates to a method and system for mining the hidden behaviors of malicious code.

Background

As informatization advances and technology develops, malicious code, one of its major threats, keeps advancing as well. To evade analysis and detection, the concealment, polymorphism and survivability of malicious code are constantly improving. Malicious code hides some of its harmful behaviors by various technical means, so that ordinary analysis and detection tools cannot detect its malicious behavior in time, and it then causes damage when needed, threatening the security of the Internet and computer systems.

At present, the main concealment techniques of malicious code are: (1) hiding its traces in the system, such as process information; (2) containing both a benign behavior path and a malicious behavior path, and carrying out the malicious behavior only under certain conditions, for example hiding its malicious behavior once it detects an analysis or detection environment, so as to evade detection. Traditional dynamic analysis can usually only analyze the behavior path that the malicious code currently executes, and cannot properly analyze or detect the existence of hidden behaviors and paths. Improving the ability to analyze the hidden behaviors and paths of malicious code has therefore become an important problem to solve in malicious code defense.

Among existing malicious code analysis methods, static analysis can comprehensively analyze all paths contained in the malicious code and thereby uncover its possible hidden behaviors. Usually, however, the source code of malicious code is not available, so analyzing it depends entirely on disassembly and decompilation software, and malicious code commonly uses obfuscation techniques that interfere with such software and make accurate recovery of the code difficult. Dynamic analysis, on the other hand, can capture the behavior of malicious code while it executes, but is limited to a single execution path, that is, it captures only the one behavior path exhibited during the current run. For malicious code with multiple behavior paths, especially code that hides one malicious behavior path among several harmless ones, it cannot carry out effective analysis.

As malicious code analysis and detection technology develops, malicious code authors keep updating their techniques as well. To evade analysis and detection, there are now methods that detect a virtual analysis environment and hide behavior accordingly, as well as concealment techniques that carry out the malicious behavior only under specific conditions. These pose great challenges to malicious code analysis and defense.

Studying analysis methods for the hidden behaviors of malicious code, so as to analyze those hidden behaviors comprehensively and effectively and further guide malicious code detection, is an important fundamental problem in malicious code defense. The main problems of current hidden-behavior analysis methods are: dynamic analysis only analyzes the behavior executed within a period of time, so behaviors hidden behind a delay are easily missed; the dynamic analysis process can only analyze the currently executed behavior, so it cannot effectively analyze latent malicious behavior paths that appear only under specific conditions, nor malicious code that hides its malicious behavior after probing the runtime environment and conditions; and most dynamic analysis is passive tracing, lacking an effective method for actively uncovering the hidden behaviors of malicious code.

Summary of the invention

The purpose of the present invention is to provide a method and system for mining the hidden behaviors of malicious code. During dynamic execution it analyzes the delay and conditional control statements that may exist in the code executed by the malicious code, supplies the conditions that satisfy each behavior path the code may execute, and actively triggers the potential hidden behaviors, thereby actively uncovering the hidden behaviors of the malicious code and realizing hidden-behavior analysis.

The main content of the present invention is: run the malicious code to be analyzed in a controllable environment and monitor its execution information; for the two kinds of hidden behavior, delayed execution and conditional judgment, monitor the instructions and functions that implement them and feed the code the inputs that satisfy the conditions under which the hidden behavior executes, so that it executes the corresponding behavior paths and the hidden behaviors are mined.

Specifically, the technical scheme adopted by the present invention is as follows:

A method for mining hidden behaviors of malicious code, the steps of which include:

1) Run the malicious code in a virtual environment and monitor, instruction by instruction, the instruction information and function information executed by the malicious code;

2) Determine whether the instruction information and function information executed by the malicious code contain instructions and functions related to hidden behavior paths, where the hidden behaviors comprise two kinds: delay hiding and conditional-judgment hiding;

3) If execution information related to delay hiding is detected, end the corresponding delay behavior so that the malicious code continues to execute its subsequent instructions and functions;

4) If execution information related to conditional-judgment hiding is detected, classify it according to the kind of conditional judgment, and uncover the possible execution paths of the malicious code by satisfying the execution conditions of its different paths;

5) Represent the information on the multiple possible behavior paths executed by the malicious code, as found by the analysis, in the form of a tree, generating a malicious code behavior path tree.

Further, the method of monitoring the instruction information and function information executed by the malicious code in step 1) is: run the malicious code to be analyzed in a hardware emulation environment, monitor the sequence of instructions executed by the malicious code through dynamic disassembly, and monitor the relevant function information through hook functions.

Further, the instructions and functions related to hidden behavior paths in step 2) can be defined by the user as needed; in the present invention they are mainly divided into two kinds, delay hiding and conditional-judgment hiding.

Further, delay hiding in step 2) means that the malicious code delays the appearance of its malicious behavior by some means in order to evade dynamic analysis of limited duration; conditional-judgment hiding means that, before performing its malicious behavior, the malicious code checks some execution conditions, such as the system and network state, and performs the malicious behavior only when certain conditions are met.

Further, the delay hiding in step 3) mainly comprises two common kinds of delay-hiding behavior: delay through the sleep function and delay through a loop.

Further, the method of ending the corresponding delay behavior in step 3) is: for the sleep function, end the function by adjusting the hardware time to a time after the delay; for a loop delay, end the loop by modifying the corresponding register flag bit.

Further, the conditional-judgment hiding in step 4) mainly comprises two categories: user-interaction conditions and independent condition judgments. A user-interaction condition checks whether a user input event (including mouse and keyboard events) has occurred, while an independent condition judgment merely checks, during execution, various system and network conditions that require no human intervention.

Further, the method of satisfying the execution conditions of the different paths in step 4) is: analyze the conditional judgment statements during the execution of the malicious code. For user-interaction condition judgments, when a conditional judgment statement waiting for keyboard or mouse events is found, start the corresponding function-call module to send the corresponding keyboard and mouse messages so that its execution condition is satisfied. For independent condition judgments, save the system image (snapshot) and the judgment expression at the point where the conditional judgment statement occurs, then continue executing; when the current path has finished executing, roll back to the saved image and change the result of the judgment condition so that the code executes the other path, thereby mining the hidden execution path. If several conditional judgments are encountered during execution, the possible condition values are determined by evaluating the results of all judgment expressions on the path.

A system for mining hidden behaviors of malicious code, which comprises:

a hardware emulator, providing the virtual execution environment in which the malicious code is run and monitored;

an instruction information monitoring module, integrated in the instruction translation module of the hardware emulator, for monitoring and recording the instruction information executed by the malicious code during the run;

a function information monitoring module, integrated in the hardware emulator and connected to the instruction information monitoring module, for monitoring the function information executed by the malicious code during the run by checking instruction jumps and the emulated memory data;

a conditional judgment analysis module, connected to the instruction information monitoring module and the function information monitoring module, for detecting conditional judgment statements in the instruction and function information executed by the malicious code;

a condition input module, connected to the conditional judgment analysis module and to the virtual execution environment of the hardware emulator, for generating the condition inputs needed during analysis to make the code execute its different behavior paths;

a run image module, connected to the virtual execution environment of the hardware emulator, the conditional judgment analysis module and the condition input module, for recording, when there are multiple possible execution paths, an image of the system and code state before each path is executed;

a behavior tree construction module, connected to the instruction information monitoring module, the function information monitoring module, the conditional judgment analysis module and the condition input module, for constructing the malicious code behavior path tree from the different behavior paths of the malicious code that were obtained.

The advantages and positive effects of the present invention are as follows:

The present invention addresses the problem that dynamic analysis of malicious code is limited to a single path within a limited time. By analyzing the concealment techniques commonly used by malicious code and applying an analysis method of monitoring, judgment and active mining in a controllable environment, it can effectively mine the hidden behaviors by which malicious code evades analysis through delay hiding and conditional-judgment hiding, and effectively discover the multiple hidden behavior paths that may exist, thereby improving the ability to analyze and mine the hidden behaviors of malicious code.

Description of the drawings

Figure 1 is a flowchart of the method for mining hidden behaviors of malicious code.

Figure 2 is a module diagram of the system for mining hidden behaviors of malicious code.

Detailed description of the embodiments

The present invention is further described below through specific embodiments and the accompanying drawings.

As shown in Figure 1, the method of the present invention for mining hidden behaviors of malicious code comprises the following steps:

1. Monitor and record the instruction information and function information of the malicious code as it executes dynamically.

The present invention uses a hardware emulator to run the malicious code under analysis dynamically in a virtual operating system, and monitors and records the instructions and function information executed by the malicious code inside the hardware emulator. Instruction monitoring extracts instructions one at a time using disassembly in the emulator's intermediate translation module and records the corresponding instruction information. Function information monitoring identifies the system data structures in the virtual memory, computes the corresponding function call addresses, and then decides whether a function to be monitored has been called by comparing the instruction's jump address with the function call address, recording the corresponding information.

2. Determine whether instructions and functions related to hidden behavior paths appear.

Based on an analysis of the concealment techniques commonly used by malicious code, the present invention divides them into two categories: delay hiding and conditional-judgment hiding. Delay hiding is a behavior-concealment technique in which the malicious code delays the execution of its malicious behavior to evade detection by the dynamic analysis environment; conditional-judgment hiding is a concealment technique in which the malicious code checks some system, network and user-interaction conditions and executes its malicious behavior only when certain conditions are satisfied.

Delay hiding usually takes two forms: delay using the sleep function and delay using a loop. For sleep-function delays, the present invention detects the sleep function by hooking it. For loop delays, it monitors whether the instructions executed by the malicious code contain a loop and, when one is found, analyzes it further.

For conditional-judgment hiding, the present invention divides conditions into two categories, user-interaction conditions and independent judgment conditions, according to whether user interaction is involved. During execution of the malicious code, when a conditional judgment statement is observed, the relevant information is recorded, a corresponding image file is built that records the various state information of the current system and of the malicious code's execution, and the statement is then handed to the subsequent steps for further analysis and processing.

3. For detected delay-hiding behavior, end the corresponding delay so that the malicious code continues executing.

The delay-hiding behavior detected in step 2 is handled as follows. When a call to the sleep function is detected, the delay value is read from the stack and the hardware emulator's time is advanced past that delay, so that the wake-up condition is satisfied and the malicious code goes on to execute its subsequent behavior.

When a loop is detected, the analysis identifies the transfer instruction that sends the loop's control flow back around. When that transfer instruction is executed again, the corresponding flag bit of the EFLAGS register in the virtual CPU is set to its inverse, ending the loop so that the malicious code begins executing its subsequent behavior.

4. For the hidden behaviors that detected conditional judgment statements may lead to, mine the potential hidden behavior paths by satisfying their different conditions.

When a conditional judgment statement detected in step 2 is encountered, the condition it checks is analyzed and handled differently depending on whether user interaction is involved. When user interaction is required, that is, the code checks whether a user mouse or keyboard event has occurred, the corresponding mouse interface function do_mouse and keyboard interface function do_send_key are called to send the corresponding mouse and keyboard messages so that the execution condition of the subsequent behavior is satisfied. Before calling the interface function, the corresponding system image is recorded; after this path has been analyzed, execution rolls back to that image and the other path, in which the interaction is not satisfied, is analyzed, so as to obtain a fuller picture of the malicious code's behavior. Note that most malicious code decides whether it is in a real environment rather than an analysis environment by checking for user input, so the probability that malicious behavior executes when the user-interaction condition is satisfied is relatively high; we therefore analyze the behavior under the satisfied condition first.

If the condition is an independent judgment condition, that is, one that does not require user interaction, the judgment statement is analyzed and the current system image is saved. Starting from the first conditional judgment statement, the system image and the current judgment condition are saved and the possible different subsequent branch paths are analyzed. After one path has been executed, execution returns to the system image at the corresponding judgment condition and a different conditional branch is executed, so that the different behavior paths the malicious code may execute are mined. Note that if further conditional judgment statements appear later on a path, they are analyzed level by level recursively. In addition, to reduce the cost spent on impossible paths, the present invention saves all conditional judgment statements on the path during analysis; when a new conditional judgment statement is produced, all the conditions on the path are evaluated together and only the genuinely potential paths, those that satisfy all the path conditions and hence can arise from actually possible data, are analyzed.

5. Construct the behavior paths the malicious code may execute into a malicious code behavior path tree.

Through the above analysis, the hidden behaviors that malicious code may have can be uncovered. The present invention represents the various behaviors of the malicious code mined through dynamic execution as a tree structure. The malicious code behavior path tree is constructed as follows: the first piece of execution information of the malicious code starts the behavior tree; thereafter, each subsequent piece of executed information is added to the tree as a child node; when delay-hiding information is detected, the delay condition is marked on the corresponding execution information node and subsequent child nodes continue to be added; when a conditional judgment statement is detected, the conditional judgment information is saved in the corresponding node and different child nodes are added for the different conditions to represent the subsequent execution subtrees, that is, the corresponding node is marked after the system image is saved, and once a path has been analyzed, execution returns to that node to add the other subtrees, until execution is complete.
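The following Python model is an added illustration of steps 1, 3, 4 and 5 above (and of the corresponding paragraphs in the summary); it is not the patent's code, and the guest CPU, instruction set, function address, predicate names and sample program are all constructed for the example. It recognises a monitored call by its target address, skips a sleep by reading the delay from the stack and advancing the virtual clock, ends a delay loop by inverting the zero flag on the second pass over its back-edge, snapshots the guest at each conditional judgment and explores the satisfied branch first (marking a user-interaction event as injected), follows only the feasible branch when a predicate is already fixed on the current path, and records everything as a behavior path tree.

```python
# Added example (not the patent's code): a toy model of the mining loop above.
# Guest CPU, instruction set, addresses and sample program are all constructed.
from copy import deepcopy

MONITORED_FUNCTIONS = {0x77001000: "sleep"}  # step 1: hooked call targets (constructed)
USER_INTERACTION_CONDS = {"mouse_moved", "key_pressed"}  # "was there user input?" checks
LOOP_PASSES_BEFORE_EXIT = 2  # invert the flag the second time a back-edge executes


class Node:
    """Behavior path tree node (step 5)."""
    def __init__(self, label):
        self.label, self.children = label, []

    def add(self, label):
        child = Node(label)
        self.children.append(child)
        return child

    def paths(self):
        # All root-to-leaf label sequences, one per mined behavior path.
        if not self.children:
            return [[self.label]]
        return [[self.label] + p for c in self.children for p in c.paths()]


class Guest:
    """Minimal virtual CPU state: pc, counter register, zero flag, stack, clock."""
    def __init__(self, program):
        self.program, self.pc, self.counter, self.zf = program, 0, 0, False
        self.stack, self.clock = [], 0  # clock: virtual hardware time in ms


def mine(program):
    """Run the program under the analyzer and return its behavior path tree."""
    root = Node("start")
    _explore(Guest(program), root, path_conds={}, back_edge_hits={})
    return root


def _explore(g, node, path_conds, back_edge_hits):
    while g.pc < len(g.program):
        op, *args = g.program[g.pc]
        if op == "push":
            g.stack.append(args[0])
            g.pc += 1
        elif op == "call":
            # Step 1: recognise the call by comparing its target with the monitored addresses.
            if MONITORED_FUNCTIONS.get(args[0]) == "sleep":
                # Step 3: read the delay from the stack and advance the clock past it.
                delay = g.stack.pop()
                g.clock += delay
                node = node.add(f"sleep({delay}) [delay skipped, clock={g.clock}]")
            else:
                node = node.add(f"call {args[0]:#x}")
            g.pc += 1
        elif op == "set_counter":
            g.counter = args[0]
            g.pc += 1
        elif op == "dec_jnz":
            # Loop delay (`dec counter; jnz target`): on the second pass over the
            # back-edge the zero flag is inverted so the loop ends (step 3).
            g.counter -= 1
            g.zf = g.counter == 0
            hits = back_edge_hits[g.pc] = back_edge_hits.get(g.pc, 0) + 1
            if hits >= LOOP_PASSES_BEFORE_EXIT and not g.zf:
                g.zf = True
                node = node.add(f"loop@{g.pc} [ended by flag flip after {hits} passes]")
            g.pc = g.pc + 1 if g.zf else args[0]
        elif op == "jif":
            # Step 4: conditional judgment on an environment predicate.
            pred, target = args
            if pred in path_conds:
                # Predicate already fixed on this path: only one branch is feasible,
                # so follow it without a new snapshot (impossible-path pruning).
                g.pc = target if path_conds[pred] else g.pc + 1
                continue
            branch = node.add(f"if {pred}")
            for value in (True, False):  # satisfied branch is explored first
                snap = deepcopy(g)  # system image taken before this branch
                injected = value and pred in USER_INTERACTION_CONDS
                label = f"{pred}={value}" + (" [event injected]" if injected else "")
                snap.pc = target if value else snap.pc + 1
                _explore(snap, branch.add(label), {**path_conds, pred: value},
                         dict(back_edge_hits))
            return
        elif op == "act":
            node = node.add(args[0])
            g.pc += 1
        elif op == "exit":
            node.add("exit")
            return


# Constructed sample: a sleep, a spin loop, then two kinds of condition.
SAMPLE = [
    ("push", 600_000), ("call", 0x77001000),      # 0-1: Sleep(600000), ten minutes
    ("set_counter", 10_000_000), ("dec_jnz", 3),  # 2-3: busy-wait loop on itself
    ("jif", "mouse_moved", 6), ("exit",),         # 4-5: exit quietly without user input
    ("jif", "is_online", 8), ("exit",),           # 6-7: independent condition
    ("act", "connect_c2"),                        # 8
    ("jif", "is_online", 11), ("act", "never_reached"),  # 9-10: same predicate, pruned
    ("act", "drop_payload"), ("exit",),           # 11-12
]
```

Calling `mine(SAMPLE).paths()` yields three root-to-leaf paths: the satisfied user-interaction branch splits again on `is_online`, with `connect_c2` and `drop_payload` appearing only under `is_online=True`, while the unsatisfied branch and the offline branch end at `exit`. The second `is_online` check at index 9 creates no fork because its value is already fixed on that path, so `never_reached` is never added to the tree; that is the path-condition pruning the text describes. A real implementation would take the snapshot with the emulator's save-state facility and inject real input events; the deepcopy and the `[event injected]` label stand in for both here.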

The above embodiments serve only to illustrate the technical scheme of the present invention and not to limit it. Those of ordinary skill in the art may modify the technical scheme of the present invention or replace it with equivalents without departing from its spirit and scope; the scope of protection of the present invention shall be as defined by the claims.

Claims (10)

1. A method for mining hidden behaviors of malicious code, the steps of which comprise: 1) running the malicious code in a virtual environment and monitoring, instruction by instruction, the instruction information and function information executed by the malicious code; 2) determining whether the instruction information and function information executed by the malicious code contain instructions and functions related to hidden behavior paths, where the hidden behaviors comprise two kinds, delay hiding and conditional-judgment hiding; 3) if execution information related to delay hiding is detected, ending the corresponding delay behavior so that the malicious code continues to execute its subsequent instructions and functions; 4) if execution information related to conditional-judgment hiding is detected, classifying it according to the kind of conditional judgment and uncovering the possible execution paths of the malicious code by satisfying the execution conditions of its different paths; 5) representing the multi-path behavior information of the malicious code execution obtained by the completed dynamic analysis in the form of a tree, generating a malicious code behavior path tree.

2. The method of claim 1, characterized in that the delay hiding comprises two kinds: delay by calling the sleep function and delay by a loop.

3. The method of claim 1, characterized in that the conditional-judgment hiding comprises two categories, user-interaction conditions and independent condition judgments, where a user-interaction condition checks whether there is a user input event and an independent condition checks, during execution, various system and network conditions that require no human intervention.

4. The method of claim 3, characterized in that the user input events include mouse and keyboard events.

5. The method of any one of claims 1 to 3, characterized in that delay hiding is handled as follows: when a call to the sleep function is detected, the delay value is read from the stack and the hardware emulator's time is adjusted to a time after the corresponding delay so that the condition is satisfied and the malicious code goes on to execute its subsequent behavior; when a loop is detected, the transfer instruction that sends the loop's control flow back around is identified, and when that transfer instruction is executed again the corresponding flag bit of the EFLAGS register in the virtual CPU is set to its inverse, ending the loop so that the malicious code begins executing its subsequent behavior.

6. The method of any one of claims 1 to 3, characterized in that a detected conditional judgment statement is handled as follows: the condition it checks is analyzed; when a user-interaction condition judgment occurs, the corresponding system image is recorded, the mouse interface function do_mouse and the keyboard interface function do_send_key are called to send the corresponding mouse and keyboard messages so that the execution condition of the subsequent behavior is satisfied, and after this path has been analyzed execution rolls back to that image and the other path, in which the interaction is not satisfied, is analyzed; for an independent judgment condition, the judgment statement is analyzed, the current system image and the judgment condition are saved, its possible different subsequent branch paths are obtained, and after one path has been executed, execution returns to the corresponding system image and a different conditional branch is executed, thereby mining the different behavior paths the malicious code may execute.

7. The method of claim 6, characterized in that, during the analysis of independent judgment conditions, if further conditional judgment statements appear later on a path, they are analyzed level by level recursively.

8. The method of claim 7, characterized in that all conditional judgment statements on the path are saved during analysis, and when a new conditional judgment statement is produced, all the conditions on the path are evaluated together and only the genuinely potential paths that satisfy all the path conditions, that is, those arising from actually possible data, are analyzed, so as to reduce the cost spent on impossible paths.

9. The method of claim 1, characterized in that the malicious code behavior path tree is constructed as follows: the first piece of execution information of the malicious code is taken as the initial parent node to start generating the behavior tree; thereafter, each subsequent piece of executed information is added to the tree as a child node; when delay-hiding information is detected, the delay condition is marked on the corresponding execution information node and subsequent child nodes continue to be added; when a conditional judgment statement is detected, the conditional judgment information is saved in the corresponding node and different child nodes are added for the different conditions to represent the subsequent execution subtrees, that is, the corresponding node is marked after the system image is saved, and once a path has been analyzed, execution returns to that node to add the other subtrees, until execution is complete.

10. A system for mining hidden behaviors of malicious code, characterized in that it comprises:
A malicious code hiding behavior mining system, characterized in that it comprises: 硬件模拟器,用于虚拟执行环境以运行和监控恶意代码;Hardware emulators for virtual execution environments to run and monitor malicious code; 指令信息监控模块,集成在硬件模拟器的指令翻译模块中,用于在运行过程中监控并记录恶意代码执行的指令信息;The instruction information monitoring module is integrated in the instruction translation module of the hardware simulator, which is used to monitor and record the instruction information of malicious code execution during the running process; 函数信息监控模块,集成在硬件模拟器中,并连接指令信息监控记录模块,用于在恶意代码运行过程中,通过判断指令跳转和模拟内存数据监控恶意代码执行的函数信息;The function information monitoring module is integrated in the hardware simulator and connected to the instruction information monitoring and recording module, which is used to monitor the function information of malicious code execution by judging instruction jumps and simulating memory data during the running of malicious code; 条件判断分析模块,连接指令信息监控模块和函数信息监控模块,用于检测恶意代码执行的指令和函数信息中的条件判断语句;The conditional judgment analysis module is connected to the instruction information monitoring module and the function information monitoring module, and is used to detect conditional judgment statements in instructions executed by malicious code and function information; 条件输入模块,连接条件判断分析模块和硬件模拟器的虚拟执行环境,用于产生在分析过程中使代码执行不同行为路径所需要的条件输入;The conditional input module connects the conditional judgment analysis module and the virtual execution environment of the hardware simulator, and is used to generate the conditional input required to make the code execute different behavior paths during the analysis process; 运行映像模块,连接硬件模拟器的虚拟执行环境、条件判断分析模块和条件输入模块,用于记录有多种可能执行路径时执行每条路径之前的系统及代码状态映像;The running image module is connected to the virtual execution environment of the hardware simulator, the condition judgment analysis module and the condition input module, and is used to record the system and code state image before executing each path when there are multiple possible execution paths; 
行为树构建模块,连接所述指令信息监控模块、函数信息监控模块、条件分析判断模块和条件输入模块,用于根据获取的恶意代码不同行为路径构建恶意代码行为路径树。The behavior tree construction module is connected to the instruction information monitoring module, function information monitoring module, condition analysis and judgment module and condition input module, and is used to construct a malicious code behavior path tree according to different behavior paths of the obtained malicious code.
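To make the claimed procedure concrete, here is an added toy simulation in Python; it is not code from the patent. It models the sleep skipping of claim 5, the snapshot-and-branch exploration of claim 6, the recursion of claim 7, the path-constraint pruning of claim 8 and the tree of claim 9 over a constructed program; the program, its operation names and the nested-list tree shape are assumptions of this example.

```python
from copy import deepcopy

# Constructed toy program standing in for the monitored instruction/function
# stream (not real malware). ("cond", name, then_ops, else_ops) is a judgment.
PROGRAM = [
    ("act", "drop_file"),
    ("sleep", 600_000),  # delay hiding (claim 2): sleep 10 minutes first
    ("cond", "mouse_moved",  # user-interaction condition (claim 3)
     [("act", "contact_c2")], [("act", "idle")]),
    ("cond", "is_vm",  # independent condition (claim 3)
     [("act", "exit")],
     [("cond", "mouse_moved", [("act", "keylog")], [("act", "exit")])]),
]

def explore(ops, ctx):
    """Return the behavior path tree of ops. ctx holds the virtual clock and
    the condition values already forced on this path (the path constraints)."""
    tree = []
    for i, op in enumerate(ops):
        if op[0] == "act":
            tree.append(op[1])
        elif op[0] == "sleep":
            ctx["clock"] += op[1]  # claim 5: advance the emulator clock, don't wait
            tree.append(f"sleep({op[1]})[skipped]")
        elif op[0] == "cond":
            name, then_ops, else_ops = op[1:]
            rest = ops[i + 1:]  # the remainder runs after either branch
            branches = {}
            for value, body in ((True, then_ops), (False, else_ops)):
                known = ctx["conds"].get(name)
                if known is not None and known != value:
                    continue  # claim 8: contradicts an earlier judgment, skip
                image = deepcopy(ctx)  # claim 6: save the system image
                image["conds"][name] = value  # condition input forces this branch
                branches[value] = explore(body + rest, image)  # claim 7: recurse
            tree.append({"cond": name, "branches": branches})
            return tree  # the remainder was explored under each branch
    return tree

def mine(program):  # claim 9: first executed item is the root, later items hang below
    return explore(program, {"clock": 0, "conds": {}})

def paths(tree, prefix=()):
    """Flatten the tree into the distinct end-to-end behavior paths."""
    for item in tree:
        if isinstance(item, dict):
            return [p for v, sub in item["branches"].items()
                    for p in paths(sub, prefix + (f"{item['cond']}={v}",))]
        prefix += (item,)
    return [prefix]
```

Without the claim 8 pruning the second mouse_moved judgment would double the path count; with it only the four feasible paths are produced.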
CN201410058889.9A 2014-02-20 2014-02-20 A kind of malicious code hidden behaviour method for digging and system Active CN103810427B (en)


Publications (2)

Publication Number Publication Date
CN103810427A true CN103810427A (en) 2014-05-21
CN103810427B CN103810427B (en) 2016-09-21

Family

ID=50707180

Country Status (1)

Country Link
CN (1) CN103810427B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant