CN104077526B - Analysis method and analysis device for polymorphic viruses, and virus processing method and processing device - Google Patents
- Publication number: CN104077526B (application CN201410281375.XA)
- Authority: CN (China)
- Prior art keywords: polymorph, virus, instruction set, instruction, file
- Prior art date
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
  - G06F21/561—Virus type analysis
  - G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The invention discloses an analysis method and analysis device for polymorphic viruses, and a virus processing method and processing device. The analysis method for a polymorphic virus includes: infecting a target file with the polymorphic virus and taking the resulting infected file as the polymorphic virus infected file; loading the polymorphic virus infected file with an instruction set emulator; executing the polymorphic virus infected file with the instruction set emulator and obtaining the instruction set the emulator generates while executing it; and comparing a preset instruction feature with the instructions in that instruction set to obtain the decryption position. The analysis method simplifies the handling of polymorphic file-infecting viruses, reduces the workload of analysing them, and improves analysis efficiency.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an analysis method and analysis device for polymorphic viruses, and a virus processing method and processing device.
Background technology
With the development of computer technology, the variety of computer viruses keeps growing. A polymorphic file-infecting virus is a relatively complex file infector that turns a normal file into a virus file. Because a polymorphic file infector uses a polymorphic engine, the form of the code with which it infects a normal file differs from one infection to the next.
At present, identifying the encryption algorithm of a polymorphic file infector by static processing requires considerable effort, and the key or encrypted location obtained by static means usually applies only to a small number of samples, so static processing cannot handle all of the virus's encryption algorithms. Existing static processing therefore cannot be applied effectively to polymorphic file infectors; handling them is often complicated and labour-intensive.
Summary of the invention
The present invention aims to solve, at least to some extent, one of the above technical problems in the prior art.
Accordingly, an object of the present invention is to propose an analysis method and analysis device for polymorphic viruses, and a virus processing method and processing device, which have the advantages of a simple processing method and a small workload.
A first aspect of embodiments of the present invention proposes an analysis method for a polymorphic virus, including: infecting a target file with the polymorphic virus and taking the resulting infected file as the polymorphic virus infected file; loading the polymorphic virus infected file with an instruction set emulator; executing the polymorphic virus infected file with the instruction set emulator and obtaining the instruction set the emulator generates while executing it; and comparing a preset instruction feature with the instructions in the instruction set to obtain the decryption position.
In this embodiment of the invention, the polymorphic virus infected file is loaded and executed by the instruction set emulator and the instruction set generated during that execution is obtained, from which the decryption position of the infected file is obtained. No manual analysis of the polymorphic virus infection sample is needed, which simplifies the handling of polymorphic file infectors, reduces the analysis workload and improves working efficiency.
In one particular embodiment of the present invention, after the decryption position is obtained the analysis method further includes: obtaining the instruction corresponding to the decryption position; obtaining the state of the registers in the instruction set emulator when that instruction is executed; and generating the decryption key from the state of the registers in the instruction set emulator.
In one particular embodiment of the present invention, comparing the preset instruction feature with the instructions in the instruction set to obtain the decryption position specifically includes: if an instruction in the instruction set is identical to the preset instruction feature, obtaining the position corresponding to that instruction and taking it as the decryption position.
In a preferred embodiment of the invention, loading the polymorphic virus infected file with the instruction set emulator specifically includes: reading the file content of the polymorphic virus infected file; and transmitting the file content that was read to the instruction set emulator.
A second aspect of embodiments of the present invention proposes an analysis device for a polymorphic virus, including: an infected sample acquisition module, used to infect a target file with the polymorphic virus and take the resulting infected file as the polymorphic virus infected file; an instruction set emulator, used to load and execute the polymorphic virus infected file; and an instruction analysis module, used to obtain the instruction set generated by the instruction set emulator while executing the polymorphic virus infected file, and to compare a preset instruction feature with the instructions in that instruction set to obtain the decryption position.
In this embodiment of the invention, the polymorphic virus infected file is loaded and executed by the instruction set emulator and the instruction set generated during that execution is obtained, so that the decryption position of the infected file can be obtained automatically by the dynamic analysis of the instruction analysis module. No manual analysis of the polymorphic virus infection sample is needed, which simplifies the handling of polymorphic file infectors and reduces the analysis workload.
In one particular embodiment of the present invention, the instruction analysis module specifically includes: an instruction set acquisition submodule, used to obtain the instruction set generated by the instruction set emulator while executing the polymorphic virus infected file; and a comparison submodule, used for the preset instruction feature and the instructions in the instruction set
In one particular embodiment of the present invention, the instruction analysis module further includes: an instruction acquisition submodule, used to obtain the instruction corresponding to the decryption position; a register state acquisition submodule, used to obtain the state of the registers in the instruction set emulator when the instruction corresponding to the decryption position is executed; and a decryption key generation submodule, used to generate the decryption key from the state of the registers in the instruction set emulator.
In a preferred embodiment of the invention, if an instruction in the instruction set is identical to the preset instruction feature, the instruction analysis module obtains the position corresponding to that instruction and takes it as the decryption position.
In one particular embodiment of the present invention, the analysis device for a polymorphic virus further includes a preprocessing module, used to read the file content of the polymorphic virus infected file and transmit the file content that was read to the instruction set emulator.
A third aspect of embodiments of the present invention proposes a virus processing method, including: obtaining a polymorphic virus infected file; loading the polymorphic virus infected file with an instruction set emulator; executing the polymorphic virus infected file with the instruction set emulator and obtaining the instruction set the emulator generates while executing it; comparing a preset instruction feature with the instructions in the instruction set to obtain the decryption position; and repairing the polymorphic virus infected file according to the decryption position.
In this embodiment of the invention, the polymorphic virus infected file is loaded and executed by the instruction set emulator and the instruction set generated during that execution is obtained, from which the decryption position of the infected file is obtained. No manual analysis of the polymorphic virus infection sample is needed, which simplifies the handling of polymorphic file infectors.
In a preferred embodiment of the invention, after the decryption position is obtained the virus processing method further includes: obtaining the instruction corresponding to the decryption position; obtaining the state of the registers in the instruction set emulator when that instruction is executed; and generating the decryption key from the state of the registers in the instruction set emulator.
In one particular embodiment of the present invention, comparing the preset instruction feature with the instructions in the instruction set to obtain the decryption position specifically includes: if an instruction in the instruction set is identical to the preset instruction feature, obtaining the position corresponding to that instruction and taking it as the decryption position.
In a preferred embodiment of the invention, loading the polymorphic virus infected file with the instruction set emulator specifically includes: reading the file content of the polymorphic virus infected file; and transmitting the file content that was read to the instruction set emulator.
In one particular embodiment of the present invention, repairing the polymorphic virus infected file according to the decryption position specifically includes: executing, by the instruction set emulator, the decryption key on the infected code corresponding to the decryption position in the polymorphic virus infected file, to obtain the normal code corresponding to that infected code; sending the polymorphic virus infected file and the normal code to a cleaning engine; and repairing, by the cleaning engine, the file at the decryption position with the normal code, and removing the virus code from the polymorphic virus infected file.
A fourth aspect of embodiments of the present invention proposes a virus processing device, including: an infected sample acquisition module, an instruction set emulator, an instruction analysis module and a cleaning engine. The infected sample acquisition module is used to infect a target file with the polymorphic virus and take the resulting infected file as the polymorphic virus infected file; the instruction set emulator is used to load the polymorphic virus infected file and execute the polymorphic infection sample; the instruction analysis module is used to obtain the instruction set generated by the instruction set emulator while executing the polymorphic virus infected file, and to compare a preset instruction feature with the instructions in that instruction set to obtain the decryption position; and the cleaning engine is used to repair the polymorphic virus infected file according to the decryption position.
In this embodiment of the invention, the polymorphic virus infected file is loaded and executed by the instruction set emulator and the instruction set generated during that execution is obtained, so that the decryption position of the infected file can be obtained automatically by the dynamic analysis of the instruction analysis module. No manual analysis of the polymorphic virus infection sample is needed, which simplifies the handling of polymorphic file infectors.
In a preferred embodiment of the invention, the instruction analysis module specifically includes: an instruction set acquisition submodule, used to obtain the instruction set generated by the instruction set emulator while executing the polymorphic virus infected file; and a comparison submodule, used to compare the preset instruction feature with the instructions in the instruction set to obtain the decryption position.
In a preferred embodiment of the invention, the instruction analysis module further includes: an instruction acquisition submodule, used to obtain the instruction corresponding to the decryption position; a register state acquisition submodule, used to obtain the state of the registers in the instruction set emulator when the instruction corresponding to the decryption position is executed; and a decryption key generation submodule, used to generate the decryption key from the state of the registers in the instruction set emulator.
In one particular embodiment of the present invention, if an instruction in the instruction set is identical to the preset instruction feature, the instruction analysis module obtains the position corresponding to that instruction and takes it as the decryption position.
In one particular embodiment of the present invention, the instruction set emulator further includes: a sample reading module, used to read the file content of the polymorphic virus infected file and transmit the file content that was read to the instruction set emulator; and a sample execution module, used to receive the file content of the polymorphic virus infected file, execute it, and execute the decryption key to obtain the normal code corresponding to the infected part of the target file.
In a preferred embodiment of the invention, the cleaning engine specifically includes: an information receiving module, used to receive the polymorphic virus infected file and the normal code; a code replacement module, used to replace the code of the infected part of the target file with the normal code; and a virus cleaning module, used to remove the replaced virus code.
Brief description of the drawings
Fig. 1 is a flow chart of the analysis method for a polymorphic virus according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the analysis device for a polymorphic virus according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the virus processing device according to an embodiment of the present invention;
Fig. 4 is a flow chart of the virus processing method according to an embodiment of the present invention;
Fig. 5 is a schematic flow diagram of the polymorphic virus analysis performed by the virus processing device according to an embodiment of the present invention; and
Fig. 6 is a schematic flow diagram of the cleaning engine of the virus processing device repairing the polymorphic virus infected file according to an embodiment of the present invention.
Embodiments
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements, or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary and intended to explain the invention; they are not to be construed as limiting it.
In the description of the invention, "multiple" means two or more unless specifically defined otherwise. In addition, those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the particular situation.
The analysis method and analysis device for polymorphic viruses, and the virus processing method and processing device, proposed according to embodiments of the present invention are described below with reference to the accompanying drawings.
Fig. 1 is a flow chart of the analysis method for a polymorphic virus according to an embodiment of the present invention.
As shown in Fig. 1, in one embodiment of the invention the analysis method for a polymorphic virus includes:
S101, infecting a target file with the polymorphic virus, and taking the resulting infected file as the polymorphic virus infected file.
In this embodiment of the invention, the detected polymorphic virus is opened and read, the target file is infected with it, and an analysable portable executable file (a Portable Executable file, PE file for short) is thereby obtained, namely the polymorphic virus infected file.
S102, loading the polymorphic virus infected file with the instruction set emulator. In one particular embodiment of the present invention, loading the polymorphic virus infected file with the instruction set emulator specifically includes: reading the file content of the polymorphic virus infected file, and transmitting the file content that was read to the instruction set emulator.
S103, executing the polymorphic virus infected file with the instruction set emulator, and obtaining the instruction set the emulator generates while executing it. Specifically, after the instruction set emulator receives the file content of the polymorphic virus infected file, it parses the file and simulates execution of its code.
S104, comparing a preset instruction feature with the instructions in the instruction set to obtain the decryption position. Here the location at which the virus encrypts and the decryption position used to repair the polymorphic virus infected file are the same, and both lie within the polymorphic virus infected file. Specifically, if an instruction in the instruction set is identical to the preset instruction feature, the position corresponding to that instruction is obtained and taken as the decryption position.
Specifically, in one particular embodiment of the present invention, the decryption code of a polymorphic virus takes a polymorphic form and the decryption algorithm of the virus is random. Therefore, after the polymorphic virus infected file has been parsed and executed, the preset instruction feature is compared with the instructions in the instruction set to determine the required decryption information; for example, the feature of the polymorphic virus infected file is the same once the decryption function has run. Specifically, the code at the end of the decryption routine of the polymorphic virus infected file is fixed, so a feature can be extracted from it. The decryption position of the polymorphic virus infected file can therefore be obtained, along with the state of each register while the infected file is executed, and from these the decryption information is obtained.
In this embodiment of the invention, the polymorphic virus infected file is loaded and executed by the instruction set emulator and the instruction set generated during that execution is obtained, so that the decryption position of the infected file can be obtained automatically by the dynamic analysis of the instruction analysis module. No manual analysis of the polymorphic virus infection sample is needed, which simplifies the handling of polymorphic file infectors, reduces the analysis workload and improves working efficiency.
In addition, in one particular embodiment of the present invention, after the decryption position is obtained the analysis method for a polymorphic virus further includes: obtaining the instruction corresponding to the decryption position; obtaining the state of the registers in the instruction set emulator when that instruction is executed; and generating the decryption key from the state of the registers in the instruction set emulator.
In this embodiment of the invention, the polymorphic virus infected file is loaded and executed by the instruction set emulator and the instruction set generated during that execution is obtained, so that the decryption position of the infected file can be obtained automatically by the dynamic analysis of the instruction analysis module. No manual analysis of the polymorphic virus infection sample is needed, which simplifies the handling of polymorphic file infectors and reduces the analysis workload.
Fig. 2 is a schematic structural diagram of the analysis device for a polymorphic virus according to an embodiment of the present invention.
As shown in Fig. 2, in one particular embodiment of the present invention the analysis device for a polymorphic virus includes: an infected sample acquisition module 10, a preprocessing module 20, an instruction set emulator 30 and an instruction analysis module 40. The infected sample acquisition module 10 is used to infect a target file a with the polymorphic virus and to take the resulting infected file as the polymorphic virus infected file b. The preprocessing module 20 is used to read the file content of the polymorphic virus infected file b and transmit the file content that was read to the instruction set emulator 30. The instruction set emulator 30 is used to load the polymorphic virus infected file b and execute it. The instruction analysis module 40 is used to obtain the instruction set c generated by the instruction set emulator 30 while executing the polymorphic virus infected file b, and to compare the preset instruction feature with the instructions in instruction set c to obtain the decryption position d.
As shown in Fig. 2 in a preferred embodiment of the invention, Instruction set simulator 30 specifically includes:Sample reads mould
Block 301 and sample execution module 302.Wherein, the sample read module 301 is used for the text for reading Polymorph virus infected file b
Part content.Sample execution module 302 is used for the file content for receiving Polymorph virus infected file b, and performs Polymorph virus infection
File b file content, and decruption key f is performed to obtain normal code corresponding to file destination a infected part.
In this embodiment of the invention, because the decryption position of the polymorphic virus infected file b is not fixed, the decryption algorithm used differs from sample to sample; the file cannot be repaired by a common static analysis method or by a general algorithm, and can only be decrypted by running the polymorphic virus infected file b.
As shown in Fig. 2 in one particular embodiment of the present invention, instruction analysis module 40 specifically includes:Instruction set obtains
Take submodule 401, comparison sub-module 402, instruction acquisition submodule 403, buffer status acquisition submodule 404 and decryption close
Key generates submodule 405.Wherein, instruction set acquisition submodule 401 is used to obtain Instruction set simulator 30 in execution Polymorph virus sense
Contaminate the instruction set c generated during file b.Comparison sub-module 402 is used to carry out the instruction in preset instructions feature and instruction set c
Compare, to obtain decrypted positions d.Instruction acquisition submodule 403, which is used to obtain corresponding to decrypted positions d, to be instructed.Buffer status
Acquisition submodule 404 is used to obtain the state e for performing register in Instruction set simulator 30 when instructing corresponding to decrypted positions d.Solution
Key generation submodule 405 is used to generate decruption key f according to the state e of register in Instruction set simulator 30.Due to instruction
Emulator 30 can be with load operating Polymorph virus infected file b, and calculating simulation every needs the instruction that performs, so polymorphic
The state e of each register of Instruction set simulator 30 when viral infected file b each instruction and execute instruction all may be used
To obtain.Meanwhile during Instruction set simulator 30 performs Polymorph virus infected file b, it can dynamically decrypt and perform and added
Close file destination a.
Preferably, in one embodiment of the invention, if an instruction in instruction set c is identical to the preset instruction feature, the instruction analysis module 401 obtains the position corresponding to that instruction and takes it as the decryption position d.
Fig. 3 is a schematic structural diagram of the virus processing device according to an embodiment of the present invention.
As shown in Fig. 3, in one particular embodiment of the present invention the virus processing device includes: an infected sample acquisition module 10, a preprocessing module 20, an instruction set emulator 30, an instruction analysis module 40 and a cleaning engine 50. The infected sample acquisition module 10 is used to infect a target file a with the polymorphic virus and to take the resulting infected file as the polymorphic virus infected file b. The preprocessing module 20 is used to read the file content of the polymorphic virus infected file b and transmit the file content that was read to the instruction set emulator 30. The instruction set emulator 30 is used to load the polymorphic virus infected file b and execute it. The instruction analysis module 40 is used to obtain the instruction set c generated by the instruction set emulator 30 while executing the polymorphic virus infected file b, and to compare the preset instruction feature with the instructions in instruction set c to obtain the decryption position d. The cleaning engine 50 is used according to the decryption position d.
As shown in Fig. 3, in a preferred embodiment of the invention the instruction set emulator 30 specifically includes a sample reading module 301 and a sample execution module 302. The sample reading module 301 is used to read the file content of the polymorphic virus infected file b. The sample execution module 302 is used to receive the file content of the polymorphic virus infected file b, execute it, and execute the decryption key f to obtain the normal code corresponding to the infected part of the target file a.
As shown in Fig. 3, in one particular embodiment of the present invention the instruction analysis module 40 specifically includes: an instruction set acquisition submodule 401, a comparison submodule 402, an instruction acquisition submodule 403, a register state acquisition submodule 404 and a decryption key generation submodule 405. The instruction set acquisition submodule 401 is used to obtain the instruction set c generated by the instruction set emulator 30 while executing the polymorphic virus infected file b. The comparison submodule 402 is used to compare the preset instruction feature with the instructions in instruction set c to obtain the decryption position d. The instruction acquisition submodule 403 is used to obtain the instruction corresponding to the decryption position d. The register state acquisition submodule 404 is used to obtain the state e of the registers in the instruction set emulator 30 when the instruction corresponding to the decryption position d is executed. The decryption key generation submodule 405 is used to generate the decryption key f from the register state e of the instruction set emulator 30.
As shown in Fig. 3, in one embodiment of the invention the cleaning engine 50 specifically includes: an information receiving module 501, a code replacement module 502 and a virus cleaning module 503. In this embodiment of the invention, the information receiving module 501 is used to receive the polymorphic virus infected file b and the normal code g. The code replacement module 502 is used to replace the code of the infected part of the target file a with the normal code g. The virus cleaning module 503 is used to remove the replaced virus code.
Preferably, in one embodiment of the invention, if an instruction in instruction set c is identical to the preset instruction feature, the instruction analysis module 401 obtains the position corresponding to that instruction and takes it as the decryption position d.
Fig. 4 is a flow chart of the virus processing method according to an embodiment of the present invention.
As shown in Fig. 4, in one particular embodiment of the present invention the virus processing method includes:
S201, obtain Polymorph virus infected file.
S202, Polymorph virus infected file is loaded by Instruction set simulator.In this embodiment of the invention, S202 is specific
Including:Read the file content of Polymorph virus infected file;And the file content by the Polymorph virus infected file read
Transmit to Instruction set simulator.
S203, Polymorph virus infected file is performed by Instruction set simulator, and obtain Instruction set simulator and performing polymorphic disease
The instruction set generated during malicious infected file.
S204, by preset instructions feature compared with the instruction in instruction set, to obtain decrypted positions.The present invention's
In the embodiment, if the instruction in instruction set is identical with preset instructions feature, acquisition refers to preset instructions feature identical
Position corresponding to order, and using position as decrypted positions.In addition, in the present embodiment, after decrypted positions are obtained, the virus
Processing method also includes:Obtain and instructed corresponding to decrypted positions;Obtain and perform Instruction set simulator when being instructed corresponding to decrypted positions
The state of middle register;Decruption key is generated according to the state of register in Instruction set simulator.
S205, Polymorph virus infected file is repaired according to decrypted positions.In this embodiment of the invention, S205 is specifically wrapped
Include:Decruption key is performed to obtain to being infected code corresponding to decrypted positions in Polymorph virus infected file by Instruction set simulator
Take normal code corresponding to the infected code of Polymorph virus infected file;Polymorph virus infected file and normal code are sent
To cleaning engine;And by clearing up engine using normal code reparation in decrypted positions, and remove Polymorph virus infected file
Viral code.
Fig. 5 is a schematic flow diagram of the polymorphic virus analysis performed by the virus processing apparatus according to an embodiment of the present invention, and Fig. 6 is a schematic flow diagram of the cleaning engine of the virus processing apparatus according to an embodiment of the present invention repairing the polymorphic-virus-infected file.
As shown in Fig. 5 and Fig. 6, in one particular embodiment of the present invention, after polymorphic-virus-infected file b is obtained, it is transferred to instruction set simulator 30. Instruction set simulator 30 then executes polymorphic-virus-infected file b, and the instruction set c that instruction set simulator 30 generates while executing polymorphic-virus-infected file b is obtained. Decryption position d is obtained from instruction set c, and the associated decryption information, such as the decryption key, is obtained from decryption position d. Finally, polymorphic-virus-infected file b and the decryption information obtained during execution in simulator 30 are transmitted to cleaning engine 50. Cleaning engine 50 repairs the decrypted normal code into its corresponding position and removes the remaining virus code, so that polymorphic-virus-infected file b is repaired. Specifically, although neither the decryption algorithm nor the decryption position of polymorphic-virus-infected file b is fixed, the execution process of polymorphic-virus-infected file b is detectable. Because the code that the execution process actually runs is single, the process can still be detected by instruction analysis module 40 even when junk instructions have been added to polymorphic-virus-infected file b for obfuscation. During the execution of polymorphic-virus-infected file b, the position of the infected normal code is detected, and by detecting instruction features the position and length of the code after infection are obtained. Using that position and length, the normal code is copied to the position corresponding to the infected normal code, thereby repairing target file a.
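As an added example that is not the patent's own code (the toy ISA, its opcodes and register names, the preset feature and the constructed sample are all assumptions of this example), the following Python script walks through S202 to S205 above and the Fig. 5/Fig. 6 flow on a constructed sample: a small instruction set simulator records the generated instruction set, a preset instruction feature locates the decryption position even when junk NOPs shift it, the register state at that position yields the key plus the position and length of the infected region, and the normal code is written back over the infected part while the decryptor stub is dropped.

```python
"""Added example (not the patent's own code): a toy instruction-set simulator
standing in for instruction set simulator 30. It executes a constructed
polymorphic-style sample (decryptor stub + XOR-encrypted original code), records
the generated instruction set, finds the decryption position by matching a
preset instruction feature, snapshots the register state there to recover the
key and the infected region, and repairs the file by restoring the original code."""
from dataclasses import dataclass, field

# Toy ISA (an assumption of this example): instructions are (op, a, b); registers r0..r3.
HALT, MOV, ADD, SUB, XORM, JNZ, NOP = "HALT", "MOV", "ADD", "SUB", "XORM", "JNZ", "NOP"
PRESET_FEATURE = XORM  # preset instruction feature: in-place XOR of memory with a register


@dataclass
class Sim:
    stub: list                      # decryptor instructions (the virus body)
    mem: bytearray                  # file image that the stub decrypts in place
    regs: dict = field(default_factory=lambda: {"r0": 0, "r1": 0, "r2": 0, "r3": 0})
    trace: list = field(default_factory=list)  # instruction set c: (pc, instr, regs before)

    def run(self, max_steps=10000):
        pc = 0
        while 0 <= pc < len(self.stub) and max_steps > 0:
            max_steps -= 1
            op, a, b = self.stub[pc]
            self.trace.append((pc, (op, a, b), dict(self.regs)))  # register state e at pc
            if op == HALT:
                break
            if op == MOV:
                self.regs[a] = b
            elif op == ADD:
                self.regs[a] += b
            elif op == SUB:
                self.regs[a] -= b
            elif op == XORM:                    # decrypt one byte: mem[r_a] ^= r_b
                self.mem[self.regs[a]] ^= self.regs[b]
            elif op == JNZ and self.regs[a] != 0:
                pc = b
                continue
            pc += 1
        return self.trace


def build_infected_sample(original: bytes, key: int, junk: int):
    """Constructed sample (not a real virus): XOR-encrypt the original code and prepend a
    decryptor stub; 'junk' NOPs are interleaved so the decryption position varies."""
    enc = bytes(c ^ key for c in original)
    pad = [(NOP, None, None)] * junk
    stub = [(MOV, "r0", 0), (MOV, "r1", key), (MOV, "r2", len(original))] + pad
    stub += [(XORM, "r0", "r1"), (ADD, "r0", 1), (SUB, "r2", 1)] + pad
    stub += [(JNZ, "r2", 3 + junk), (HALT, None, None)]  # loop back to the XORM
    return stub, enc


def find_decrypt_position(trace):
    """Comparison submodule 402: first traced instruction identical to the preset feature."""
    for pc, instr, regs in trace:
        if instr[0] == PRESET_FEATURE:
            return pc, instr, regs           # decryption position d, its instruction, state e
    return None


def analyze_and_repair(stub, infected: bytes):
    """S202 to S205 for one sample; returns None when no decryption loop is observed."""
    sim = Sim(stub, bytearray(infected))     # load and execute the infected file
    hit = find_decrypt_position(sim.run())
    if hit is None:
        return None
    d, (_, addr_reg, key_reg), e = hit
    # Key f and infected region from state e; the loop counter r2 giving the length is an
    # assumption of this toy ISA.
    key, start, length = e[key_reg], e[addr_reg], e["r2"]
    normal = bytes(sim.mem[start:start + length])  # normal code g as decrypted by the simulator
    if normal != bytes(c ^ key for c in infected[start:start + length]):
        raise ValueError("recovered key does not reproduce the simulator's decryption")
    repaired = bytearray(infected)
    repaired[start:start + length] = normal  # cleaning engine: replace the infected part;
    return {"position": d, "key": key, "start": start, "length": length,
            "repaired": bytes(repaired)}    # the decryptor stub is not carried over (virus code removed)
```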
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" and the like means that a specific feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms need not refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in one or more embodiments or examples. In addition, those skilled in the art may join and combine the different embodiments or examples described in this specification.
Although embodiments of the invention have been shown and described above, it is to be understood that the above embodiments are exemplary and shall not be interpreted as limiting the present invention; one of ordinary skill in the art may change, modify, replace and vary the above embodiments within the scope of the invention.
Claims (17)
- 1. A method of analyzing a polymorphic virus, characterized in that it includes: infecting a target file with the polymorphic virus, and taking the obtained infected file as a polymorphic-virus-infected file; loading the polymorphic-virus-infected file with an instruction set simulator; executing the polymorphic-virus-infected file with the instruction set simulator, and obtaining the instruction set that the instruction set simulator generates while executing the polymorphic-virus-infected file; and comparing a preset instruction feature with the instructions in the instruction set to obtain a decryption position; wherein the virus encryption position is identical to the decryption position used for repairing the polymorphic-virus-infected file; and wherein comparing the preset instruction feature with the instructions in the instruction set to obtain the decryption position specifically includes: if an instruction in the instruction set is identical to the preset instruction feature, obtaining the position corresponding to the instruction that is identical to the preset instruction feature, and taking that position as the decryption position.
- 2. The method of analyzing a polymorphic virus as claimed in claim 1, characterized in that, after the decryption position is obtained, it further includes: obtaining the instruction corresponding to the decryption position; obtaining the state of the registers in the instruction set simulator when the instruction corresponding to the decryption position is executed; and generating a decryption key from the state of the registers in the instruction set simulator.
- 3. The method of analyzing a polymorphic virus as claimed in claim 1, characterized in that loading the polymorphic-virus-infected file with the instruction set simulator specifically includes: reading the file content of the polymorphic-virus-infected file; and transmitting the file content that was read to the instruction set simulator.
- 4. An apparatus for analyzing a polymorphic virus, characterized in that it includes: an infection sample acquisition module, which infects a target file with the polymorphic virus and takes the obtained infected file as a polymorphic-virus-infected file; an instruction set simulator, which loads the polymorphic-virus-infected file and executes the polymorphic-virus-infected file; and an instruction analysis module, which obtains the instruction set that the instruction set simulator generates while executing the polymorphic-virus-infected file and compares a preset instruction feature with the instructions in the instruction set to obtain a decryption position; wherein the virus encryption position is identical to the decryption position used for repairing the polymorphic-virus-infected file; and wherein, if an instruction in the instruction set is identical to the preset instruction feature, the instruction analysis module obtains the position corresponding to the instruction that is identical to the preset instruction feature and takes that position as the decryption position.
- 5. The apparatus for analyzing a polymorphic virus as claimed in claim 4, characterized in that the instruction analysis module specifically includes: an instruction set acquisition submodule, which obtains the instruction set that the instruction set simulator generates while executing the polymorphic-virus-infected file; and a comparison submodule, which compares the preset instruction feature with the instructions in the instruction set to obtain the decryption position.
- 6. The apparatus for analyzing a polymorphic virus as claimed in claim 4, characterized in that the instruction analysis module further includes: an instruction acquisition submodule, which obtains the instruction corresponding to the decryption position; a register state acquisition submodule, which obtains the state of the registers in the instruction set simulator when the instruction corresponding to the decryption position is executed; and a decryption key generation submodule, which generates a decryption key from the state of the registers in the instruction set simulator.
- 7. The apparatus for analyzing a polymorphic virus as claimed in claim 4, characterized in that it further includes: a preprocessing module, which reads the file content of the polymorphic-virus-infected file and transmits the file content that was read to the instruction set simulator.
- 8. A virus processing method, characterized in that it includes: obtaining a polymorphic-virus-infected file; loading the polymorphic-virus-infected file with an instruction set simulator; executing the polymorphic-virus-infected file with the instruction set simulator, and obtaining the instruction set that the instruction set simulator generates while executing the polymorphic-virus-infected file; comparing a preset instruction feature with the instructions in the instruction set to obtain a decryption position; and repairing the polymorphic-virus-infected file according to the decryption position; wherein the virus encryption position is identical to the decryption position used for repairing the polymorphic-virus-infected file; and wherein comparing the preset instruction feature with the instructions in the instruction set to obtain the decryption position specifically includes: if an instruction in the instruction set is identical to the preset instruction feature, obtaining the position corresponding to the instruction that is identical to the preset instruction feature, and taking that position as the decryption position.
- 9. The virus processing method as claimed in claim 8, characterized in that, after the decryption position is obtained, it further includes: obtaining the instruction corresponding to the decryption position; obtaining the state of the registers in the instruction set simulator when the instruction corresponding to the decryption position is executed; and generating a decryption key from the state of the registers in the instruction set simulator.
- 10. The virus processing method as claimed in claim 8, characterized in that loading the polymorphic-virus-infected file with the instruction set simulator specifically includes: reading the file content of the polymorphic-virus-infected file; and transmitting the file content that was read to the instruction set simulator.
- 11. The virus processing method as claimed in claim 8, characterized in that repairing the polymorphic-virus-infected file according to the decryption position specifically includes: executing the decryption key, by means of the instruction set simulator, on the infected code corresponding to the decryption position in the polymorphic-virus-infected file, so as to obtain the normal code corresponding to the infected code of the polymorphic-virus-infected file; sending the polymorphic-virus-infected file and the normal code to a cleaning engine; and having the cleaning engine repair the decryption position with the normal code and remove the virus code of the polymorphic-virus-infected file.
- 12. A virus processing apparatus, characterized in that it includes: an infection sample acquisition module, an instruction set simulator, an instruction analysis module and a cleaning engine, wherein the infection sample acquisition module infects a target file with the polymorphic virus and takes the obtained infected file as a polymorphic-virus-infected file; the instruction set simulator loads the polymorphic-virus-infected file and executes the polymorphic-virus-infected file; the instruction analysis module obtains the instruction set that the instruction set simulator generates while executing the polymorphic-virus-infected file and compares a preset instruction feature with the instructions in the instruction set to obtain a decryption position; and the cleaning engine repairs the polymorphic-virus-infected file according to the decryption position; wherein the virus encryption position is identical to the decryption position used for repairing the polymorphic-virus-infected file; and wherein, if an instruction in the instruction set is identical to the preset instruction feature, the instruction analysis module obtains the position corresponding to the instruction that is identical to the preset instruction feature and takes that position as the decryption position.
- 13. The virus processing apparatus as claimed in claim 12, characterized in that the instruction analysis module specifically includes: an instruction set acquisition submodule, which obtains the instruction set that the instruction set simulator generates while executing the polymorphic-virus-infected file; and a comparison submodule, which compares the preset instruction feature with the instructions in the instruction set to obtain the decryption position.
- 14. The virus processing apparatus as claimed in claim 12, characterized in that the instruction analysis module further includes: an instruction acquisition submodule, which obtains the instruction corresponding to the decryption position; a register state acquisition submodule, which obtains the state of the registers in the instruction set simulator when the instruction corresponding to the decryption position is executed; and a decryption key generation submodule, which generates a decryption key from the state of the registers in the instruction set simulator.
- 15. The virus processing apparatus as claimed in claim 12, characterized in that it further includes: a preprocessing module, which reads the file content of the polymorphic-virus-infected file and transmits the file content that was read to the instruction set simulator.
- 16. The virus processing apparatus as claimed in claim 12, characterized in that the instruction set simulator further includes: a sample reading module, which reads the file content of the polymorphic-virus-infected file; and a sample execution module, which receives the file content of the polymorphic-virus-infected file, executes the file content of the polymorphic-virus-infected file, and executes the decryption key to obtain the normal code corresponding to the infected part of the target file.
- 17. The virus processing apparatus as claimed in claim 12, characterized in that the cleaning engine specifically includes: an information receiving module, which receives the polymorphic-virus-infected file and the normal code; a code replacement module, which replaces the infected part of the code of the target file with the normal code; and a virus cleaning module, which removes the virus code that has been replaced.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410281375.XA CN104077526B (en) | 2014-06-20 | 2014-06-20 | The analysis method and analytical equipment and treatment method of virus and processing unit of Polymorph virus |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104077526A CN104077526A (en) | 2014-10-01 |
CN104077526B true CN104077526B (en) | 2018-03-06 |
Family
ID=51598776
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410281375.XA Active CN104077526B (en) | 2014-06-20 | 2014-06-20 | The analysis method and analytical equipment and treatment method of virus and processing unit of Polymorph virus |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104077526B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107038375A (en) * | 2017-03-22 | 2017-08-11 | 国家计算机网络与信息安全管理中心 | A kind of decryption method and system for obtaining infected host program |
CN107231360A (en) * | 2017-06-08 | 2017-10-03 | 上海斐讯数据通信技术有限公司 | Network virus protection method, safe wireless router and system based on cloud network |
WO2019071513A1 (en) * | 2017-10-12 | 2019-04-18 | 深圳传音通讯有限公司 | Data encryption method and data encryption system for intelligent terminal |
CN112784270A (en) * | 2021-01-18 | 2021-05-11 | 仙境文化传媒(武汉)有限公司 | System and method for loading code file by annotation mode |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102867144A (en) * | 2012-09-06 | 2013-01-09 | 北京奇虎科技有限公司 | Method and device for detecting and removing computer viruses |
CN102985928A (en) * | 2010-07-13 | 2013-03-20 | F-赛酷公司 | Identifying polymorphic malware |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB0513375D0 (en) * | 2005-06-30 | 2005-08-03 | Retento Ltd | Computer security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20181210. Address after: 519030 Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province. Patentee after: Zhuhai Seal Interest Technology Co., Ltd. Address before: 519070, six level 601F, 10 main building, science and technology road, Tangjia Bay Town, Zhuhai, Guangdong. Patentee before: Zhuhai Juntian Electronic Technology Co.,Ltd. |