CN104077526B - Analysis method and analysis device for polymorphic viruses, and virus processing method and processing device

Info

Publication number: CN104077526B
Application number: CN201410281375.XA
Authority: CN (China)
Prior art keywords: polymorph, virus, instruction set, instruction, file
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN104077526A (en)
Inventors: 薛小昊, 姚辉
Current assignee (as listed): Zhuhai Seal Interest Technology Co Ltd
Original assignee: Zhuhai Juntian Electronic Technology Co Ltd

Events:
- Application filed by Zhuhai Juntian Electronic Technology Co Ltd
- Priority to CN201410281375.XA
- Publication of CN104077526A
- Application granted
- Publication of CN104077526B
- Legal status: Active (current)
- Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention discloses an analysis method and analysis device for polymorphic viruses, and a virus processing method and processing device. The analysis method for a polymorphic virus includes: infecting a target file with the polymorphic virus and taking the resulting infected file as the polymorphic-virus-infected file; loading the polymorphic-virus-infected file with an instruction set simulator; executing the polymorphic-virus-infected file with the instruction set simulator and obtaining the instruction set that the simulator generates while executing it; and comparing a preset instruction feature with the instructions in that instruction set to obtain the decryption position. The analysis method simplifies the processing of polymorphic file-infecting viruses, reduces the workload of analyzing them, and improves analysis efficiency.

Description

Analysis method and analysis device for polymorphic viruses, and virus processing method and processing device
Technical field
The present invention relates to the field of computer technology, and in particular to an analysis method and analysis device for polymorphic viruses, and a virus processing method and processing device.
Background technology
With the development of computer technology, the kinds of computer viruses are also increasing. Polymorphic file-infecting viruses are a relatively complex class of file-infecting virus that can turn a normal file into a virus file. Because a polymorphic file-infecting virus uses a polymorphic engine, each time it infects a normal file the form of the code it inserts into that file is different.
At present, identifying every encryption algorithm of a polymorphic file-infecting virus by static processing requires a large amount of work, and the keys or encryption positions obtained by static processing are usually applicable only to a narrow range of samples, so they cannot cover all the encryption algorithms of the virus. Existing static processing therefore cannot be applied effectively to polymorphic file-infecting viruses: the processing is often complex and the workload is large.
Summary of the invention
The present invention aims to solve at least one of the above technical problems of the prior art to some extent.
Therefore, an object of the present invention is to propose an analysis method and analysis device for polymorphic viruses, and a virus processing method and processing device, which have the advantages of a simple processing method and a small workload.
A first aspect of the embodiments of the present invention proposes an analysis method for a polymorphic virus, including: infecting a target file with the polymorphic virus and taking the resulting infected file as the polymorphic-virus-infected file; loading the polymorphic-virus-infected file with an instruction set simulator; executing the polymorphic-virus-infected file with the instruction set simulator and obtaining the instruction set that the simulator generates while executing it; and comparing a preset instruction feature with the instructions in the instruction set to obtain the decryption position.
In the embodiments of the present invention, the polymorphic-virus-infected file is loaded and executed by the instruction set simulator, the instruction set generated by the simulator during execution is obtained, and the decryption position of the infected file is derived from it. No manual analysis of the polymorphic-virus infection sample is needed, which simplifies the processing of polymorphic file-infecting viruses, reduces the workload of analyzing them, and improves work efficiency.
In a specific embodiment of the present invention, after the decryption position is obtained, the analysis method further includes: obtaining the instruction corresponding to the decryption position; obtaining the state of the registers in the instruction set simulator when that instruction is executed; and generating the decryption key from the state of the registers in the instruction set simulator.
In a specific embodiment of the present invention, comparing the preset instruction feature with the instructions in the instruction set to obtain the decryption position specifically includes: if an instruction in the instruction set is identical to the preset instruction feature, obtaining the position corresponding to that instruction and taking it as the decryption position.
In a preferred embodiment of the present invention, loading the polymorphic-virus-infected file with the instruction set simulator specifically includes: reading the file content of the polymorphic-virus-infected file; and transmitting the file content that was read to the instruction set simulator.
A second aspect of the embodiments of the present invention proposes an analysis device for a polymorphic virus, including: an infection sample acquisition module, used to infect a target file with the polymorphic virus and take the resulting infected file as the polymorphic-virus-infected file; an instruction set simulator, used to load and execute the polymorphic-virus-infected file; and an instruction analysis module, used to obtain the instruction set generated by the instruction set simulator while executing the polymorphic-virus-infected file and to compare a preset instruction feature with the instructions in that instruction set to obtain the decryption position.
In the embodiments of the present invention, the polymorphic-virus-infected file is loaded and executed by the instruction set simulator and the instruction set generated during execution is obtained, so that the decryption position of the infected file can be obtained automatically through the dynamic analysis of the instruction analysis module, without manual analysis of the infection sample. This simplifies the processing of polymorphic file-infecting viruses and reduces the workload of analyzing them.
In a specific embodiment of the present invention, the instruction analysis module specifically includes: an instruction set acquisition submodule, used to obtain the instruction set generated by the instruction set simulator while executing the polymorphic-virus-infected file; and a comparison submodule, used to compare the preset instruction feature with the instructions in the instruction set to obtain the decryption position.
In a specific embodiment of the present invention, the instruction analysis module further includes: an instruction acquisition submodule, used to obtain the instruction corresponding to the decryption position; a register state acquisition submodule, used to obtain the state of the registers in the instruction set simulator when the instruction corresponding to the decryption position is executed; and a decryption key generation submodule, used to generate the decryption key from the state of the registers in the instruction set simulator.
In a preferred embodiment of the present invention, if an instruction in the instruction set is identical to the preset instruction feature, the instruction analysis module obtains the position corresponding to that instruction and takes it as the decryption position.
In a specific embodiment of the present invention, the analysis device further includes a preprocessing module, used to read the file content of the polymorphic-virus-infected file and transmit the content that was read to the instruction set simulator.
A third aspect of the embodiments of the present invention proposes a virus processing method, including: obtaining a polymorphic-virus-infected file; loading the polymorphic-virus-infected file with an instruction set simulator; executing the polymorphic-virus-infected file with the instruction set simulator and obtaining the instruction set that the simulator generates while executing it; comparing a preset instruction feature with the instructions in the instruction set to obtain the decryption position; and repairing the polymorphic-virus-infected file according to the decryption position.
In the embodiments of the present invention, the polymorphic-virus-infected file is loaded and executed by the instruction set simulator, the instruction set generated during execution is obtained, and the decryption position of the infected file is derived from it, so no manual analysis of the infection sample is needed, which simplifies the processing of polymorphic file-infecting viruses.
In a preferred embodiment of the present invention, after the decryption position is obtained, the virus processing method further includes: obtaining the instruction corresponding to the decryption position; obtaining the state of the registers in the instruction set simulator when that instruction is executed; and generating the decryption key from the state of the registers in the instruction set simulator.
In a specific embodiment of the present invention, comparing the preset instruction feature with the instructions in the instruction set to obtain the decryption position specifically includes: if an instruction in the instruction set is identical to the preset instruction feature, obtaining the position corresponding to that instruction and taking it as the decryption position.
In a preferred embodiment of the present invention, loading the polymorphic-virus-infected file with the instruction set simulator specifically includes: reading the file content of the polymorphic-virus-infected file; and transmitting the file content that was read to the instruction set simulator.
In a specific embodiment of the present invention, repairing the polymorphic-virus-infected file according to the decryption position specifically includes: applying the decryption key, in the instruction set simulator, to the infected code at the decryption position of the polymorphic-virus-infected file to obtain the normal code corresponding to that infected code; sending the polymorphic-virus-infected file and the normal code to the cleaning engine; and using the cleaning engine to repair the file with the normal code at the decryption position and to remove the virus code from the polymorphic-virus-infected file.
A fourth aspect of the embodiments of the present invention proposes a virus processing device, including an infection sample acquisition module, an instruction set simulator, an instruction analysis module and a cleaning engine, wherein: the infection sample acquisition module is used to infect a target file with the polymorphic virus and take the resulting infected file as the polymorphic-virus-infected file; the instruction set simulator is used to load the polymorphic-virus-infected file and execute the polymorphic infection sample; the instruction analysis module is used to obtain the instruction set generated by the instruction set simulator while executing the polymorphic-virus-infected file and to compare a preset instruction feature with the instructions in it to obtain the decryption position; and the cleaning engine is used to repair the polymorphic-virus-infected file according to the decryption position.
In the embodiments of the present invention, the polymorphic-virus-infected file is loaded and executed by the instruction set simulator and the instruction set generated during execution is obtained, so that the decryption position of the infected file can be obtained automatically through the dynamic analysis of the instruction analysis module, without manual analysis of the infection sample, which simplifies the processing of polymorphic file-infecting viruses.
In a preferred embodiment of the present invention, the instruction analysis module specifically includes: an instruction set acquisition submodule, used to obtain the instruction set generated by the instruction set simulator while executing the polymorphic-virus-infected file; and a comparison submodule, used to compare the preset instruction feature with the instructions in the instruction set to obtain the decryption position.
In a preferred embodiment of the present invention, the instruction analysis module further includes: an instruction acquisition submodule, used to obtain the instruction corresponding to the decryption position; a register state acquisition submodule, used to obtain the state of the registers in the instruction set simulator when the instruction corresponding to the decryption position is executed; and a decryption key generation submodule, used to generate the decryption key from the state of the registers in the instruction set simulator.
In a specific embodiment of the present invention, if an instruction in the instruction set is identical to the preset instruction feature, the instruction analysis module obtains the position corresponding to that instruction and takes it as the decryption position.
In a specific embodiment of the present invention, the instruction set simulator further includes: a sample reading module, used to read the file content of the polymorphic-virus-infected file and transmit the content that was read to the instruction set simulator; and a sample execution module, used to receive the file content of the polymorphic-virus-infected file, execute it, and apply the decryption key to obtain the normal code corresponding to the infected part of the target file.
In a preferred embodiment of the present invention, the cleaning engine specifically includes: an information receiving module, used to receive the polymorphic-virus-infected file and the normal code; a code replacement module, used to replace the code of the infected part of the target file with the normal code; and a virus cleaning module, used to remove the virus code that has been replaced.
Brief description of the drawings
Fig. 1 is a flowchart of the analysis method for a polymorphic virus according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the analysis device for a polymorphic virus according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the virus processing device according to an embodiment of the present invention;
Fig. 4 is a flowchart of the virus processing method according to an embodiment of the present invention;
Fig. 5 is a schematic flow diagram of the polymorphic virus analysis performed by the virus processing device according to an embodiment of the present invention; and
Fig. 6 is a schematic flow diagram of the cleaning engine of the virus processing device repairing a polymorphic-virus-infected file according to an embodiment of the present invention.
Embodiments
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the drawings, in which the same or similar reference numerals denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary; they are intended to explain the present invention and are not to be construed as limiting it.
In the description of the present invention, "multiple" means two or more unless specifically defined otherwise. In addition, those of ordinary skill in the art can understand the specific meaning of the above term in the present invention according to the particular situation.
The analysis method and analysis device for polymorphic viruses, and the virus processing method and processing device, proposed according to embodiments of the present invention are described below with reference to the drawings.
Fig. 1 is a flowchart of the analysis method for a polymorphic virus according to an embodiment of the present invention.
As shown in Fig. 1, in one embodiment of the present invention, the analysis method for a polymorphic virus includes:
S101: infect a target file with the polymorphic virus, and take the resulting infected file as the polymorphic-virus-infected file. In this embodiment of the invention, the detected polymorphic virus is opened and read, the target file is infected with it, and an analyzable Portable Executable file (PE file) is obtained, namely the polymorphic-virus-infected file.
S102: load the polymorphic-virus-infected file with the instruction set simulator. In a specific embodiment of the present invention, loading the polymorphic-virus-infected file with the instruction set simulator specifically includes reading the file content of the infected file and transmitting the content that was read to the instruction set simulator.
S103: execute the polymorphic-virus-infected file with the instruction set simulator, and obtain the instruction set that the simulator generates while executing it. Specifically, after the instruction set simulator receives the file content of the polymorphic-virus-infected file, it parses the file and simulates execution of its code.
S104: compare the preset instruction feature with the instructions in the instruction set to obtain the decryption position. The encryption position used by the virus and the decryption position used to repair the infected file are the same, and both lie within the polymorphic-virus-infected file. Specifically, if an instruction in the instruction set is identical to the preset instruction feature, the position corresponding to that instruction is obtained and taken as the decryption position.
Specifically, in a specific embodiment of the present invention, the decryption code of a polymorphic virus takes a polymorphic form, and the decryption algorithm of the virus is random. Therefore, after the polymorphic-virus-infected file has been parsed and executed, the preset instruction feature is compared with the instructions in the instruction set to determine the required decryption information; for example, a polymorphic-virus-infected file exhibits the same characteristics once its decryption routine has run. Specifically, the code at the end of the decryption process of the infected file is fixed, so a feature can be extracted from it. The decryption position of the infected file can thus be obtained, together with the state of each register while the file is executed, and from these the decryption information is obtained.
In the embodiments of the present invention, the polymorphic-virus-infected file is loaded and executed by the instruction set simulator and the instruction set generated during execution is obtained, so that the decryption position of the infected file can be obtained automatically through the dynamic analysis of the instruction analysis module. No manual analysis of the infection sample is required, which simplifies the processing of polymorphic file-infecting viruses, reduces the workload of analyzing them, and improves work efficiency.
In addition, in a specific embodiment of the present invention, after the decryption position is obtained, the analysis method further includes: obtaining the instruction corresponding to the decryption position; obtaining the state of the registers in the instruction set simulator when that instruction is executed; and generating the decryption key from the state of the registers in the instruction set simulator.
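The following is an added worked example, not the patent's own implementation, showing steps S101 to S104, the key-generation step just described, and the repair step of the virus processing method (third and fourth aspects) end to end. It assumes a constructed 4-byte toy instruction set instead of x86, a flat byte image instead of a PE file, a toy XOR decryptor standing in for the polymorphic engine, and the module names `simulate`, `find_decrypt_position` and `analyze_and_repair`, none of which come from the patent. The preset instruction feature is the opcode sequence of the decryption loop, which stays fixed across infections even though the key and the prologue bytes change, exactly the property the text relies on.

```python
"""Added example (not the patent's implementation): a toy instruction-set
simulator that runs a polymorphic-virus-infected image, records the
instruction trace, locates the decryption position by matching a preset
instruction feature against the trace, reads the register state at that
instruction to recover the key, and repairs the file. The opcodes, file
layout and infector are all constructed for the example."""
import random

# Fixed-width instruction: [opcode, operand a, operand b, unused]
MOVI, LOAD, STORE, XOR, ADDI, SUBI, JNZ, JMP, HALT = 1, 2, 3, 4, 5, 6, 7, 8, 0xFF
PAYLOAD_OFF = 64                                     # constructed: encrypted original code lives here
CLEAN_CODE = bytes([MOVI, 0, 42, 0, HALT, 0, 0, 0])  # constructed "normal code" g
# Preset instruction feature: the decryption loop body is fixed even though the
# key and the prologue vary, so its opcode sequence is matched on the trace.
DECRYPT_LOOP_FEATURE = (LOAD, XOR, STORE, ADDI, SUBI, JNZ)


def ins(op, a=0, b=0):
    return bytes([op, a, b, 0])


def infect(clean, rng):
    """S101 stand-in (constructed toy infector): random XOR key and random junk
    in the prologue, so the decryptor bytes differ on every infection.
    Returns (infected image, key used) so the analysis can be checked."""
    key = rng.randrange(1, 256)
    prologue = [ins(MOVI, 0, key), ins(MOVI, 1, PAYLOAD_OFF), ins(MOVI, 2, len(clean))]
    for _ in range(rng.randrange(0, 4)):             # junk writes r3, which LOAD overwrites
        prologue.insert(rng.randrange(len(prologue) + 1), ins(ADDI, 3, rng.randrange(256)))
    loop_start = 4 * len(prologue)
    loop = [ins(LOAD, 3, 1), ins(XOR, 3, 0), ins(STORE, 1, 3), ins(ADDI, 1, 1),
            ins(SUBI, 2, 1), ins(JNZ, 2, loop_start), ins(JMP, 0, PAYLOAD_OFF)]
    stub = b"".join(prologue + loop)
    padding = bytes(PAYLOAD_OFF - len(stub))
    return stub + padding + bytes(x ^ key for x in clean), key


def infect_with_seed(seed):
    return infect(CLEAN_CODE, random.Random(seed))


def simulate(image, max_steps=10_000):
    """S102/S103: load the image and execute it. Each trace entry holds the pc,
    the decoded instruction and the register state just before it executes."""
    mem = bytearray(image) + bytearray(256 - len(image))
    r, pc, trace = [0, 0, 0, 0], 0, []
    for _ in range(max_steps):
        op, a, b = mem[pc], mem[pc + 1], mem[pc + 2]
        trace.append((pc, op, a, b, tuple(r)))
        next_pc = pc + 4
        if op == MOVI:
            r[a] = b
        elif op == LOAD:
            r[a] = mem[r[b]]
        elif op == STORE:
            mem[r[a]] = r[b]
        elif op == XOR:
            r[a] ^= r[b]
        elif op == ADDI:
            r[a] = (r[a] + b) & 0xFF
        elif op == SUBI:
            r[a] = (r[a] - b) & 0xFF
        elif op == JNZ:
            next_pc = b if r[a] else next_pc
        elif op == JMP:
            next_pc = b
        elif op == HALT:
            break
        else:
            raise ValueError(f"unknown opcode {op:#x} at {pc}")
        pc = next_pc
    return trace, mem


def find_decrypt_position(trace, feature=DECRYPT_LOOP_FEATURE):
    """S104: slide the preset feature over the trace's opcode sequence and
    return the trace index where it first matches, or None."""
    ops = [entry[1] for entry in trace]
    for i in range(len(ops) - len(feature) + 1):
        if tuple(ops[i:i + len(feature)]) == feature:
            return i
    return None


def analyze_and_repair(image):
    """Whole pipeline: trace, locate the decryption position, derive key f from
    register state e, decrypt the infected region, and drop the virus stub."""
    trace, _ = simulate(image)
    i = find_decrypt_position(trace)
    if i is None:
        return None                                  # feature absent: not this family
    xor_pc, _, _, key_reg, regs = trace[i + 1]       # XOR: operand b names the key register
    addr_reg = trace[i + 2][2]                       # STORE: operand a names the address register
    count_reg = trace[i + 4][2]                      # SUBI: operand a names the counter register
    key, start, length = regs[key_reg], regs[addr_reg], regs[count_reg]
    normal_code = bytes(x ^ key for x in image[start:start + length])
    return {"decrypt_pc": xor_pc, "key": key, "region": (start, length),
            "repaired": normal_code}                 # stub removed, original code restored


if __name__ == "__main__":
    for seed in (1, 2, 3):
        image, used_key = infect_with_seed(seed)
        result = analyze_and_repair(image)
        print(f"seed {seed}: key used {used_key:#04x}, recovered {result['key']:#04x}, "
              f"decrypt pc {result['decrypt_pc']}, repaired == clean: "
              f"{result['repaired'] == CLEAN_CODE}")
```

The register snapshot is taken before each instruction executes, so at the XOR the key register, the address register and the counter still hold their initial values; that is why one snapshot at the decryption position is enough to recover key, region and length. The feature match is done on the executed trace rather than on the file bytes, which is what makes the junk-padded, differently-keyed variants look alike.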
In the embodiments of the present invention, the polymorphic-virus-infected file is loaded and executed by the instruction set simulator and the instruction set generated during execution is obtained, so that the decryption position of the infected file can be obtained automatically through the dynamic analysis of the instruction analysis module, without manual analysis of the infection sample. This simplifies the processing of polymorphic file-infecting viruses and reduces the workload of analyzing them.
Fig. 2 is a schematic structural diagram of the analysis device for a polymorphic virus according to an embodiment of the present invention.
As shown in Fig. 2, in a specific embodiment of the present invention, the analysis device for a polymorphic virus includes: an infection sample acquisition module 10, a preprocessing module 20, an instruction set simulator 30 and an instruction analysis module 40. The infection sample acquisition module 10 is used to infect target file a with the polymorphic virus and take the resulting infected file as polymorphic-virus-infected file b. The preprocessing module 20 is used to read the file content of polymorphic-virus-infected file b and transmit the content that was read to the instruction set simulator 30. The instruction set simulator 30 is used to load and execute polymorphic-virus-infected file b. The instruction analysis module 40 is used to obtain the instruction set c generated by the instruction set simulator 30 while executing file b, and to compare the preset instruction feature with the instructions in instruction set c to obtain decryption position d.
As shown in Fig. 2, in a preferred embodiment of the present invention, the instruction set simulator 30 specifically includes a sample reading module 301 and a sample execution module 302. The sample reading module 301 is used to read the file content of polymorphic-virus-infected file b. The sample execution module 302 is used to receive and execute the file content of file b, and to apply decryption key f to obtain the normal code corresponding to the infected part of target file a.
In the embodiments of the present invention, because the decryption position of polymorphic-virus-infected file b is not fixed, the decryption algorithm used differs from sample to sample; the file cannot be repaired by ordinary static analysis or by a general algorithm, and can only be decrypted by running polymorphic-virus-infected file b.
As shown in Fig. 2, in a specific embodiment of the present invention, the instruction analysis module 40 specifically includes: an instruction set acquisition submodule 401, a comparison submodule 402, an instruction acquisition submodule 403, a register state acquisition submodule 404 and a decryption key generation submodule 405. The instruction set acquisition submodule 401 is used to obtain the instruction set c generated by the instruction set simulator 30 while executing file b. The comparison submodule 402 is used to compare the preset instruction feature with the instructions in instruction set c to obtain decryption position d. The instruction acquisition submodule 403 is used to obtain the instruction corresponding to decryption position d. The register state acquisition submodule 404 is used to obtain the state e of the registers in the instruction set simulator 30 when the instruction corresponding to decryption position d is executed. The decryption key generation submodule 405 is used to generate decryption key f from the register state e. Because the instruction set simulator 30 can load and run polymorphic-virus-infected file b and simulates every instruction that needs to be executed, every instruction of file b and the state e of each register of the simulator at the time that instruction executes can be obtained. At the same time, while the instruction set simulator 30 executes file b, it can dynamically decrypt and execute the encrypted target file a.
Preferably, in one embodiment of the present invention, if an instruction in instruction set c is identical to the preset instruction feature, the instruction analysis module 401 obtains the position corresponding to that instruction and takes it as decryption position d.
Fig. 3 is a schematic structural diagram of the virus processing device according to an embodiment of the present invention.
As shown in Fig. 3, in a specific embodiment of the present invention, the virus processing device includes: an infection sample acquisition module 10, a preprocessing module 20, an instruction set simulator 30, an instruction analysis module 40 and a cleaning engine 50. The infection sample acquisition module 10 is used to infect target file a with the polymorphic virus and take the resulting infected file as polymorphic-virus-infected file b. The preprocessing module 20 is used to read the file content of polymorphic-virus-infected file b and transmit the content that was read to the instruction set simulator 30. The instruction set simulator 30 is used to load and execute polymorphic-virus-infected file b. The instruction analysis module 40 is used to obtain the instruction set c generated by the instruction set simulator 30 while executing file b, and to compare the preset instruction feature with the instructions in instruction set c to obtain decryption position d. The cleaning engine 50 is used to repair polymorphic-virus-infected file b according to decryption position d.
As shown in Fig. 3, in a preferred embodiment of the present invention, the instruction set simulator 30 specifically includes a sample reading module 301 and a sample execution module 302. The sample reading module 301 is used to read the file content of polymorphic-virus-infected file b. The sample execution module 302 is used to receive and execute the file content of file b, and to apply decryption key f to obtain the normal code corresponding to the infected part of target file a.
As shown in Fig. 3, in a specific embodiment of the present invention, the instruction analysis module 40 specifically includes: an instruction set acquisition submodule 401, a comparison submodule 402, an instruction acquisition submodule 403, a register state acquisition submodule 404 and a decryption key generation submodule 405. The instruction set acquisition submodule 401 is used to obtain the instruction set c generated by the instruction set simulator 30 while executing file b. The comparison submodule 402 is used to compare the preset instruction feature with the instructions in instruction set c to obtain decryption position d. The instruction acquisition submodule 403 is used to obtain the instruction corresponding to decryption position d. The register state acquisition submodule 404 is used to obtain the state e of the registers in the instruction set simulator 30 when the instruction corresponding to decryption position d is executed. The decryption key generation submodule 405 is used to generate decryption key f from the register state e.
As shown in Fig. 3, in one embodiment of the present invention, the cleaning engine 50 specifically includes: an information receiving module 501, a code replacement module 502 and a virus cleaning module 503. In this embodiment of the invention, the information receiving module 501 is used to receive polymorphic-virus-infected file b and normal code g. The code replacement module 502 is used to replace the code of the infected part of target file a with normal code g. The virus cleaning module 503 is used to remove the virus code that has been replaced.
Preferably, in one embodiment of the present invention, if an instruction in instruction set c is identical to the preset instruction feature, the instruction analysis module 401 obtains the position corresponding to that instruction and takes it as decryption position d.
Fig. 4 is a flow chart of the virus processing method according to an embodiment of the present invention.
As shown in Figure 4, in one particular embodiment of the present invention, the virus processing method includes:
S201: obtain the polymorphic-virus-infected file.
S202: load the polymorphic-virus-infected file into the instruction-set emulator. In this embodiment, S202 specifically includes reading the file content of the infected file and passing the content read to the instruction-set emulator.
S203: execute the polymorphic-virus-infected file in the instruction-set emulator, and obtain the instruction set generated by the emulator while executing the infected file.
S204: compare the preset instruction feature with the instructions in the instruction set to obtain the decryption position. In this embodiment, if an instruction in the instruction set is identical to the preset instruction feature, the position of that instruction is obtained and taken as the decryption position. In addition, in this embodiment, after the decryption position has been obtained the method further includes: obtaining the instruction at the decryption position; obtaining the state of the registers of the instruction-set emulator when that instruction is executed; and generating the decryption key from that register state.
S205: repair the polymorphic-virus-infected file according to the decryption position. In this embodiment, S205 specifically includes: having the instruction-set emulator execute the decryption key on the infected code at the decryption position in the infected file, to obtain the normal code corresponding to that infected code; sending the infected file and the normal code to the cleaning engine; and having the cleaning engine restore the normal code at the decryption position and remove the virus code of the infected file.
Fig. 5 is a schematic flow chart of the polymorphic virus analysis performed by the virus processing device according to an embodiment of the present invention, and Fig. 6 is a schematic flow chart of the cleaning engine of the virus processing device according to an embodiment of the present invention repairing the polymorphic-virus-infected file.
As shown in Figures 5 and 6, in one particular embodiment of the present invention, after the polymorphic-virus-infected file b is obtained it is passed to the instruction-set emulator 30. The emulator 30 then executes infected file b, and the instruction set c generated by the emulator 30 while executing infected file b is obtained. The decryption position d is obtained from instruction set c, and the associated decryption information, such as the decryption key, is obtained from the decryption position d. Finally, infected file b and the decryption information obtained in the emulator 30 are passed to the cleaning engine 50. The cleaning engine 50 writes the decrypted normal code back to its corresponding position and removes the remaining virus code, thereby repairing infected file b. Specifically, although the decryption algorithm and the decryption position of the polymorphic virus are not fixed, the execution process of infected file b can be detected. Because the sequence of instructions actually executed is uniform, the process can still be detected by the instruction analysis module 40 even when junk instructions have been inserted into infected file b for obfuscation. During execution of infected file b, the position of the infected normal code is detected, and by detecting the instruction feature the position and length of the infected code are obtained. Using that position and length, the normal code is copied back to the infected position, so that target file a is repaired.
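As an added worked example (not code from the patent or from the applicant's engine), the following Python script carries steps S201 to S205 above, and the robustness point about junk instructions just made, through on a toy bytecode machine: a constructed clean file is infected by a toy polymorphic infector (random key, random register roles, random junk inside the decryption loop), the sample is run in an instruction-set emulator that records the executed instruction trace (instruction set c), the trace is matched against a preset instruction feature to find the decryption position d, the register state e at that instruction yields the decryption key f (region start, key byte, length), the key is executed to recover the normal code g, and a cleaning step writes g back and drops the virus body. The ISA, the file layout, the infector, the register roles and the instruction feature are all assumptions chosen for this illustration.

```python
"""Added example: toy emulation-based analysis of a polymorphic decryptor.  The
bytecode ISA, file layout (2-byte little-endian entry point, then code), infector and
"preset instruction feature" are assumptions for illustration, not the patent's code."""
import random

NOP, MOV, XORM, INC, DEC, JNZ, JMP, HALT = 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0xFF
NREGS, HEADER = 4, 2

def u16(v):
    return bytes((v & 0xFF, (v >> 8) & 0xFF))

def decode(mem, pc):
    """(opcode, operands, length) of the instruction at pc."""
    op = mem[pc]
    if op in (NOP, HALT):
        return op, (), 1
    if op in (MOV, JNZ):                         # reg, imm16
        return op, (mem[pc + 1], mem[pc + 2] | mem[pc + 3] << 8), 4
    if op == XORM:                               # mem[reg_a] ^= reg_b & 0xFF
        return op, (mem[pc + 1], mem[pc + 2]), 3
    if op in (INC, DEC):
        return op, (mem[pc + 1],), 2
    if op == JMP:
        return op, (mem[pc + 1] | mem[pc + 2] << 8,), 3
    raise ValueError(f"bad opcode {op:#x} at {pc}")

def emulate(image, max_steps=10_000):
    """Run the image from its entry point and return the executed-instruction trace
    (instruction set c); each entry snapshots the registers before that instruction."""
    mem, regs, trace = bytearray(image), [0] * NREGS, []
    pc = mem[0] | mem[1] << 8
    for _ in range(max_steps):
        op, args, size = decode(mem, pc)
        trace.append({"pc": pc, "op": op, "args": args, "regs": tuple(regs)})
        nxt = pc + size
        if op == HALT:
            return trace
        if op == MOV:
            regs[args[0]] = args[1]
        elif op == XORM:
            mem[regs[args[0]]] ^= regs[args[1]] & 0xFF
        elif op in (INC, DEC):
            regs[args[0]] = (regs[args[0]] + (1 if op == INC else -1)) & 0xFFFF
        elif op == JNZ and regs[args[0]] != 0:
            nxt = args[1]
        elif op == JMP:
            nxt = args[0]
        pc = nxt
    raise RuntimeError("step budget exhausted (runaway or infinite loop)")

def find_decryption_position(trace):
    """Preset instruction feature (assumed): a memory XOR followed, in the same loop
    body, by a JNZ that jumps back to or before it (junk between them is irrelevant)."""
    for i, ins in enumerate(trace):
        if ins["op"] == XORM:
            for later in trace[i + 1:]:
                if later["op"] == JNZ and later["args"][1] <= ins["pc"]:
                    return i                         # trace index of position d
                if later["op"] in (XORM, JMP, HALT):
                    break
    return None

def derive_key(trace, d):
    """Register state e at position d gives key f: the XOR's address register holds the
    region start, its source register the key byte, the loop JNZ's register the count."""
    xor, (ra, rb) = trace[d], trace[d]["args"]
    rc = next(t for t in trace[d + 1:] if t["op"] == JNZ)["args"][0]
    return {"start": xor["regs"][ra], "key": xor["regs"][rb] & 0xFF, "length": xor["regs"][rc]}

def analyse_and_clean(image):
    """Steps S201-S205; returns (repaired, key, decryption_pc) or None.  Assumes the
    virus body starts at the infected entry point and runs to EOF, and that the first
    JMP executed after the loop returns to the original entry point."""
    trace = emulate(image)
    d = find_decryption_position(trace)
    if d is None:
        return None
    key = derive_key(trace, d)
    s, n = key["start"], key["length"]
    normal = bytes(b ^ key["key"] for b in image[s:s + n])   # execute f: normal code g
    entry = next(t for t in trace[d + 1:] if t["op"] == JMP)["args"][0]
    out = bytearray(image[:image[0] | image[1] << 8])        # drop the virus body
    out[s:s + n] = normal                                    # put g back in place
    out[0:2] = u16(entry)                                    # restore the entry point
    return bytes(out), key, trace[d]["pc"]

def infect(clean, rng):
    """Toy polymorphic infector (the sample-acquisition step): random key, random
    register roles, random junk in the loop body, decryptor appended at the end."""
    entry, body = clean[0] | clean[1] << 8, clean[HEADER:]
    key = rng.randrange(1, 256)
    ra, rb, rc, rj = rng.sample(range(NREGS), 4)             # rj is touched only by junk
    junk = lambda: rng.choice([b"", bytes([NOP]), bytes([MOV, rj]) + u16(rng.randrange(0x10000))])
    stub = HEADER + len(body)
    pre = bytes([MOV, ra]) + u16(entry) + bytes([MOV, rb]) + u16(key) + bytes([MOV, rc]) + u16(len(body))
    loop_start = stub + len(pre)
    loop = junk() + bytes([XORM, ra, rb]) + junk() + bytes([INC, ra, DEC, rc, JNZ, rc]) + u16(loop_start)
    return u16(stub) + bytes(b ^ key for b in body) + pre + loop + bytes([JMP]) + u16(entry)

# Constructed clean target file a: entry point 2; MOV r0,7; MOV r1,35; INC r0; HALT
CLEAN = u16(HEADER) + bytes([MOV, 0]) + u16(7) + bytes([MOV, 1]) + u16(35) + bytes([INC, 0, HALT])

def demo(seed=2014, n=2):
    """Infect CLEAN n times (each sample differs in bytes) and analyse/clean each."""
    rng = random.Random(seed)
    samples = [infect(CLEAN, rng) for _ in range(n)]
    return samples, [analyse_and_clean(s) for s in samples]
```

Calling `demo()` produces two infected samples that differ byte for byte (different key, register assignment and junk), yet every one of them is restored to the identical clean file, because the match is made on the executed trace rather than on the file bytes; a clean file yields no decryption position and is left alone. A production engine would do the same thing on x86 code in a full CPU emulator and would additionally bound memory accesses and handle decryptors that do not return to the original entry point through a single jump; the toy keeps only the step budget.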
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of these terms need not refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, those skilled in the art may join and combine the different embodiments or examples described in this specification.
Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention; one of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.

Claims (17)

  1. An analysis method for a polymorphic virus, characterized in that it comprises:
    infecting a target file with the polymorphic virus, and taking the resulting infected file as a polymorphic-virus-infected file;
    loading the polymorphic-virus-infected file into an instruction-set emulator;
    executing the polymorphic-virus-infected file in the instruction-set emulator, and obtaining the instruction set generated by the instruction-set emulator while executing the polymorphic-virus-infected file; and
    comparing a preset instruction feature with the instructions in the instruction set to obtain a decryption position;
    wherein the encryption position used by the virus is identical to the decryption position, which is used to repair the polymorphic-virus-infected file;
    wherein comparing the preset instruction feature with the instructions in the instruction set to obtain the decryption position specifically comprises:
    if an instruction in the instruction set is identical to the preset instruction feature, obtaining the position of the instruction that is identical to the preset instruction feature, and taking that position as the decryption position.
  2. The analysis method for a polymorphic virus according to claim 1, characterized in that, after obtaining the decryption position, the method further comprises:
    obtaining the instruction at the decryption position;
    obtaining the state of the registers of the instruction-set emulator when the instruction at the decryption position is executed; and
    generating a decryption key from the state of the registers of the instruction-set emulator.
  3. The analysis method for a polymorphic virus according to claim 1, characterized in that loading the polymorphic-virus-infected file into the instruction-set emulator specifically comprises:
    reading the file content of the polymorphic-virus-infected file; and
    passing the file content read to the instruction-set emulator.
  4. An analysis device for a polymorphic virus, characterized in that it comprises:
    an infected-sample acquisition module for infecting a target file with the polymorphic virus and taking the resulting infected file as a polymorphic-virus-infected file;
    an instruction-set emulator for loading the polymorphic-virus-infected file and executing it; and
    an instruction analysis module for obtaining the instruction set generated by the instruction-set emulator while executing the polymorphic-virus-infected file, and comparing a preset instruction feature with the instructions in the instruction set to obtain a decryption position;
    wherein the encryption position used by the virus is identical to the decryption position, which is used to repair the polymorphic-virus-infected file;
    wherein, if an instruction in the instruction set is identical to the preset instruction feature, the instruction analysis module obtains the position of the instruction that is identical to the preset instruction feature and takes that position as the decryption position.
  5. The analysis device for a polymorphic virus according to claim 4, characterized in that the instruction analysis module specifically comprises:
    an instruction-set acquisition submodule for obtaining the instruction set generated by the instruction-set emulator while executing the polymorphic-virus-infected file; and
    a comparison submodule for comparing the preset instruction feature with the instructions in the instruction set to obtain the decryption position.
  6. The analysis device for a polymorphic virus according to claim 4, characterized in that the instruction analysis module further comprises:
    an instruction acquisition submodule for obtaining the instruction at the decryption position;
    a register-state acquisition submodule for obtaining the state of the registers of the instruction-set emulator when the instruction at the decryption position is executed; and
    a decryption-key generation submodule for generating a decryption key from the state of the registers of the instruction-set emulator.
  7. The analysis device for a polymorphic virus according to claim 4, characterized in that it further comprises:
    a pre-processing module for reading the file content of the polymorphic-virus-infected file and passing the file content read to the instruction-set emulator.
  8. A virus processing method, characterized in that it comprises:
    obtaining a polymorphic-virus-infected file;
    loading the polymorphic-virus-infected file into an instruction-set emulator;
    executing the polymorphic-virus-infected file in the instruction-set emulator, and obtaining the instruction set generated by the instruction-set emulator while executing the polymorphic-virus-infected file;
    comparing a preset instruction feature with the instructions in the instruction set to obtain a decryption position; and repairing the polymorphic-virus-infected file according to the decryption position;
    wherein the encryption position used by the virus is identical to the decryption position, which is used to repair the polymorphic-virus-infected file;
    wherein comparing the preset instruction feature with the instructions in the instruction set to obtain the decryption position specifically comprises:
    if an instruction in the instruction set is identical to the preset instruction feature, obtaining the position of the instruction that is identical to the preset instruction feature, and taking that position as the decryption position.
  9. The virus processing method according to claim 8, characterized in that, after obtaining the decryption position, the method further comprises:
    obtaining the instruction at the decryption position;
    obtaining the state of the registers of the instruction-set emulator when the instruction at the decryption position is executed; and
    generating a decryption key from the state of the registers of the instruction-set emulator.
  10. The virus processing method according to claim 8, characterized in that loading the polymorphic-virus-infected file into the instruction-set emulator specifically comprises:
    reading the file content of the polymorphic-virus-infected file; and
    passing the file content read to the instruction-set emulator.
  11. The virus processing method according to claim 8, characterized in that repairing the polymorphic-virus-infected file according to the decryption position specifically comprises:
    having the instruction-set emulator execute a decryption key on the infected code at the decryption position in the polymorphic-virus-infected file, to obtain the normal code corresponding to the infected code of the polymorphic-virus-infected file;
    sending the polymorphic-virus-infected file and the normal code to a cleaning engine; and
    having the cleaning engine restore the normal code at the decryption position and remove the virus code of the polymorphic-virus-infected file.
  12. A virus processing device, characterized in that it comprises an infected-sample acquisition module, an instruction-set emulator, an instruction analysis module and a cleaning engine, wherein:
    the infected-sample acquisition module is for infecting a target file with the polymorphic virus and taking the resulting infected file as a polymorphic-virus-infected file;
    the instruction-set emulator is for loading the polymorphic-virus-infected file and executing it;
    the instruction analysis module is for obtaining the instruction set generated by the instruction-set emulator while executing the polymorphic-virus-infected file, and comparing a preset instruction feature with the instructions in the instruction set to obtain a decryption position; and
    the cleaning engine is for repairing the polymorphic-virus-infected file according to the decryption position;
    wherein the encryption position used by the virus is identical to the decryption position, which is used to repair the polymorphic-virus-infected file;
    wherein, if an instruction in the instruction set is identical to the preset instruction feature, the instruction analysis module obtains the position of the instruction that is identical to the preset instruction feature and takes that position as the decryption position.
  13. The virus processing device according to claim 12, characterized in that the instruction analysis module specifically comprises:
    an instruction-set acquisition submodule for obtaining the instruction set generated by the instruction-set emulator while executing the polymorphic-virus-infected file; and
    a comparison submodule for comparing the preset instruction feature with the instructions in the instruction set to obtain the decryption position.
  14. The virus processing device according to claim 12, characterized in that the instruction analysis module further comprises:
    an instruction acquisition submodule for obtaining the instruction at the decryption position;
    a register-state acquisition submodule for obtaining the state of the registers of the instruction-set emulator when the instruction at the decryption position is executed; and
    a decryption-key generation submodule for generating a decryption key from the state of the registers of the instruction-set emulator.
  15. The virus processing device according to claim 12, characterized in that it further comprises:
    a pre-processing module for reading the file content of the polymorphic-virus-infected file and passing the file content read to the instruction-set emulator.
  16. The virus processing device according to claim 12, characterized in that the instruction-set emulator further comprises:
    a sample reading module for reading the file content of the polymorphic-virus-infected file; and
    a sample execution module for receiving the file content of the polymorphic-virus-infected file, executing it, and executing a decryption key to obtain the normal code corresponding to the infected part of the target file.
  17. The virus processing device according to claim 12, characterized in that the cleaning engine specifically comprises:
    an information receiving module for receiving the polymorphic-virus-infected file and the normal code;
    a code replacement module for replacing the code of the infected part of the target file with the normal code; and
    a virus cleaning module for removing the replaced virus code.
Application CN201410281375.XA (CN104077526B), "Analysis method and analysis device for a polymorphic virus, and virus processing method and processing device", priority date 2014-06-20, filing date 2014-06-20, family ID 51598776, status: Active.

Publications (2)

Publication Number Publication Date
CN104077526A (en) 2014-10-01
CN104077526B (en) 2018-03-06

Country Status (1)

Country Link
CN (1) CN104077526B (en)
Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107038375A * 2017-03-22 2017-08-11 National Computer Network and Information Security Management Center (国家计算机网络与信息安全管理中心) Decryption method and system for obtaining an infected host program
CN107231360A * 2017-06-08 2017-10-03 Shanghai Feixun Data Communication Technology Co., Ltd. (上海斐讯数据通信技术有限公司) Network virus protection method, secure wireless router and system based on a cloud network
WO2019071513A1 * 2017-10-12 2019-04-18 Shenzhen Transsion Communication Co., Ltd. (深圳传音通讯有限公司) Data encryption method and data encryption system for intelligent terminal
CN112784270A * 2021-01-18 2021-05-11 Xianjing Culture Media (Wuhan) Co., Ltd. (仙境文化传媒(武汉)有限公司) System and method for loading code file by annotation mode

Patent Citations (2)

Publication number Priority date Publication date Assignee Title
CN102985928A * 2010-07-13 2013-03-20 F-Secure Corporation (F-赛酷公司) Identifying polymorphic malware
CN102867144A * 2012-09-06 2013-01-09 Beijing Qihoo Technology Co., Ltd. (北京奇虎科技有限公司) Method and device for detecting and removing computer viruses

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
GB0513375D0 * 2005-06-30 2005-08-03 Retento Ltd Computer security



Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 2018-12-10
Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province, 519030
Patentee after: Zhuhai Seal Interest Technology Co., Ltd.
Address before: 601F, 6th floor, Building 10 (main building), Science and Technology Road, Tangjia Bay Town, Zhuhai, Guangdong, 519070
Patentee before: Zhuhai Juntian Electronic Technology Co., Ltd.