CN111310184A - Method and system for generating pe file feature code based on rich head identification, electronic device and storage medium - Google Patents


Info

Publication number: CN111310184A
Authority: CN (China)
Prior art keywords: rich, feature code, header information, file, generating
Legal status: Pending
Application number: CN202010148190.7A
Other languages: Chinese (zh)
Inventors: 孙勇, 徐勤
Current assignee: BEIJING SAFE-CODE TECHNOLOGY CO LTD
Original assignee: BEIJING SAFE-CODE TECHNOLOGY CO LTD
Priority date: 2020-03-05
Filing date: 2020-03-05
Publication date: 2020-06-19

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis


Abstract

The invention relates to the technical field of pe file feature code generation, and in particular to a method, a system, an electronic device and a storage medium for generating a pe file feature code based on the rich header identifier. The feature code generation method comprises the following steps: extracting the rich header information of the pe-format file; calculating a hash value from the rich header information, and generating a feature code based on that information. The rich header information is closely tied to the compilation environment and the compiler, and these rarely change over the life cycle of a piece of malware, so the accuracy of malware identification is improved. Even when pe-format malware is obfuscated and evades detection by means of packing (shell-adding) software, so that conventional feature codes can no longer identify it, the malware can still be identified from the rich header information, because packing software does not change the rich header.

Description

Method and system for generating pe file feature code based on rich head identification, electronic device and storage medium
Technical Field
The invention relates to the technical field of pe file feature code generation, in particular to a method and a system for generating a pe file feature code based on a rich head identifier, electronic equipment and a storage medium.
Background
A feature code is a byte sequence that a security company, when analyzing a piece of malware, determines to be found only in that malware and to distinguish it from other viruses and from normal programs; it is usually obtained by hashing program blocks, character strings and constant values to produce feature values.
Conventional static malware scanning is performed by security protection software: data at the corresponding positions of a pe program is extracted according to the existing malware feature codes and compared, and the pe program is judged to be malware or not.
PE is currently the mainstream executable file format on the Windows platform; it covers ordinary executable EXE files, dynamic link library DLL files and so on.
Since the release of the Visual Studio 97 SP3 compiler, rich header information has been placed between the DOS header and the PE header of Microsoft-compiled PE files. It contains information about the compilation environment, the product identifier, the product's internal version number, and the number of times the product was used during the build. Visual Studio 2019 still includes rich header information. This information does not change after the pe file has been compiled, and it is also left unchanged after the pe file has been processed by common packing (shell-adding) software, so it can effectively identify a pe file uniquely.
Existing malware usually processes the pe file by methods such as packing in order to evade feature code detection. A slight change to the malware's source code, or the use of a different packer, completely changes the feature value. Therefore malware often evades the existing feature code detection methods by packing.
Therefore, to solve the above problems, a pe file feature code generation method, system, electronic device and storage medium based on the rich header identifier are urgently needed.
Disclosure of Invention
The invention aims to: a method, a system, an electronic device and a storage medium for generating a pe file feature code based on a rich header identifier are provided, which are used as a supplement and improvement of the existing feature code.
The invention provides the following scheme:
a pe file feature code generation method based on a rich header identifier comprises the following steps:
extracting rich header information of the pe format file;
and calculating a hash value according to the rich header information, and generating a feature code based on the rich header information.
Further comprising:
the feature code based on the rich header information, together with other feature codes, uniquely identifies the pe-format malware.
The rich header information includes information of the compilation environment, the product identification, its internal version number, and the number of times the product is used in the build process.
The format of the rich header information includes the start marker DanS (code 0x536E6144), the end marker Rich (code 0x68636952), and the compilation environment.
A pe file feature code generation system based on a rich head identifier, which realizes the pe file feature code generation method based on the rich head identifier, comprises:
the extraction module is used for extracting the rich header information of the pe format file;
and the generating module is used for calculating the hash value according to the rich header information and generating the feature code based on the rich header information.
Further comprising:
and the identification module is used for uniquely identifying the pe-format malicious software together with other feature codes by utilizing the feature code based on the rich header information.
The rich header information includes information of the compilation environment, the product identification, its internal version number, and the number of times the product is used in the build process.
The format of the rich header information includes the start marker DanS (code 0x536E6144), the end marker Rich (code 0x68636952), and the compilation environment.
An electronic device comprising a memory and a processor; the memory is used for storing a computer program; the processor executes the computer program in the memory to realize the method for generating the pe file feature code based on the rich header identifier.
A computer readable storage medium storing a computer program, which when executed by a processor, is configured to implement the pe file feature code generation method based on the rich header identifier.
The invention has the following beneficial effects:
the invention discloses a method, a system, an electronic device and a storage medium for generating a feature code of a pe file based on the rich header identifier. The feature code generation method comprises the following steps: extracting the rich header information of the pe-format file; calculating a hash value from the rich header information, and generating a feature code based on that information. The rich header information is closely tied to the compilation environment and the compiler, and these rarely change over the life cycle of the malware, so the accuracy of malware identification is improved. Even when pe-format malware is obfuscated and evades detection by means of packing software, so that its code, character strings and constant information are changed and conventional feature codes can no longer identify it, the packing software does not change the rich header information, so the malware can still be identified from it. Through the rich header information, the evolution of the compilation environment of pe-format malware can also be examined, which allows the development track of the malware to be traced.
Drawings
FIG. 1 is a block diagram illustrating a process of generating a pe file feature code based on a rich header identifier according to the present invention.
FIG. 2 is a block diagram of a pe file feature code generation system based on a rich header id according to the present invention.
Fig. 3 is a schematic structural diagram of an electronic device according to the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Referring to fig. 1, a method for generating a pe file feature code based on a rich header identifier includes the following steps:
extracting rich header information of the pe format file;
and calculating a hash value according to the rich header information, and generating a feature code based on the rich header information.
Further comprising:
the feature code based on the rich header information, together with other feature codes, uniquely identifies the pe-format malware.
The rich header information includes information of the compilation environment, the product identification, its internal version number, and the number of times the product is used in the build process.
The format of the rich header information includes the start marker DanS (code 0x536E6144), the end marker Rich (code 0x68636952), and the compilation environment.
Referring to fig. 2, a pe file feature code generation system based on a rich head identifier, which implements the pe file feature code generation method based on a rich head identifier, includes:
the extraction module is used for extracting the rich header information of the pe format file;
and the generating module is used for calculating the hash value according to the rich header information and generating the feature code based on the rich header information.
Further comprising:
and the identification module is used for uniquely identifying the pe-format malicious software together with other feature codes by utilizing the feature code based on the rich header information.
The rich header information includes information of the compilation environment, the product identification, its internal version number, and the number of times the product is used in the build process.
The format of the rich header information includes the start marker DanS (code 0x536E6144), the end marker Rich (code 0x68636952), and the compilation environment.
Referring to fig. 3, an electronic device includes a memory 501 and a processor 502; the memory is used for storing a computer program; the processor executes the computer program in the memory to realize the method for generating the pe file feature code based on the rich header identifier.
Further, a computer-readable storage medium is provided, which stores a computer program, and when the computer program is executed by a processor, the computer program is used for implementing the pe file feature code generation method based on the rich header identifier.
In this embodiment, the method, system, electronic device and storage medium for generating a feature code of a pe file based on the rich header identifier perform the following steps: extracting the rich header information of the pe-format file; calculating a hash value from the rich header information, and generating a feature code based on that information. The rich header information is closely tied to the compilation environment and the compiler, and these rarely change over the life cycle of the malware, so the accuracy of malware identification is improved. Even when pe-format malware is obfuscated and evades detection by means of packing software, so that its code, character strings and constant information are changed and conventional feature codes can no longer identify it, the packing software does not change the rich header information, so the malware can still be identified from it. Through the rich header information, the evolution of the compilation environment of pe-format malware can also be examined, which allows the development track of the malware to be traced.
In the method for generating a pe file feature code based on the rich header identifier in this embodiment, the specific process is as follows:
1. When analyzing pe-format malware, the security company extracts the rich header information, including the compilation environment, the product identifier, the product's internal version number and the number of times the product was used during the build;
2. A hash value is calculated from the rich header information, and a feature code based on the rich header information is generated;
3. The feature code, together with other feature codes, uniquely identifies the pe-format malware.
In the method for generating a pe file feature code based on the Rich header identifier in this embodiment, the Rich header information includes the start marker DanS (0x536E6144), the end marker Rich (0x68636952), the compilation environment and so on, as shown in the following table:
[Table of the rich header format: image BDA0002401503760000061, not reproduced on this page.]
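As an added illustration of the three steps and the header layout above (this is not code from the patent or its applicant), the following Python locates the Rich marker and XOR key, decodes backwards to DanS, collects the (product id, build, count) entries, and derives a feature code by hashing the decoded entries. The build_sample_pe helper and its product ids, build numbers and key are constructed test inputs; using SHA-256 over the decoded entries is an assumption, since the patent does not name a hash.

```python
import hashlib
import struct

DANS = 0x536E6144  # "DanS" start marker as a little-endian dword
RICH = 0x68636952  # "Rich" end marker as a little-endian dword


def parse_rich_header(data: bytes):
    """Return (entries, xor_key) for the Rich header of a PE image, or None if absent.

    Each entry is {"prod_id", "build", "count"}: the compiler/tool product id,
    its build number and the number of times it was used in the build.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    # e_lfanew (offset 0x3C) points at the PE header; the Rich header lies before it.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew > len(data):
        return None
    hdr = data[0x40:e_lfanew]
    rich_pos = hdr.rfind(b"Rich")
    if rich_pos < 0 or rich_pos % 4 or rich_pos + 8 > len(hdr):
        return None
    key = struct.unpack_from("<I", hdr, rich_pos + 4)[0]
    # Walk backwards one dword at a time, XOR-decoding, until the DanS marker.
    words = []
    pos = rich_pos - 4
    while pos >= 0:
        word = struct.unpack_from("<I", hdr, pos)[0] ^ key
        if word == DANS:
            break
        words.append(word)
        pos -= 4
    else:
        return None  # no DanS marker: not a well-formed Rich header
    words.reverse()
    # DanS is followed by three padding dwords (zero once decoded), then id/count pairs.
    if len(words) < 3 or any(words[:3]) or (len(words) - 3) % 2:
        return None
    entries = []
    for i in range(3, len(words), 2):
        comp_id, count = words[i], words[i + 1]
        entries.append({"prod_id": comp_id >> 16, "build": comp_id & 0xFFFF, "count": count})
    return entries, key


def rich_feature_code(data: bytes):
    """Feature code: SHA-256 over the decoded entries (assumption; the patent names no hash).

    Hashing the decoded triples rather than the raw bytes keeps the code independent
    of the per-file XOR key and of where the header sits in the DOS stub.
    """
    parsed = parse_rich_header(data)
    if parsed is None:
        return None
    entries, _key = parsed
    digest = hashlib.sha256()
    for e in entries:
        digest.update(struct.pack("<HHI", e["prod_id"], e["build"], e["count"]))
    return digest.hexdigest()


def build_sample_pe(entries, key, rich_offset=0x80):
    """Construct a minimal MZ stub carrying an encoded Rich header (synthetic test input)."""
    clear = [DANS, 0, 0, 0]
    for prod_id, build, count in entries:
        clear += [(prod_id << 16) | build, count]
    enc = b"".join(struct.pack("<I", w ^ key) for w in clear)
    enc += struct.pack("<I", RICH) + struct.pack("<I", key)
    e_lfanew = rich_offset + len(enc)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)  # e_lfanew lands at 0x3C
    dos += b"\0" * (rich_offset - len(dos))
    return dos + enc + b"PE\0\0"


if __name__ == "__main__":
    # Constructed product ids / build numbers; the same entries under a different
    # XOR key or a different DOS stub must yield the same feature code.
    sample = build_sample_pe([(0x00DE, 0x5C2E, 12), (0x0104, 0x5C2E, 3)], 0x1A2B3C4D)
    print(parse_rich_header(sample))
    print(rich_feature_code(sample))
```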
For simplicity of explanation, the method embodiments are described as a series of acts or combinations of acts, but those skilled in the art will appreciate that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently with other steps in accordance with the embodiments of the invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A pe file feature code generation method based on a rich header identifier, characterized in that the method comprises the following steps:
extracting rich header information of the pe format file;
and calculating a hash value according to the rich header information, and generating a feature code based on the rich header information.
2. The method for generating a pe file feature code based on a rich header identifier of claim 1, characterized in that it further comprises:
the feature code based on the rich header information, together with other feature codes, uniquely identifies the pe-format malware.
3. The method for generating a pe file feature code based on a rich header identifier as claimed in claim 2, wherein: the rich header information includes information of the compilation environment, the product identification, its internal version number, and the number of times the product is used in the build process.
4. The method for generating a pe file feature code based on a rich header identifier as claimed in claim 3, wherein: the format of the rich header information includes the start marker DanS (code 0x536E6144), the end marker Rich (code 0x68636952), and the compilation environment.
5. A pe file feature code generation system based on the rich header identifier, which implements the pe file feature code generation method based on the rich header identifier as claimed in claim 1, characterized in that the system comprises:
the extraction module is used for extracting the rich header information of the pe format file;
and the generating module is used for calculating the hash value according to the rich header information and generating the feature code based on the rich header information.
6. The pe file feature code generation system based on the rich header identifier of claim 5, characterized in that it further comprises:
and the identification module is used for uniquely identifying the pe-format malicious software together with other feature codes by utilizing the feature code based on the rich header information.
7. The pe file feature code generation system based on the rich header identifier of claim 6, characterized in that: the rich header information includes information of the compilation environment, the product identification, its internal version number, and the number of times the product is used in the build process.
8. The pe file feature code generation system based on the rich header identifier of claim 7, characterized in that: the format of the rich header information includes the start marker DanS (code 0x536E6144), the end marker Rich (code 0x68636952), and the compilation environment.
9. An electronic device, characterized in that: comprising a memory and a processor; the memory is used for storing a computer program; the processor executes the computer program in the memory to implement the pe file feature code generation method based on the rich header identification as claimed in any one of claims 1 to 4.
10. A computer-readable storage medium characterized by: a computer program is stored, which when executed by a processor, is adapted to implement the pe file feature code generation method based on the rich header identification as claimed in any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010148190.7A CN111310184A (en) 2020-03-05 2020-03-05 Method and system for generating pe file feature code based on rich head identification, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN111310184A true CN111310184A (en) 2020-06-19

Family

ID=71158596

Country Status (1)

Country Link
CN (1) CN111310184A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663281A (en) * 2012-03-16 2012-09-12 成都市华为赛门铁克科技有限公司 Method and device for detecting malicious software
CN103886229A (en) * 2014-03-10 2014-06-25 珠海市君天电子科技有限公司 Method and device for extracting PE file features
CN109543408A (en) * 2018-10-29 2019-03-29 卓望数码技术(深圳)有限公司 Malware recognition method and system
CN109960932A (en) * 2017-12-22 2019-07-02 北京安天网络安全技术有限公司 File test method, device and terminal device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MAKSIM DUBYK: "Leveraging the PE Rich Header for Static Malware Detection and Linking", SANS *
PETER KÁLNAI et al.: "Rich Headers: leveraging the mysterious artifact of the PE format", VB2019 *

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20200619)