CN112580034B - Method and device for verifying unshelled file, storage medium and computer equipment - Google Patents


Info

Publication number
CN112580034B
Authority
CN
China
Prior art keywords
file
shelled
execution
shell
virtual machine
Legal status
Active
Application number
CN201910943731.2A
Other languages
Chinese (zh)
Other versions
CN112580034A (en)
Inventor
刘同豪
李博
吕群
Current Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Application filed by Qianxin Technology Group Co Ltd, Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910943731.2A
Publication of CN112580034A
Application granted
Publication of CN112580034B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The application discloses a method and a device for verifying an unshelled file, a storage medium and computer equipment. The method comprises the following steps: executing a shelled file in a virtual machine, and acquiring the unshelled file corresponding to the shelled file from the execution memory of the virtual machine after the execution is finished; extracting character strings from the shelled file and from the unshelled file respectively, and counting the number of character strings of the shelled file and the number of character strings of the unshelled file; calculating the character string expansion ratio of the unshelled file from the number of character strings of the shelled file and the number of character strings of the unshelled file; and if the character string expansion ratio is greater than or equal to a preset character string expansion threshold, determining that the unshelling of the shelled file succeeded. The application can quickly and effectively judge whether the unshelling of a sample executed in the virtual machine succeeded, helps virtual machine developers and sample operators quickly screen out files that were not unshelled, and allows potential problems of the virtual machine to be analyzed in time.

Description

Method and device for verifying unshelled file, storage medium and computer equipment
Technical Field
The present application relates to the field of computer security technologies, and in particular to a method and an apparatus for verifying an unshelled file, a storage medium, and a computer device.
Background
Adding a shell to a binary file (packing it) has become a widely used technique in the field of computer information security. Shells are roughly divided into compression shells, encryption shells, protection shells and the like, and are mainly used to prevent commercial software from being reverse engineered, to compress software, and to evade detection by antivirus software.
In order to detect and remove shelled malware, existing antivirus software usually performs an unshelling operation on the shelled malware and then performs feature matching on the new binary data produced by unshelling; that is, it unshells the target executable file. Malware authors modify shelled malware in order to evade detection, but with this unshelling approach each type of shell must be analyzed and coded for separately, and whenever a new or modified version of a shell is released the analysis and coding must be done again, which requires a large investment of manpower and material resources.
File unshelling is the basis of virus detection and removal, and how to verify whether the unshelling of a file succeeded is a fundamental problem in the field that urgently needs to be solved.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for verifying an unshelled file, a storage medium, and a computer device.
According to an aspect of the present application, there is provided a method for verifying an unshelled file, including:
executing a shelled file in a virtual machine, and acquiring the unshelled file corresponding to the shelled file from the execution memory of the virtual machine after the execution is finished;
extracting character strings from the shelled file and from the unshelled file respectively, and counting the number of character strings of the shelled file and the number of character strings of the unshelled file;
calculating the character string expansion ratio of the unshelled file according to the number of character strings of the shelled file and the number of character strings of the unshelled file;
and if the character string expansion ratio is greater than or equal to a preset character string expansion threshold, determining that the unshelling of the shelled file succeeded.
Specifically, determining that the unshelling of the shelled file succeeded if the character string expansion ratio is greater than or equal to a preset unshelling success threshold specifically includes:
if the character string expansion ratio is greater than or equal to the preset unshelling success threshold, calculating the file size increment of the unshelled file according to the file size of the unshelled file and the file size of the shelled file;
and if the file size increment is greater than or equal to a preset file size increment threshold, determining that the unshelling of the shelled file succeeded.
Specifically, the character string expansion ratio of the unshelled file is (the number of character strings of the unshelled file - the number of character strings of the shelled file) / the number of character strings of the shelled file.
Specifically, executing the shelled file in the virtual machine and obtaining the unshelled file corresponding to the shelled file from the execution memory of the virtual machine after the execution is finished specifically includes:
allocating, by using the memory management module of the virtual machine, a corresponding execution memory block for the shelled file in the virtual machine, so that when the shelled file is executed in the virtual machine, the unshelling routine included in the shell of the shelled file releases the unshelled file corresponding to the target program into the execution memory block;
acquiring the execution memory block allocated to the shelled file by the memory management module;
and after the execution of the shelled file is finished, backing up the execution memory block and extracting the unshelled file from the backup of the execution memory block.
Specifically, before executing the shelled file in the virtual machine, the method further includes:
screening the shelled file from the sample files according to preset compression shell characteristics, wherein the shell type of the shelled file includes a compression shell.
Specifically, the method further comprises:
if the character string expansion ratio is smaller than the preset character string expansion threshold or smaller than the preset unshelling success threshold, executing the shelled file in the virtual machine again, and acquiring a new unshelled file corresponding to the shelled file from the execution memory of the virtual machine after the execution is finished.
Specifically, the method further comprises:
if the number of executions of the shelled file in the virtual machine exceeds a preset execution count threshold, reporting the shelled file and the execution log corresponding to the shelled file to an unshelling management center.
According to another aspect of the present application, there is provided a device for verifying an unshelled file, including:
an unshelling module, configured to execute the shelled file in the virtual machine and acquire the unshelled file corresponding to the shelled file from the execution memory of the virtual machine after the execution is finished;
a character string extraction module, configured to extract character strings from the shelled file and from the unshelled file respectively, and count the number of character strings of the shelled file and the number of character strings of the unshelled file;
an expansion ratio calculation module, configured to calculate the character string expansion ratio of the unshelled file according to the number of character strings of the shelled file and the number of character strings of the unshelled file;
and an unshelling analysis module, configured to determine that the unshelling of the shelled file succeeded if the character string expansion ratio is greater than or equal to a preset character string expansion threshold.
Specifically, the unshelling analysis module specifically includes:
an analysis unit, configured to calculate the file size increment of the unshelled file according to the file size of the unshelled file and the file size of the shelled file if the character string expansion ratio is greater than or equal to a preset unshelling success threshold;
and a determining unit, configured to determine that the unshelling of the shelled file succeeded if the file size increment is greater than or equal to a preset file size increment threshold.
Specifically, the character string expansion ratio of the unshelled file is (the number of character strings of the unshelled file - the number of character strings of the shelled file) / the number of character strings of the shelled file.
Specifically, the unshelling module specifically includes:
a memory allocation unit, configured to allocate, by using the memory management module of the virtual machine, a corresponding execution memory block for the shelled file in the virtual machine, so that when the shelled file is executed in the virtual machine, the unshelling routine included in the shell of the shelled file releases the unshelled file corresponding to the target program into the execution memory block;
a memory obtaining unit, configured to obtain the execution memory block allocated to the shelled file by the memory management module;
and an unshelling unit, configured to back up the execution memory block after the execution of the shelled file is finished, and extract the unshelled file from the backup of the execution memory block.
Specifically, the apparatus further comprises:
a first shelled file determining module, configured to screen the shelled file from the sample files according to preset compression shell characteristics before the shelled file is executed in the virtual machine, wherein the shell type of the shelled file includes a compression shell.
Specifically, the apparatus further comprises:
a second shelled file determining module, configured to execute the shelled file in the virtual machine again if the character string expansion ratio is smaller than the preset character string expansion threshold or smaller than the preset unshelling success threshold, and obtain a new unshelled file corresponding to the shelled file from the execution memory of the virtual machine after the execution is finished.
Specifically, the apparatus further comprises:
a reporting module, configured to report the shelled file and the execution log corresponding to the shelled file to an unshelling management center if the number of executions of the shelled file in the virtual machine exceeds a preset execution count threshold.
According to yet another aspect of the present application, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the above method for verifying an unshelled file.
According to yet another aspect of the present application, there is provided a computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, the processor implementing the above method for verifying an unshelled file when executing the program.
By means of the above technical scheme, the method and device for verifying an unshelled file, the storage medium and the computer device use a character string extraction tool to extract character strings from the shelled file and from the unshelled file obtained through the virtual machine, count the number of character strings of the shelled file and the number of character strings of the unshelled file, then calculate the character string expansion ratio of the unshelled file, and combine it with the preset character string expansion threshold to confirm whether the file was successfully unshelled. The application can quickly and effectively judge whether the unshelling of a sample executed in the virtual machine succeeded, helps virtual machine developers and sample operators quickly screen out files that were not unshelled, and allows potential problems of the virtual machine to be analyzed and discovered in time.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart illustrating a method for verifying an unshelled file according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating another method for verifying an unshelled file according to an embodiment of the present application;
fig. 3 is a schematic structural diagram illustrating a device for verifying an unshelled file according to an embodiment of the present application;
fig. 4 is a schematic structural diagram illustrating another device for verifying an unshelled file according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
In this embodiment, a method for verifying an unshelled file is provided; as shown in fig. 1, the method includes:
step 101, executing a shelled file in a virtual machine, and acquiring the unshelled file corresponding to the shelled file from the execution memory of the virtual machine after the execution is finished;
step 102, extracting character strings from the shelled file and from the unshelled file respectively, and counting the number of character strings of the shelled file and the number of character strings of the unshelled file;
step 103, calculating the character string expansion ratio of the unshelled file according to the number of character strings of the shelled file and the number of character strings of the unshelled file;
and step 104, if the character string expansion ratio is greater than or equal to a preset character string expansion threshold, determining that the unshelling of the shelled file succeeded.
In the above embodiment, after the virtual machine executes the shelled file, the corresponding unshelled file is obtained from the execution memory of the virtual machine, and a comparative analysis of the unshelled file and the original file (that is, the shelled file) determines whether the original file was unshelled successfully. Specifically, a character string extraction tool may be used to extract character strings from the original file and from the unshelled file and to count the number of character strings of each; the character string expansion ratio after unshelling is then calculated from the two counts and used to decide whether the original file was unshelled successfully. The embodiment of the present application is mainly used to determine whether a file with a compression shell was unshelled successfully: a compression shell compresses the binary code of the original file, so its character strings only become visible once the file is unshelled, and the conventional feature scanning method cannot by itself confirm that unshelling succeeded; if the character string expansion ratio is greater than or equal to the preset character string expansion threshold, the original file can be determined to have been unshelled successfully.
It should be noted that the above embodiment may be used to quickly screen files that were successfully unshelled, where the preset character string expansion threshold is obtained by counting a large number of shelled samples and their corresponding unshelled samples.
In addition, the method and device can also be used to judge whether a target file is a shelled file. Specifically, first, a first target file is executed in the virtual machine, and a second target file corresponding to the first target file is acquired from the execution memory of the virtual machine after the execution is finished; second, character strings are extracted from the first target file and from the second target file respectively, and the number of character strings of the first target file and the number of character strings of the second target file are counted; then, the character string expansion ratio of the second target file is calculated from the number of character strings of the first target file and the number of character strings of the second target file; and finally, if the character string expansion ratio is greater than or equal to a preset character string expansion threshold, the first target file is determined to be a shelled file.
By applying the technical scheme of this embodiment, a character string extraction tool extracts the character strings of the shelled file and of the unshelled file obtained by the virtual machine, the number of character strings of the shelled file and the number of character strings of the unshelled file are counted, and the character string expansion ratio of the unshelled file is then calculated, so that whether the file was successfully unshelled is determined in combination with a preset character string expansion threshold. The application can quickly and effectively judge whether the unshelling of a sample executed in the virtual machine succeeded, helps virtual machine developers and sample operators quickly screen out files that were not unshelled, and allows potential problems of the virtual machine to be analyzed and discovered in time.
Further, as a refinement and extension of the specific implementation of the foregoing embodiment, in order to fully illustrate the specific implementation process of this embodiment, another method for verifying an unshelled file is provided; as shown in fig. 2, the method includes:
step 201, screening a shelled file from the sample files according to preset compression shell characteristics, wherein the shell type of the shelled file includes a compression shell;
step 202, allocating, by using the memory management module of the virtual machine, a corresponding execution memory block for the shelled file in the virtual machine, so that when the shelled file is executed in the virtual machine, the unshelling routine included in the shell of the shelled file releases the unshelled file corresponding to the shelled file into the execution memory block;
step 203, acquiring the execution memory block allocated to the shelled file by the memory management module;
and step 204, after the execution of the shelled file is finished, backing up the execution memory block and extracting the unshelled file from the backup of the execution memory block.
In steps 201 to 204, a file with a compression shell is first screened from the sample files by static scanning for shell characteristics; the virtual machine then executes the shelled file, and the execution memory block used while the shelled file runs is located in the virtual memory of the virtual machine. In this way the unshelled file of a shelled file can be obtained without analyzing and coding for the shell of the file in advance, without determining in advance the point in time at which the file is completely unshelled, and without affecting a real computer environment. The reason for obtaining the unshelled file in this manner is that existing unshelling technology unshells the target executable file in a static way: each shell is analyzed and then coded for, so that unshelling is achieved. Each type of shell needs separate analysis before code can be written to remove it; if a new or modified version is released, the analysis and coding must be done again, which requires considerable manpower and material resources; and if dynamic unshelling is used instead, executing the shelled file on a real computer system affects the real environment.
step 205, extracting character strings from the shelled file and from the unshelled file respectively, and counting the number of character strings of the shelled file and the number of character strings of the unshelled file;
step 206, calculating the character string expansion ratio of the unshelled file according to the number of character strings of the shelled file and the number of character strings of the unshelled file;
step 207, if the character string expansion ratio is greater than or equal to the preset unshelling success threshold, calculating the file size increment of the unshelled file according to the file size of the unshelled file and the file size of the shelled file;
and step 208, if the file size increment is greater than or equal to the preset file size increment threshold, determining that the unshelling of the shelled file succeeded.
In any of the embodiments described above, specifically, the character string expansion ratio of the unshelled file is (number of character strings of the unshelled file - number of character strings of the shelled file) / number of character strings of the shelled file.
In steps 205 to 208, whether the file was unshelled successfully is determined from the character string expansion ratio of the unshelled file, and the file size increment of the unshelled file may also be considered. The character string expansion ratio of the unshelled file is (the number of character strings of the unshelled file - the number of character strings of the shelled file) / the number of character strings of the shelled file. For example, if the number of character strings of the shelled file is 2000 and the number of character strings of the unshelled file is 2500, the character string expansion ratio is (2500 - 2000) / 2000 = 0.25. The file size increment is (file size of the unshelled file - file size of the shelled file) / file size of the shelled file. When both the character string expansion ratio and the file size increment are greater than or equal to their corresponding thresholds, the original file is considered to have been unshelled successfully.
step 209, if the character string expansion ratio is smaller than the preset character string expansion threshold or smaller than the preset unshelling success threshold, executing the shelled file in the virtual machine again, and acquiring a new unshelled file corresponding to the shelled file from the execution memory of the virtual machine after the execution is finished;
and step 210, if the number of executions of the shelled file in the virtual machine exceeds a preset execution count threshold, reporting the shelled file and the execution log corresponding to the shelled file to the unshelling management center.
In steps 209 and 210, if the above determination finds that a shelled file was not unshelled successfully, the original file may be executed in the virtual machine again and re-evaluated by the methods of steps 202 to 208. If the number of unshelling failures exceeds the preset execution count threshold, the shelled file and its execution log are reported to the unshelling management center, which analyzes the file that failed to unshell in order to find and solve potential problems of the virtual machine and so raise the unshelling success rate.
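The string-count and size-increment checks of steps 205 to 208 and the retry-then-report loop of steps 209 and 210, as an added Python example that is not part of the patent or of any Qianxin code. The threshold values, the 4-byte minimum string length and the run_in_vm hook standing in for the virtual machine's memory-block dump are assumptions; the sample blobs are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

# Assumption: a character string is a run of at least 4 printable ASCII bytes,
# the usual default of strings-style extraction tools (the patent fixes no length).
MIN_STRING_LEN = 4


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list[str]:
    """Return every run of printable ASCII bytes of length >= min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def string_expansion_ratio(n_shelled: int, n_unshelled: int) -> float:
    """(strings of unshelled file - strings of shelled file) / strings of shelled file."""
    if n_shelled <= 0:
        raise ValueError("shelled file yielded no strings; the ratio is undefined")
    return (n_unshelled - n_shelled) / n_shelled


def file_size_increment(size_shelled: int, size_unshelled: int) -> float:
    """(size of unshelled file - size of shelled file) / size of shelled file."""
    if size_shelled <= 0:
        raise ValueError("shelled file is empty; the increment is undefined")
    return (size_unshelled - size_shelled) / size_shelled


@dataclass(frozen=True)
class Thresholds:
    # Assumed values; the patent derives them from a large corpus of samples.
    string_expansion: float = 0.2
    size_increment: float = 0.1
    max_executions: int = 3


def verify_unshelling(shelled: bytes, unshelled: bytes, th: Thresholds) -> dict:
    """Steps 205-208: the size increment is only checked once the string ratio passes."""
    n_shelled = len(extract_strings(shelled))
    n_unshelled = len(extract_strings(unshelled))
    ratio = string_expansion_ratio(n_shelled, n_unshelled)
    verdict = {"strings_shelled": n_shelled, "strings_unshelled": n_unshelled,
               "expansion_ratio": ratio, "size_increment": None, "success": False}
    if ratio < th.string_expansion:
        return verdict
    verdict["size_increment"] = file_size_increment(len(shelled), len(unshelled))
    verdict["success"] = verdict["size_increment"] >= th.size_increment
    return verdict


def unshell_with_retries(shelled: bytes, run_in_vm: Callable[[bytes], bytes],
                         th: Thresholds) -> dict:
    """Steps 209-210: re-execute on failure; report after max_executions attempts."""
    log = []
    for attempt in range(1, th.max_executions + 1):
        unshelled = run_in_vm(shelled)  # hypothetical hook: VM run + execution memory block dump
        verdict = verify_unshelling(shelled, unshelled, th)
        log.append({"attempt": attempt, **verdict})
        if verdict["success"]:
            return {"status": "unshelled", "attempts": attempt, "log": log}
    # Execution count threshold exceeded: sample and log go to the unshelling management center.
    return {"status": "report_to_management_center", "attempts": th.max_executions, "log": log}


# Constructed sample blobs (not real executables). The shelled blob exposes only a
# few loader strings; the unshelled blob exposes the original program's strings.
OPAQUE = bytes([0x00, 0xFF, 0x01, 0xFE]) * 64  # no printable runs at all
SHELLED_STRINGS = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"stub"]
UNSHELLED_STRINGS = SHELLED_STRINGS[:3] + [
    b"config.ini", b"http://example.invalid/update", b"Software\\Vendor\\App",
    b"CreateFileW", b"WriteFile", b"RegSetValueExW", b"cmd.exe", b"%TEMP%",
    b"Mutex_1", b"Done"]
SHELLED_SAMPLE = b"MZ\x90\x00" + b"\x00".join(SHELLED_STRINGS) + b"\x00" + OPAQUE
UNSHELLED_SAMPLE = b"MZ\x90\x00" + b"\x00".join(UNSHELLED_STRINGS) + b"\x00" + OPAQUE


if __name__ == "__main__":
    print(verify_unshelling(SHELLED_SAMPLE, UNSHELLED_SAMPLE, Thresholds()))
    # A VM that hands back the shelled bytes unchanged never passes and ends in a report.
    print(unshell_with_retries(SHELLED_SAMPLE, lambda s: s, Thresholds())["status"])
```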
In addition, the embodiment of the present application further provides a method for detecting whether a shelled file contains a virus based on the foregoing unshelling determination method. Specifically, after it is determined that the shelled file was unshelled successfully, the following steps may be performed:
step 1, executing the unshelled file in the virtual machine;
step 2, recording the stub functions of the virtual machine that are called while the unshelled file executes;
step 3, analyzing the called stub functions to obtain the execution characteristics of the unshelled file;
and step 4, judging whether the shelled file contains a virus according to the execution characteristics of the unshelled file.
In steps 1 to 4, the virtual machine first loads and runs the unshelled file corresponding to the shelled file and records the stub functions the unshelled file calls during execution; second, the execution characteristics of the unshelled file are analyzed from the recorded stub functions it called, where analyzing the execution characteristics amounts to translating the sequence of stub function calls into corresponding characteristics (for example, translating a series of stub function execution codes into a flow description), and the execution characteristics of the unshelled file serve as the basis for virus detection; and finally, the execution characteristics of the unshelled file are analyzed to decide whether the program is a virus, so as to realize virus detection based on the virtual machine.
In step 4 of the embodiment of the present application, virus detection may be implemented in the following ways:
Implementation A:
step A, if the execution characteristics of the unshelled file hit a malicious execution characteristic contained in a preset execution characteristic blacklist, judging that the unshelled file contains a virus.
Specifically, step A may further include the following steps:
step A1, acquiring a preset execution characteristic list, wherein the preset execution characteristic list comprises a preset execution characteristic blacklist;
step A2, querying whether the execution characteristics of the unshelled file belong to the malicious execution characteristics contained in the preset execution characteristic blacklist;
step A3, if the execution characteristics of the unshelled file belong to the malicious execution characteristics, determining that the shelled file contains a virus;
step A4, if the execution characteristics of the unshelled file do not belong to the malicious execution characteristics, querying whether they belong to the safe execution characteristics contained in a preset execution characteristic whitelist;
step A5, if the execution characteristics of the unshelled file belong to the safe execution characteristics, determining that the unshelled file does not contain a virus;
step A6, if the execution characteristics of the unshelled file do not belong to the safe execution characteristics, marking the unshelled file as a suspicious program and reporting the execution characteristics corresponding to the suspicious program to a virus management system, so that the virus management system is used to analyze whether the suspicious program contains a virus.
In step A, whether the shelled file is infected is judged using a preset execution characteristic list comprising a blacklist and a whitelist: the malicious execution characteristics corresponding to virus programs are stored in the blacklist in advance, and the safe execution characteristics corresponding to safe programs are stored in the whitelist in advance. If the execution characteristics of the unshelled file hit neither the blacklist nor the whitelist, the program is judged to be a suspicious program and is reported to the virus management system for further judgment, where the virus management system may specifically be an expert system.
The implementation mode B is as follows:
step B1, calculating a virus reporting detection value of the shelled file according to the execution characteristics of the shelled file and a preset execution characteristic virus reporting experience value, wherein the virus reporting detection value of the shelled file is the sum of preset execution characteristic virus reporting experience values corresponding to the execution characteristics of the shelled file;
and step B2, determining whether the file with the shell contains the virus according to the relation between the virus report detection value of the file with the shell and a preset virus experience value.
As an example, assuming that the execution characteristics of the shelling file include A, B, C, D, and the expected execution characteristic poison test values are 0, 1, 2, and 3, respectively, the poison test value of the shelling file is 0+1+2+3 ═ 6, and the expected virus test value is [5, + ∞ ], and the poison test value of the shelling file is within the virus test value range, so that it can be determined that the program contains viruses. The preset virus experience value is obtained by analyzing a large number of virus samples and safety samples, and is used as a partition to maximally distinguish the virus reporting experience value of the virus sample from the virus reporting experience value of the safety sample.
On this basis, it may further be determined whether the shelled file is a security program or a suspicious program, specifically, the preset experience value of the security program and/or the preset experience value of the suspicious program may be defined, and the specific step B2 may be: and carrying out safety detection on the shelled file according to the relationship between the virus reporting detection value of the shelled file and the preset virus experience value, the preset safety experience value and the preset suspicious experience value.
In step B2, it is determined whether the shelled file is a virus program, a security program, or a suspicious program according to the empirical value interval in which the virus-reporting detection value of the shelled file is located.
In addition, if the file is a suspicious program, the file can be reported to a virus management system, so that whether the file with the shell is infected or not is judged by the virus management system, and each preset empirical value is adaptively adjusted according to the judgment result of the virus management system, so that the accuracy and the efficiency of virus detection are improved.
Further, as a specific implementation of the method in fig. 1, an embodiment of the present application provides an apparatus for verifying an unshelled file, as shown in fig. 3, where the apparatus includes:
a shelling module 31, configured to execute the shelled file in a virtual machine and, after the execution finishes, obtain the unshelled file corresponding to the shelled file from the execution memory of the virtual machine;
a string extraction module 32, configured to extract strings from the shelled file and from the unshelled file and to count the number of strings in the shelled file and the number of strings in the unshelled file;
an expansion ratio calculation module 33, configured to calculate the string expansion ratio of the unshelled file from the number of strings in the shelled file and the number of strings in the unshelled file;
and a shelling analysis module 34, configured to determine that the shelling of the shelled file succeeded if the string expansion ratio is greater than or equal to a preset string expansion threshold.
In a specific application scenario, as shown in fig. 4, the shelling analysis module 34 specifically includes:
an analysis unit 341, configured to calculate the file size increment of the unshelled file from the file size of the unshelled file and the file size of the shelled file if the string expansion ratio is greater than or equal to the preset shelling success threshold;
and a determining unit 342, configured to determine that the shelling of the shelled file succeeded if the file size increment is greater than or equal to a preset file size increment threshold.
Specifically, the string expansion ratio of the unshelled file is (number of strings in the unshelled file - number of strings in the shelled file) / number of strings in the shelled file.
In a specific application scenario, as shown in fig. 4, the shelling module 31 specifically includes:
a memory allocation unit 311, configured to use the memory management module of the virtual machine to allocate a corresponding execution memory block to the shelled file in the virtual machine, so that when the shelled file is executed in the virtual machine, the unshelling program contained in the shell of the shelled file releases the unshelled file corresponding to the shelled file into that execution memory block;
a memory obtaining unit 312, configured to obtain the execution memory block allocated to the shelled file by the memory management module;
and a shelling unit 313, configured to back up the execution memory block after the execution of the shelled file finishes and to extract the unshelled file from the backup of the execution memory block.
In a specific application scenario, as shown in fig. 4, the apparatus further includes:
a first shelled file determining module 35, configured to screen the shelled file out of the sample files according to preset compressed shell features before the shelled file is executed in the virtual machine, where the shell type of the shelled file includes a compressed shell.
In a specific application scenario, as shown in fig. 4, the apparatus further includes:
a second shelled file determining module 36, configured to execute the shelled file in the virtual machine again if the string expansion ratio is smaller than the preset string expansion threshold or smaller than the preset shelling success threshold, and, after that execution finishes, to obtain a new unshelled file corresponding to the shelled file from the execution memory of the virtual machine.
In a specific application scenario, as shown in fig. 4, the apparatus further includes:
and a reporting module 37, configured to report the shelled file and its execution log to a shelling management center if the number of times the shelled file has been executed in the virtual machine exceeds a preset execution count threshold.
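The checks that modules 32 to 37 describe, as an added example in Python that is not code from the patent or from its applicants. It uses a `strings`-style extractor (runs of at least four printable ASCII bytes, an assumed extraction rule), the string expansion ratio from the formula given above, the file size increment as the second stage, the re-execution loop of module 36, and the report that module 37 would send once the execution count threshold is exceeded. The two samples are constructed byte strings standing in for a packed image and the memory dump taken after its stub ran; the threshold values, the `run_in_vm` callback that stands in for the virtual machine, and the report layout are assumptions.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Optional

MIN_STRING_LEN = 4  # default of the classic `strings` tool; an assumed extraction rule


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes (the usual `strings` rule)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def string_expansion_ratio(shelled_count: int, unshelled_count: int) -> float:
    """(strings in unshelled file - strings in shelled file) / strings in shelled file."""
    if shelled_count == 0:  # a packed image with no strings at all: any growth is unbounded
        return float("inf") if unshelled_count > 0 else 0.0
    return (unshelled_count - shelled_count) / shelled_count


@dataclass
class Verdict:
    success: bool
    ratio: float
    size_increment: int
    reason: str


def verify_unshelled(shelled: bytes, unshelled: bytes,
                     ratio_threshold: float = 1.0,   # assumed preset string expansion threshold
                     size_threshold: int = 0) -> Verdict:  # assumed preset file size increment threshold
    """Two-stage check: string expansion ratio first, then the file size increment."""
    ratio = string_expansion_ratio(len(extract_strings(shelled)), len(extract_strings(unshelled)))
    if ratio < ratio_threshold:
        return Verdict(False, ratio, 0, "string expansion ratio below threshold")
    increment = len(unshelled) - len(shelled)
    if increment < size_threshold:
        return Verdict(False, ratio, increment, "file size increment below threshold")
    return Verdict(True, ratio, increment, "shelling succeeded")


def verify_with_retries(shelled: bytes, run_in_vm: Callable[[bytes, int], bytes],
                        max_runs: int = 3, **thresholds) -> tuple[Verdict, Optional[dict]]:
    """Re-run the sample while the check fails (module 36). Once the execution count
    exceeds max_runs, return the report the shelling management center would receive
    (module 37); a dict stands in for that report and run_in_vm for the virtual machine."""
    log: list[dict] = []
    verdict = Verdict(False, 0.0, 0, "not executed")
    for run in range(1, max_runs + 1):
        dump = run_in_vm(shelled, run)
        verdict = verify_unshelled(shelled, dump, **thresholds)
        log.append({"run": run, "ratio": round(verdict.ratio, 3), "reason": verdict.reason})
        if verdict.success:
            return verdict, None
    report = {"sample_sha256": hashlib.sha256(shelled).hexdigest(), "runs": max_runs, "log": log}
    return verdict, report


# Constructed stand-ins (not real samples): the packed image exposes only the packer's
# section names; the dump taken after the stub ran shows the program's imports and strings.
PACKED_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 32 + b"UPX0\x00UPX1\x00UPX!\x00"
                 + bytes([0x8F, 0x12, 0x03]) * 40)
UNPACKED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32 + b".text\x00.rdata\x00"
    + b"\x00".join([b"KERNEL32.dll", b"CreateFileW", b"WriteFile", b"VirtualAlloc", b"WinExec",
                    b"ADVAPI32.dll", b"RegSetValueExW", b"http://example.invalid/c2",
                    b"Software\\Run"])
    + b"\x00" * 64
)


def flaky_vm(sample: bytes, run: int) -> bytes:
    """Assumed VM stand-in: the first run leaves the image packed (as when the stub bails
    out on an environment check); the second run yields the dump."""
    return UNPACKED_SAMPLE if run >= 2 else sample


def never_unpacks(sample: bytes, run: int) -> bytes:
    """Assumed VM stand-in for a sample whose stub never releases the program."""
    return sample


if __name__ == "__main__":
    print(verify_unshelled(PACKED_SAMPLE, UNPACKED_SAMPLE))
    print(verify_with_retries(PACKED_SAMPLE, flaky_vm))
    print(verify_with_retries(PACKED_SAMPLE, never_unpacks))
```

With these samples the packed image yields 3 strings and the dump 11, so the ratio is (11 - 3) / 3 ≈ 2.67 and the size increment is 64 bytes; a dump identical to the input has a ratio of 0 and is rejected at the first stage. The ratio guards against the zero-string case explicitly, because a packed image whose only strings live in compressed data would otherwise divide by zero.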
The apparatus can also detect whether the shelled file contains a virus. Specifically, after determining that the shelling of the shelled file succeeded, it can also carry out the following steps:
Step 1: execute the unshelled file in the virtual machine;
Step 2: record the stub functions of the virtual machine that are called while the unshelled file executes;
Step 3: analyse the called stub functions to obtain the execution characteristics of the unshelled file;
Step 4: judge whether the shelled file contains a virus according to the execution characteristics of the unshelled file.
In steps 1 to 4, the virtual machine first loads and runs the unshelled file corresponding to the shelled file and records the stub functions it calls during execution; next, the execution characteristics of the unshelled file are derived from the recorded stub-function calls, a process equivalent to translating the sequence of stub-function calls into corresponding characteristics (for example, translating a series of stub-function execution records into a flow description), and these execution characteristics serve as the basis for virus detection; finally, the execution characteristics of the unshelled file are analysed to decide whether the program is a virus program, thereby realising virtual-machine-based virus detection.
In step 4 of the embodiment of the present application, virus detection may be implemented in the following ways:
Implementation mode A is as follows:
Step A: if the execution characteristics of the unshelled file hit the malicious execution characteristics contained in a preset execution characteristic blacklist, judge that the shelled file contains a virus.
Specifically, step A may further include the following steps:
Step A1: acquire a preset execution characteristic list, which includes a preset execution characteristic blacklist;
Step A2: query whether the execution characteristics of the unshelled file belong to the malicious execution characteristics contained in the preset execution characteristic blacklist;
Step A3: if the execution characteristics of the unshelled file belong to the malicious execution characteristics, determine that the shelled file contains a virus.
Step A4: if the execution characteristics of the unshelled file do not belong to the malicious execution characteristics, query whether they belong to the safe execution characteristics contained in a preset execution characteristic whitelist;
Step A5: if the execution characteristics of the unshelled file belong to the safe execution characteristics, determine that the shelled file does not contain a virus.
Step A6: if the execution characteristics of the unshelled file do not belong to the safe execution characteristics either, mark the unshelled file as a suspicious program and report the execution characteristics of the suspicious program to the virus management system, which then analyses whether the suspicious program contains a virus.
In step A, whether the shelled file is infected is judged using a preset execution characteristic list made up of a blacklist and a whitelist: the malicious execution characteristics of known virus programs are stored in the blacklist in advance, and the safe execution characteristics of known benign programs are stored in the whitelist in advance. If the execution characteristics of the unshelled file hit neither the blacklist nor the whitelist, the program is judged to be suspicious and is reported to the virus management system for further judgment; the virus management system may in particular be an expert system.
Implementation mode B is as follows:
Step B1: calculate a virus detection value for the unshelled file from its execution characteristics and the preset empirical virus value of each execution characteristic, the virus detection value of the unshelled file being the sum of the preset empirical virus values corresponding to its execution characteristics;
Step B2: determine whether the shelled file contains a virus from the relation between the virus detection value of the unshelled file and a preset virus empirical value.
As an example, suppose the execution characteristics of the unshelled file are A, B, C and D, with preset empirical virus values of 0, 1, 2 and 3 respectively. The virus detection value of the unshelled file is then 0 + 1 + 2 + 3 = 6. With a preset virus interval of [5, +∞), the detection value of the unshelled file falls inside that interval, so the program is judged to contain a virus. The preset virus empirical value is obtained by analysing a large number of virus samples and benign samples, and is chosen as the boundary that best separates the detection values of virus samples from those of benign samples.
On this basis it may further be determined whether the unshelled file is a benign program or a suspicious program: a preset safe empirical value and/or a preset suspicious empirical value may be defined, and step B2 then becomes: perform the security check on the unshelled file according to the relation between its virus detection value and the preset virus empirical value, the preset safe empirical value and the preset suspicious empirical value.
In step B2, whether the unshelled file is a virus program, a benign program or a suspicious program is decided by which empirical-value interval its virus detection value falls into.
In addition, if the file is a suspicious program it can be reported to the virus management system, which judges whether the shelled file is infected, and each preset empirical value is adjusted adaptively according to that judgment, improving the accuracy and efficiency of virus detection.
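The virus detection of steps 1 to 4 and of implementation modes A and B, which the page states once for the method and once more for the apparatus, as an added example in Python that is not code from the patent or from its applicants. The stub-call logs are constructed lists of (function name, arguments) tuples, not recordings from the patent's virtual machine; the rules that turn a call sequence into named execution characteristics, the blacklist and whitelist contents, the per-characteristic empirical values, the interval boundaries and the adaptive update policy are all assumptions. The example goes slightly beyond the page in that it implements both modes on the same characteristic set so their verdicts can be compared.

```python
from __future__ import annotations

# A stub-function call recorded by the virtual machine: (function name, argument tuple).
StubCall = tuple[str, tuple]


def execution_features(calls: list[StubCall]) -> set[str]:
    """Steps 2-3: translate the recorded stub-call sequence into named execution
    characteristics. The rules below are assumed, not taken from the patent."""
    feats: set[str] = set()
    names = {fn for fn, _ in calls}
    dropped: set[str] = set()  # executables this program wrote to disk
    for fn, args in calls:
        arg0 = str(args[0]).lower() if args else ""
        if fn == "CreateFileW" and arg0.endswith((".exe", ".dll")) and "GENERIC_WRITE" in args[1:]:
            dropped.add(arg0)
            feats.add("writes_executable")
        elif fn in ("WinExec", "CreateProcessW", "ShellExecuteW") and arg0 in dropped:
            feats.add("drops_and_executes")  # wrote an executable, then ran it
        elif fn == "RegSetValueExW" and "currentversion\\run" in arg0:
            feats.add("autorun_persistence")
        elif fn in ("connect", "InternetOpenUrlA", "HttpSendRequestA"):
            feats.add("network_connect")
        elif fn == "MessageBoxW":
            feats.add("shows_window")
        elif fn == "DeleteFileW" and arg0 == "<self>":  # "<self>" marks the sample's own path
            feats.add("deletes_self")
    if {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"} <= names:
        feats.add("remote_thread_injection")
    return feats


# Implementation mode A: blacklist of malicious and whitelist of safe characteristics (assumed contents).
BLACKLIST = {"remote_thread_injection", "drops_and_executes", "autorun_persistence", "deletes_self"}
WHITELIST = {"network_connect", "shows_window", "reads_config"}


def classify_by_lists(feats: set[str], blacklist=BLACKLIST, whitelist=WHITELIST) -> str:
    """Steps A1-A6: any blacklist hit is a virus; a non-empty set lying entirely in the
    whitelist is safe; everything else is suspicious and goes to the virus management system."""
    if feats & blacklist:
        return "virus"
    if feats and feats <= whitelist:
        return "safe"
    return "suspicious"


# Implementation mode B: empirical value per characteristic and the interval boundaries. The numbers
# are assumed; the page's own example uses values 0, 1, 2, 3 and a virus interval of [5, +inf).
EMPIRICAL = {"writes_executable": 2, "drops_and_executes": 3, "autorun_persistence": 2,
             "network_connect": 1, "shows_window": 0, "deletes_self": 2, "remote_thread_injection": 4}
VIRUS_AT = 5    # detection value in [VIRUS_AT, +inf) -> virus
SAFE_BELOW = 2  # detection value in [0, SAFE_BELOW)  -> safe; anything in between -> suspicious


def detection_value(feats: set[str], table: dict[str, int] = EMPIRICAL) -> int:
    """Step B1: sum of the empirical values of the characteristics present (unknown ones count 0)."""
    return sum(table.get(f, 0) for f in feats)


def classify_by_score(feats: set[str], table=EMPIRICAL,
                      virus_at=VIRUS_AT, safe_below=SAFE_BELOW) -> tuple[str, int]:
    """Step B2: decide by the interval the detection value falls into."""
    value = detection_value(feats, table)
    if value >= virus_at:
        return "virus", value
    if value < safe_below:
        return "safe", value
    return "suspicious", value


def adjust_intervals(expert_verdict: str, value: int, virus_at: int, safe_below: int) -> tuple[int, int]:
    """Assumed adaptive update after the virus management system rules on a suspicious sample:
    move the boundary of the confirmed class to cover this value, never past the other boundary."""
    if expert_verdict == "virus" and value < virus_at:
        virus_at = max(value, safe_below)
    elif expert_verdict == "safe" and value >= safe_below:
        safe_below = min(value + 1, virus_at)
    return virus_at, safe_below


# Constructed stub-call logs (not recordings from the patent's virtual machine).
DROPPER_CALLS: list[StubCall] = [
    ("CreateFileW", ("C:\\Users\\Public\\svc.exe", "GENERIC_WRITE")),
    ("WriteFile", ("C:\\Users\\Public\\svc.exe", 40960)),
    ("WinExec", ("C:\\Users\\Public\\svc.exe",)),
    ("RegSetValueExW", ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "svc")),
    ("InternetOpenUrlA", ("http://example.invalid/c2",)),
]
UPDATER_CALLS: list[StubCall] = [
    ("InternetOpenUrlA", ("https://example.invalid/version",)),
    ("MessageBoxW", ("Your copy is up to date",)),
]
INSTALLER_CALLS: list[StubCall] = [
    ("CreateFileW", ("C:\\Program Files\\App\\app.exe", "GENERIC_WRITE")),
    ("RegSetValueExW", ("HKCU\\Software\\App", "Installed")),
]

if __name__ == "__main__":
    for name, calls in [("dropper", DROPPER_CALLS), ("updater", UPDATER_CALLS), ("installer", INSTALLER_CALLS)]:
        feats = execution_features(calls)
        print(name, sorted(feats), classify_by_lists(feats), classify_by_score(feats))
```

The dropper hits the blacklist in mode A and scores 8 in mode B, the updater is safe under both, and the installer, whose only characteristic is writing an executable, lands in the suspicious interval under both and would be forwarded to the virus management system; once that system rules it safe at value 2, `adjust_intervals` raises the safe boundary to 3 so the same characteristic set is classified as safe next time. Note that an empty characteristic set is deliberately suspicious rather than safe in mode A, since a sample that called no recorded stub may simply have detected the virtual machine.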
It should be noted that other descriptions of the functional units of the apparatus for verifying an unshelled file provided in the embodiment of the present application may refer to the corresponding descriptions of fig. 1 and fig. 2 and are not repeated here.
Based on the above method shown in fig. 1 and fig. 2, the present application correspondingly further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the method for verifying an unshelled file shown in fig. 1 and fig. 2 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) and includes several instructions for enabling a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1 and fig. 2 and the virtual apparatus embodiment shown in fig. 3 and fig. 4, in order to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device or the like, and which includes a storage medium and a processor: the storage medium stores a computer program, and the processor executes the computer program to implement the method for verifying an unshelled file described above with reference to fig. 1 and fig. 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, radio frequency (RF) circuitry, sensors, audio circuitry, a Wi-Fi module and so forth. The user interface may include a display screen, an input unit such as a keyboard, etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a Bluetooth interface or a Wi-Fi interface), etc.
Those skilled in the art will appreciate that the computer device architecture provided in this embodiment does not limit the computer device, which may include more or fewer components, combine some components, or arrange the components differently.
The storage medium may further include an operating system and a network communication module. An operating system is a program that manages and maintains the hardware and software resources of a computer device, supporting the operation of information handling programs as well as other software and/or programs. The network communication module is used to realise communication among the components in the storage medium and with other hardware and software in the physical device.
Through the description of the above embodiments, those skilled in the art can clearly understand that the present application can be implemented by software plus a necessary general hardware platform, or in hardware: strings are extracted with a string extraction tool from the shelled file and from the unshelled file obtained by the virtual machine, the number of strings in the shelled file and in the unshelled file is counted, the string expansion ratio of the unshelled file is calculated, and it is determined in combination with a preset string expansion threshold whether the file was successfully unshelled. The present application can thus quickly and effectively judge whether the shelling of a sample executed in the virtual machine succeeded, which helps virtual machine developers and sample operators quickly screen out files that were not unshelled and lets latent problems in the virtual machine be analysed in time, speeding up the discovery of such problems.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (16)

1. A method for verifying an unshelled file, comprising:
executing a shelled file in a virtual machine and, after the execution finishes, acquiring an unshelled file corresponding to the shelled file from an execution memory of the virtual machine;
extracting strings from the shelled file and from the unshelled file respectively, and counting the number of strings in the shelled file and the number of strings in the unshelled file;
calculating a string expansion ratio of the unshelled file according to the number of strings in the shelled file and the number of strings in the unshelled file;
and if the string expansion ratio is greater than or equal to a preset string expansion threshold, determining that the shelling of the shelled file succeeded.
2. The method according to claim 1, wherein determining that the shelling of the shelled file succeeded if the string expansion ratio is greater than or equal to a preset shelling success threshold comprises:
if the string expansion ratio is greater than or equal to the preset shelling success threshold, calculating a file size increment of the unshelled file according to the file size of the unshelled file and the file size of the shelled file;
and if the file size increment is greater than or equal to a preset file size increment threshold, determining that the shelling of the shelled file succeeded.
3. The method according to claim 1 or 2, wherein the string expansion ratio of the unshelled file is (number of strings in the unshelled file - number of strings in the shelled file) / number of strings in the shelled file.
4. The method according to claim 2, wherein executing the shelled file in the virtual machine and acquiring the unshelled file corresponding to the shelled file from the execution memory of the virtual machine after the execution finishes specifically comprises:
allocating, by means of a memory management module of the virtual machine, a corresponding execution memory block to the shelled file in the virtual machine, so that when the shelled file is executed in the virtual machine, an unshelling program contained in the shell of the shelled file releases the unshelled file corresponding to the shelled file into the execution memory block;
acquiring the execution memory block allocated to the shelled file by the memory management module;
and after the execution of the shelled file finishes, backing up the execution memory block and extracting the unshelled file from the backup of the execution memory block.
5. The method according to claim 1, wherein, before executing the shelled file in the virtual machine, the method further comprises:
screening the shelled file out of sample files according to preset compressed shell features, wherein the shell type of the shelled file includes a compressed shell.
6. The method according to claim 2, further comprising:
if the string expansion ratio is smaller than the preset string expansion threshold or the string expansion ratio is smaller than the preset shelling success threshold, executing the shelled file in the virtual machine again and, after that execution finishes, acquiring a new unshelled file corresponding to the shelled file from the execution memory of the virtual machine.
7. The method according to claim 6, further comprising:
if the number of times the shelled file has been executed in the virtual machine exceeds a preset execution count threshold, reporting the shelled file and an execution log corresponding to the shelled file to a shelling management center.
8. An apparatus for verifying an unshelled file, comprising:
a shelling module, configured to execute a shelled file in a virtual machine and, after the execution finishes, acquire an unshelled file corresponding to the shelled file from an execution memory of the virtual machine;
a string extraction module, configured to extract strings from the shelled file and from the unshelled file respectively, and to count the number of strings in the shelled file and the number of strings in the unshelled file;
an expansion ratio calculation module, configured to calculate a string expansion ratio of the unshelled file according to the number of strings in the shelled file and the number of strings in the unshelled file;
and a shelling analysis module, configured to determine that the shelling of the shelled file succeeded if the string expansion ratio is greater than or equal to a preset string expansion threshold.
9. The apparatus according to claim 8, wherein the shelling module comprises:
an analysis unit, configured to calculate a file size increment of the unshelled file according to the file size of the unshelled file and the file size of the shelled file if the string expansion ratio is greater than or equal to a preset shelling success threshold;
and a determining unit, configured to determine that the shelling of the shelled file succeeded if the file size increment is greater than or equal to a preset file size increment threshold.
10. The apparatus according to claim 8 or 9, wherein the string expansion ratio of the unshelled file is (number of strings in the unshelled file - number of strings in the shelled file) / number of strings in the shelled file.
11. The apparatus according to claim 9, wherein the shelling module comprises:
a memory allocation unit, configured to allocate, by means of a memory management module of the virtual machine, a corresponding execution memory block to the shelled file in the virtual machine, so that when the shelled file is executed in the virtual machine, an unshelling program contained in the shell of the shelled file releases the unshelled file corresponding to the shelled file into the execution memory block;
a memory obtaining unit, configured to acquire the execution memory block allocated to the shelled file by the memory management module;
and a shelling unit, configured to back up the execution memory block after the execution of the shelled file finishes and to extract the unshelled file from the backup of the execution memory block.
12. The apparatus according to claim 8, further comprising:
a first shelled file determining module, configured to screen the shelled file out of sample files according to preset compressed shell features before the shelled file is executed in the virtual machine, wherein the shell type of the shelled file includes a compressed shell.
13. The apparatus according to claim 9, further comprising:
a second shelled file determining module, configured to execute the shelled file in the virtual machine again if the string expansion ratio is smaller than the preset string expansion threshold or the string expansion ratio is smaller than the preset shelling success threshold, and, after that execution finishes, to acquire a new unshelled file corresponding to the shelled file from the execution memory of the virtual machine.
14. The apparatus according to claim 13, further comprising:
a reporting module, configured to report the shelled file and an execution log corresponding to the shelled file to a shelling management center if the number of times the shelled file has been executed in the virtual machine exceeds a preset execution count threshold.
15. A storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method for verifying an unshelled file according to any one of claims 1 to 7.
16. A computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, wherein the processor, when executing the program, implements the method for verifying an unshelled file according to any one of claims 1 to 7.
CN201910943731.2A 2019-09-30 2019-09-30 Method and device for verifying unshelled file, storage medium and computer equipment Active CN112580034B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910943731.2A CN112580034B (en) 2019-09-30 2019-09-30 Method and device for verifying unshelled file, storage medium and computer equipment


Publications (2)

Publication Number Publication Date
CN112580034A CN112580034A (en) 2021-03-30
CN112580034B true CN112580034B (en) 2022-04-22

Family

ID=75116840

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910943731.2A Active CN112580034B (en) 2019-09-30 2019-09-30 Method and device for verifying unshelled file, storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN112580034B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102855440A (en) * 2012-09-13 2013-01-02 北京奇虎科技有限公司 Method, device and system for detecting packed executable files
KR20130077184A (en) * 2011-12-29 2013-07-09 주식회사 시큐아이 Homepage infected with a malware detecting device and method
CN106599686A (en) * 2016-10-12 2017-04-26 四川大学 Malware clustering method based on TLSH character representation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9898605B2 (en) * 2015-12-24 2018-02-20 Mcafee, Llc Monitoring executed script for zero-day attack of malware

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant