CN113868648A - Automatic shelling engine implementation method for malicious files - Google Patents


Info

Publication number
CN113868648A
Authority
CN
China
Prior art keywords
module
file
shelling
shell
code
Prior art date
Legal status
Pending
Application number
CN202111052133.XA
Other languages
Chinese (zh)
Inventor
祝远鉴
姜路遥
廖珩
Current Assignee
Nanjing Fenghuo Tiandi Communication Technology Co ltd
Original Assignee
Nanjing Fenghuo Tiandi Communication Technology Co ltd
Priority date
Application filed by Nanjing Fenghuo Tiandi Communication Technology Co ltd
Priority to CN202111052133.XA
Publication of CN113868648A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method for implementing an automatic shelling (unpacking) engine for malicious files. The engine is realized by loading a cloud rule base and supports high-speed shelling. It can not only rapidly shell and repair packed files, but also assist security research engineers in rapidly extracting shelled malicious samples and traffic characteristics, and it supports shelling analysis of other malicious samples in a third-party sandbox environment, thereby improving network security traffic sensing to a certain extent.

Description

Automatic shelling engine implementation method for malicious files
Technical Field
The invention mainly relates to an automatic shelling engine and method for executable files restored from network traffic.
Background
In global network security traffic awareness, a large number of malicious programs (viruses, trojans, worms and the like) use advanced software protection techniques to evade scanning and removal by antivirus software after being restored from traffic; complex program packing (shell adding) is the typical representative of such techniques. According to statistics, packed malicious programs currently account for over 80% of malicious code, and this development trend poses a huge challenge to detection tools. Therefore, how to restore the program content and obtain the normal execution sequence of the program is the key point of malicious code detection research. At present there are two main approaches to shelling analysis: manual shelling, and directed shelling using a dedicated shelling script. Both approaches have significant drawbacks, such as lack of generality, difficulty in keeping pace with advances in packing techniques and the speed at which packer code iterates, and high consumption of manpower and material resources.
At present, automatic shelling still relies on virtual-machine shelling. This is a traditional technique that supports most packers, but because of the X86 emulator it must simulate a large number of CPU instructions and operating-logic modes; while running the shell code its recognition efficiency for large numbers of floating-point operations, intra-function operations and classes is extremely poor, shelling speed and accuracy are low, the load becomes extremely heavy when large-scale traffic-restored files are encountered, system requirements are high, and iteration and cross-platform porting are extremely costly.
In addition, to avoid virtual-machine shelling and reduce time cost, many security vendors use a cloud MD5 scheme: shell hashes are pushed to the local side for identification, and as soon as a shell's MD5 is found to be similar, a packed program is reported and the user is alerted. The accuracy of this approach is very low and it adds a certain false-positive cost.
Therefore, an automatic shelling engine that is efficient, accurate, compatible with multiple platforms and low in cost is urgently needed, so that it can not only complete shell recognition before shelling, but also efficiently and quickly locate the decryption routines of unknown and known shells to achieve fast decompression, and better assist security research engineers in quickly identifying malicious samples and extracting traffic.
Disclosure of Invention
Aiming at the defects of traditional virtual-machine shelling, the invention discloses an engine that realizes automatic shelling by loading a cloud rule base and supports efficient, high-speed shelling. It can automatically analyze the flow of, and match features in, binary programs with known and unknown shells and then shell and repair them, thereby assisting security research engineers in extracting and analyzing malicious sample traffic during static analysis.
In order to solve the technical problems, the invention adopts the following technical scheme:
an automatic shelling engine implementation method for malicious files comprises the following steps:
step S1, loading a cloud end shell rule base;
step S2, reading the binary stream of the PE file to a memory and executing;
step S3, the disassembling instruction analysis module identifies the specific shell characteristics and the shell decompressing position;
step S4, positioning the specific shell characteristic decryption code position, setting a breakpoint and decrypting the file code before shell adding;
step S5, applying for a memory, and copying the decrypted code segment to a new memory space;
step S6, repairing the PE code segment in the new memory space;
step S7, saving the PE code segment in the new memory space to a local file as a memory image by the file dump module.
Further, the step S2 specifically includes:
firstly, reading a binary stream of a PE file by a simulation PE loader and mapping the binary stream to an internal memory;
then, positioning the target block information of the PE file by judging the format structure characteristics of the PE header file;
and traversing the import/export table, reading the tls resource relocation information, and repairing through the PE file inner layer repair module and the acquired block information.
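As an added illustration of step S2 (example code written for this page, not the patent's engine), the following Python builds a constructed minimal PE32 file, checks its format, maps its sections into a memory image the way a simulated PE loader would, and applies the base relocation directory to a new mapping base, which is the repair of the acquired section information that lets a packed image run at a base other than its preferred one. The file layout, section names and addresses are constructed for the example; the header offsets are those of the PE format itself. Walking the import and export tables is left out here.

```python
import struct

IMAGE_BASE = 0x400000  # constructed preferred base of the sample

def build_sample_pe():
    """Constructed minimal PE32, not a real sample: .text holds push ebp / mov ebp,esp /
    mov eax,0x402000 / ret, .reloc holds one HIGHLOW entry for the imm32 of that mov."""
    text = b"\x55\x8b\xec\xb8" + struct.pack("<I", IMAGE_BASE + 0x2000) + b"\xc3"
    reloc = struct.pack("<IIH", 0x1000, 10, (3 << 12) | 4)        # page RVA, block size, type<<12 | offset
    secs = [(b".text", 0x1000, text, 0x200), (b".reloc", 0x2000, reloc, 0x400)]
    opt = bytearray(224)                                           # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                          # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, IMAGE_BASE, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 5, 0x2000, len(reloc))   # DataDirectory[5] = base relocations
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name, len(body), va, 0x200, raw, 0, 0, 0, 0, 0x60000020)
                        for name, va, body, raw in secs)
    headers = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    data = bytearray(0x600)
    data[:len(headers)] = headers
    for _, _, body, raw in secs:
        data[raw:raw + len(body)] = body
    return bytes(data)

def parse_pe(data):
    """PE format check plus the header fields a loader needs; handles PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)   # NumberOfSections, SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                   # PE32
        image_base, = struct.unpack_from("<I", data, opt + 28)
        ndirs, = struct.unpack_from("<I", data, opt + 92)
        dd = opt + 96
    elif magic == 0x20B:                                 # PE32+
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        ndirs, = struct.unpack_from("<I", data, opt + 108)
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry, = struct.unpack_from("<I", data, opt + 16)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"),
                             va=va, vsize=vsize, rsize=rsize, rptr=rptr))
    return dict(is64=magic == 0x20B, image_base=image_base, entry=entry, size_of_image=size_of_image,
                size_of_headers=size_of_headers, dirs=dirs, sections=sections)

def map_image(data, hdr):
    """Simulated PE loader: headers at RVA 0, each section at its VirtualAddress, the rest
    zero-filled (the gap between SizeOfRawData and VirtualSize must read as zeros)."""
    image = bytearray(hdr["size_of_image"])
    head = data[:hdr["size_of_headers"]]
    image[:len(head)] = head
    for s in hdr["sections"]:
        n = min(s["rsize"], s["vsize"] or s["rsize"], len(image) - s["va"])
        chunk = data[s["rptr"]:s["rptr"] + max(n, 0)]   # a truncated file simply maps less
        image[s["va"]:s["va"] + len(chunk)] = chunk
    return image

def read_dword(image, rva):
    return struct.unpack_from("<I", image, rva)[0]

def apply_relocations(image, hdr, new_base):
    """Walk IMAGE_DIRECTORY_ENTRY_BASERELOC and rebase every HIGHLOW / DIR64 entry."""
    delta = new_base - hdr["image_base"]
    rva, size = hdr["dirs"][5]
    end, fixed = rva + size, 0
    while rva + 8 <= end:
        page, block_size = struct.unpack_from("<II", image, rva)
        if block_size < 8:
            break                                        # corrupt block: stop rather than loop forever
        for off in range(rva + 8, rva + block_size, 2):
            entry, = struct.unpack_from("<H", image, off)
            kind, target = entry >> 12, page + (entry & 0xFFF)
            if kind == 3:                                # IMAGE_REL_BASED_HIGHLOW
                struct.pack_into("<I", image, target, (read_dword(image, target) + delta) & 0xFFFFFFFF)
                fixed += 1
            elif kind == 10:                             # IMAGE_REL_BASED_DIR64
                v, = struct.unpack_from("<Q", image, target)
                struct.pack_into("<Q", image, target, (v + delta) & 0xFFFFFFFFFFFFFFFF)
                fixed += 1
        rva += block_size
    return fixed

if __name__ == "__main__":
    pe = build_sample_pe(); hdr = parse_pe(pe); img = map_image(pe, hdr)
    print([s["name"] for s in hdr["sections"]], "relocations applied:", apply_relocations(img, hdr, 0x10000000))
```

The loader deliberately zero-fills before copying and clips every copy to both the section's virtual size and the image size, so a sample whose section table lies about sizes cannot push bytes past the mapped image.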
Further, the specific content of step S3 includes:
firstly, the disassembly instruction parsing module resolves the current opcode in memory into the corresponding X86 or X64 assembly code;
then, the general shell identification and decryption data flow algorithm module dynamically identifies the specific shell characteristics and the shell decompression position.
Further, in step S4:
Firstly, identifying the codes analyzed by the disassembling instruction analysis module opcode of the step S3 by a universal shell identification and decryption data stream algorithm module;
then, setting a software breakpoint or a hardware execution breakpoint mode, and setting a breakpoint for a code position pointed by the opcode algorithm characteristic EIP of the target;
and calling an OEP distributed identification module to perform distributed multi-point matching of the pre-packing OEP entry on the decrypted code segment, or tracing by path searching, to obtain the OEP entry code of the real program. In this process the actual OEP in the decrypted code segment is found by equivalence: matching is performed using multi-pattern features, and the real original program entry is located in the code segment of the decrypted PE file through feature matching.
Further, in step S6, the IAT repair module is called to identify the API function table called by the currently shelled target program and repair the API functions in the original import table, and then the TLS relocation repair module is called to dynamically repair the base-address-relocated TLS after shelling, so as to ensure normal operation of the program after shelling.
Further, in step S7, the file dump module includes a PE file dump module, a section rebuilding module, a memory capture mirror module and a new OEP calculation module. After the IAT repair module and the tls relocation repair module have completed, the memory capture mirror module is called to capture the full memory from the mapping base address entry to the resource node in the PE memory, and the PE file dump module is called to dump it to disk; then the section rebuilding module is called on the current dump file to add a new section that stores the repaired IAT table code; and the new OEP calculation module is called to convert the virtual relative address against the current mapping base address, and the resulting new OEP entry address is filled into the local dump file. This completes all shelling operations and generates a new shelled binary PE executable file.
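Steps S6 and S7 are the part of the engine that makes a memory dump loadable again: after the packer has run, the IAT slots of the dumped program hold the absolute API addresses it resolved at run time, a fresh import directory has to be rebuilt from them, and the entry point is recomputed from the located OEP. The Python below is an added example, not the patent's IAT repair or dump modules. The image, IAT slots, export map and section RVAs are constructed; the import directory layout (IMAGE_IMPORT_DESCRIPTOR array, hint/name entries, INT) follows the PE format. Slots that do not point at a known export are reported as invalid rather than guessed, which is the situation the Themida walk-through's detailed step 7 describes.

```python
import struct

IMAGE_BASE = 0x400000       # constructed mapping base of the dumped sample
IAT_RVA = 0x3000            # constructed: where the dump's IAT slots live
NEW_SECTION_RVA = 0x5000    # constructed: RVA of the new section holding the rebuilt imports

# Constructed runtime export map (absolute address -> module, export): what the engine learns
# from the export tables of the DLLs mapped into the shelled process. Addresses are made up.
EXPORTS = {
    0x7C001000: ("kernel32.dll", "LoadLibraryA"),
    0x7C001040: ("kernel32.dll", "GetProcAddress"),
    0x7C0010A0: ("kernel32.dll", "VirtualAlloc"),
    0x77001000: ("user32.dll", "MessageBoxA"),
}

def build_sample_dump():
    """Constructed memory image: IAT slots as the packer left them, a zero slot between
    modules, and one slot pointing at a packer stub inside the image rather than an export."""
    image = bytearray(0x6000)
    slots = [0x7C001000, 0x7C001040, 0x7C0010A0, 0, 0x77001000, 0, 0x00401F00]
    struct.pack_into("<%dI" % len(slots), image, IAT_RVA, *slots)
    return bytes(image), len(slots)

def read_iat(image, iat_rva, n_slots, ptr_size=4):
    fmt = "<I" if ptr_size == 4 else "<Q"
    return [struct.unpack_from(fmt, image, iat_rva + i * ptr_size)[0] for i in range(n_slots)]

def repair_iat(slots, exports, iat_rva, ptr_size=4):
    """Map each resolved pointer back to module!export, keeping slot order per module.
    Pointers that are not exports (API-redirection stubs) are reported, not guessed."""
    by_module, invalid = {}, []
    for i, ptr in enumerate(slots):
        slot_rva = iat_rva + i * ptr_size
        if ptr == 0:
            continue                                   # module separator / padding
        if ptr not in exports:
            invalid.append((slot_rva, ptr))
            continue
        mod, fn = exports[ptr]
        by_module.setdefault(mod, []).append((slot_rva, fn))
    return by_module, invalid

def build_import_section(by_module, new_rva, ptr_size=4):
    """Serialize a new import directory for the appended section: descriptor array plus null
    terminator, then per module its hint/name entries, INT (OriginalFirstThunk) and DLL name.
    FirstThunk points at the dumped IAT slots, so each module's slots must be contiguous."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    blob, descs = bytearray(20 * (len(by_module) + 1)), []
    for mod, entries in by_module.items():
        slot_rvas = [r for r, _ in entries]
        if any(b - a != ptr_size for a, b in zip(slot_rvas, slot_rvas[1:])):
            raise ValueError("IAT slots of %s are not contiguous" % mod)
        name_rvas = []
        for _, fn in entries:
            name_rvas.append(new_rva + len(blob))
            blob += struct.pack("<H", 0) + fn.encode("ascii") + b"\0"   # hint 0 + name
            blob += b"\0" * (len(blob) % 2)                                # keep entries 2-aligned
        blob += b"\0" * (-len(blob) % ptr_size)
        int_rva = new_rva + len(blob)
        blob += b"".join(struct.pack(fmt, r) for r in name_rvas) + struct.pack(fmt, 0)
        dll_rva = new_rva + len(blob)
        blob += mod.encode("ascii") + b"\0"
        descs.append((int_rva, dll_rva, slot_rvas[0]))
    for i, (int_rva, dll_rva, first_thunk) in enumerate(descs):
        struct.pack_into("<IIIII", blob, 20 * i, int_rva, 0, 0, dll_rva, first_thunk)
    return bytes(blob)

def parse_import_section(blob, new_rva, ptr_size=4):
    """Read the blob back the way a loader would (self-check for the builder)."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    cstr = lambda rva: blob[rva - new_rva:].split(b"\0")[0].decode("ascii")
    out, i = [], 0
    while True:
        int_rva, _, _, dll_rva, first_thunk = struct.unpack_from("<IIIII", blob, 20 * i)
        if dll_rva == 0:
            return out
        names, off = [], int_rva - new_rva
        while True:
            entry, = struct.unpack_from(fmt, blob, off)
            if not entry:
                break
            names.append(cstr(entry + 2))              # skip the 2-byte hint
            off += ptr_size
        out.append((cstr(dll_rva), first_thunk, names))
        i += 1

def new_entry_point(oep_va, image_base):
    """New OEP calculation: AddressOfEntryPoint of the dump is the located OEP minus the base."""
    if oep_va < image_base:
        raise ValueError("OEP lies below the image base")
    return oep_va - image_base

def repair_dump(image, n_slots, oep_va, exports=EXPORTS):
    by_module, invalid = repair_iat(read_iat(image, IAT_RVA, n_slots), exports, IAT_RVA)
    return dict(imports=by_module, invalid=invalid,
                import_section=build_import_section(by_module, NEW_SECTION_RVA),
                entry_rva=new_entry_point(oep_va, IMAGE_BASE))

if __name__ == "__main__":
    img, n = build_sample_dump()
    r = repair_dump(img, n, IMAGE_BASE + 0x1234)
    print(parse_import_section(r["import_section"], NEW_SECTION_RVA), "invalid:", r["invalid"], hex(r["entry_rva"]))
```

The returned blob is what the section rebuilding step appends as the new section; the dump's import data directory would then be pointed at `NEW_SECTION_RVA`, and the invalid slots are the ones an analyst (or, in the patent, the disassembly engine) still has to resolve by hand.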
Beneficial effects: compared with the prior art, the method updates quickly because it is based on a cloud rule base, and the latest shell rules are pushed rapidly to the front end for automatic shelling by means of the back-end machine learning capability; the shelling capability is realized without virtual-machine execution, so CPU switching time is saved and system resources are not occupied; the method is suitable for X86/X64 platforms, is highly portable, allows secondary development under Linux, and can be used across platforms.
The invention provides a fast, universal and effective shelling method for packed programs restored from traffic in network security, and simplifies the static analysis and traffic extraction work of security research engineers on malicious samples.
Drawings
FIG. 1 is a logic flow diagram of an automated shelling engine for malicious files according to the present invention;
FIG. 2 is a functional block diagram of an automated shelling engine for malicious files according to the present invention;
FIG. 3 is the binary malicious sample file extracted in an embodiment of the present invention;
FIG. 4 is the cloud shell feature library loaded in an embodiment of the invention;
FIG. 5 is a diagram illustrating the PE file read in an embodiment of the present invention;
FIG. 6 illustrates the shell features identified by disassembly in an embodiment of the present invention;
FIG. 7 is a diagram of the location of the real code decrypted by the shell in an embodiment of the present invention;
FIG. 8 is a schematic diagram of the breakpoint set at the code interruption position in an embodiment of the present invention;
FIG. 9 is a block diagram illustrating the repaired PE code segment of the new memory image in an embodiment of the present invention.
Detailed Description
The invention will be further elucidated with reference to the following description of an embodiment in conjunction with the accompanying drawing. It is to be understood that these examples are for illustrative purposes only and are not intended to limit the scope of the present invention, which is to be given the full breadth of the appended claims and any and all equivalent modifications thereof which may occur to those skilled in the art upon reading the present specification.
The invention relates to an automatic shelling engine implementation method for malicious files. It identifies various packed PE files and uses multi-point dynamic memory scanning, simulated PE loading, simulated breakpoints, a high-precision disassembly identification mechanism and a memory capture mirror technique to quickly locate shell characteristics and quickly shell and repair the PE files. The automatic shelling engine can rapidly shell and restore packed files, assist security research engineers in rapidly extracting malicious samples and traffic characteristics after shelling, and support shelling analysis of other malicious samples in third-party sandbox environments, bringing a certain capability improvement to network security traffic sensing. The automatic shelling engine and method for malicious files of the present invention include the following modules, as shown in FIG. 2:
The simulated PE file loader module: comprises a map-file-to-memory module, a PE file format check module, a PE file export/import table traversal module, a tls/resource/relocation information reading module and a PE file memory repair module. After the traffic-restored PE file has been loaded into memory by the map-file-to-memory module, the PE file format detection module is called, then the export/import table traversal module and the tls/resource/relocation information reading module; all the section information obtained is then repaired by the PE file memory repair module, and the X86/X64 disassembly instruction parsing module is called to perform opcode analysis on the file.
The X86/X64 disassembly instruction parsing module: identifies by disassembly the opcode stream of the file that has been read and mapped into memory, parses the opcodes one by one and converts them into the corresponding X86 or X64 assembly code, organizes the assembly code using doubly linked list and multi-bit array storage, and quickly and accurately identifies control-transfer statements, floating-point operations, logical AND/OR, conditional judgements, multi-dimensional addressing modes, scrambled binary byte code, obfuscating junk code ("flower code") and expanded random code.
The functions of the general shell identification and decryption data flow algorithm module comprise: calling the software/hardware breakpoint setting module to set a breakpoint at the code position pointed to by the target's opcode-feature EIP and letting the program run to the selected breakpoint position; then calling the OEP distributed identification module, which uses distributed multi-point matching and path searching of the pre-packing OEP entry on the decrypted code segment to trace to the OEP entry code of the real program.
The PE file repair module comprises an IAT repair module and a TLS relocation repair module. After the OEP distributed identification module has identified the decrypted OEP code, the IAT repair module is called to identify the API function table called by the current shelled target program and repair the API functions in the original import table, and then the TLS relocation repair module is called to dynamically repair the base-address-relocated TLS position after shelling, so that the program runs normally after shelling.
The file dump module comprises the following components: after the IAT repair module and the tls relocation repair module have completed, the memory capture mirror module is called to capture the range from the mapping base address entry to the resource node in the PE memory, then the PE file dump module is called to write that range to disk, then the section reconstruction module is called to add a new section to the current dump file to store the repaired IAT table code, and then the new OEP calculation module is called to convert current mapping base address + virtual relative address into the new OEP entry address and fill it into the local dump file; all shelling operations are then complete and a new shelled binary PE executable file is generated.
As shown in fig. 1, the logic flow of the present embodiment includes:
the first step is as follows: loading simulation PE file loader module
The second step is that: load X86/X64 disassembling instruction parsing module
The third step: load general shell identification and decrypt data flow algorithm module
The fourth step: loading PE file repair module
The fifth step: loading file dump module
Firstly, operating an automatic shelling engine, loading and loading a cloud end shell rule base into a memory, then reading a PE file from a target file to be shelled into the memory and operating the PE file, analyzing a binary opcode instruction of the PE file operated in the current memory by an X86/X64 disassembling instruction analyzing module, analyzing the binary opcode instruction into a corresponding assembling instruction, identifying the relation between the logic and the condition of the current instruction, identifying and decrypting a decompression algorithm and a shell decryption algorithm in the current disassembling by a universal shell identifying and decrypting data flow algorithm module, locating and identifying the identifying condition according to the cloud end shell rule base, if the characteristic matched with the rule base is found, setting a software breakpoint to interrupt at the position of an EIP pointer passing the current matching, otherwise, using a universal only algorithm in the universal shell identifying engine to locate, if the breakpoint is found, and after the program is interrupted at the current EIP, and repairing the OEP position which is extracted out after the current interruption by the PE file repairing module, and then locally saving the repaired file after the current shelling into a new binary file after shelling and running by the file dump module.
The X86/X64 disassembler instruction parsing comprises the following sub-modules: the system comprises a virtualization code fragment execution module, a CPU instruction analysis module and an invisible breakpoint setting module. The virtualized code fragment execution module mainly comprises binary opcode fragments which are virtualized out of real CPU execution code fragments, the components comprise binary byte codes, all control flows, logic operation condition statements, polynomial floating point operations including MMX multimedia operation instructions and 8087 oblique processing instructions and assembly codes which are formed by virtualization, flower removing instructions, SMC codes, logic distortion expansion code reduction and other operations are carried out on the current assembly codes, the CPU instruction analysis module comprises a plurality of binary code conversion conditions and a large number of opcode codes for identification, the invisible breakpoint setting module comprises int3 software breakpoints and debugging registers DR0-DR3 and respectively bypasses shell codes of code segment CRC check in a shell, and therefore the purpose of interruption under different shell scenes is achieved.
The following is illustrated with a specific example: shelling a Themida 2.1.8 sample with the automated shelling engine for malicious files.
Sample background: an automated promotion-abuse ("wool-pulling") sample from SDL risk control.
Analysis purpose: extract traffic characteristics and analyze the behavior of the risk-control sample after shelling.
Sample function: bypasses captchas by modifying the hardware information seen by a given process.
Firstly, the traffic is analyzed and the binary malicious sample file is extracted, as shown in FIG. 3;
Detailed step 1: the cloud shell feature library is loaded, as shown in FIG. 4.
Detailed step 2: the PE file is read into memory and executed, as shown in FIG. 5.
Detailed step 3: the shell features are identified by disassembly, as shown in FIG. 6.
The memory signature defined as the Themida shell head is a signature of length 0x35 (53 bytes) at the shell head:
68 FF 6A 87 13 E8 FB 6F A6 FF 48 F7 D8 0F C8 3B CD 35 2C 62 B7 51 F9 F7 C5 9D 30 4E 0A F7 D8 33 D8 F9 E9 E0 BE F0 FF 0F C8 35 98 68 E7 74 2D 4B 46 17 00 33 D8
Detailed step 4: the position of the real code decrypted by the shell is located by the feature 8A 17 0F CF, as shown in FIG. 7.
Detailed step 5: a breakpoint is set so that the shell decrypts the pre-packing code.
The OEP feature found by searching the pre-packing code is 33 FF 89 7D E4 33 C0 8B 5D 08 3B DF 0F 95 C0 3B C7; a breakpoint is set so that execution breaks at that location, as shown in FIG. 8.
Detailed step 6: memory is allocated and the decrypted code is copied to the new memory. The main purpose is to copy the decrypted IAT table completely into new memory, in preparation for rebuilding the dump file.
Detailed step 7: the PE code segment in the new memory image is repaired. As shown in FIG. 9, in this case there are several invalid IAT table entries that cannot be identified, so the disassembly engine is used to search for the API location pointed to by the IAT address and break there.
Detailed step 8: the new memory image is dumped and saved to a local file.
After the above 8 steps are completed, the Themida (TMD) shell is completely removed and the code can be analyzed without hindrance in IDA.
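The shell identification, decryptor location and OEP multi-point matching of steps S3 and S4 (detailed steps 3 to 5 above) come down to matching byte patterns from the rule base against the mapped image. The Python below is an added example, not the patent's engine: it loads a constructed cloud rule base in an assumed JSON shape (the patent gives no format), containing the three Themida 2.1.8 patterns quoted above plus one constructed wildcard rule, scans a constructed image in which those patterns were planted at known offsets, and reports where the engine would place its breakpoint and which OEP candidates it found. No debugger is involved; the breakpoint address is only computed.

```python
import json
import random
import re

IMAGE_BASE = 0x400000  # constructed mapping base of the sample

# Constructed cloud rule base. The JSON shape is an assumption; the first three patterns are the
# Themida 2.1.8 signatures from the worked example on this page, the fourth is a constructed
# generic prologue rule that shows "??" wildcards and multi-point OEP matching.
RULE_BASE_JSON = """[
 {"packer": "Themida 2.1.8", "kind": "shell_head",
  "pattern": "68 FF 6A 87 13 E8 FB 6F A6 FF 48 F7 D8 0F C8 3B CD 35 2C 62 B7 51 F9 F7 C5 9D 30 4E 0A F7 D8 33 D8 F9 E9 E0 BE F0 FF 0F C8 35 98 68 E7 74 2D 4B 46 17 00 33 D8"},
 {"packer": "Themida 2.1.8", "kind": "decrypt_entry", "pattern": "8A 17 0F CF"},
 {"packer": "Themida 2.1.8", "kind": "oep", "pattern": "33 FF 89 7D E4 33 C0 8B 5D 08 3B DF 0F 95 C0 3B C7"},
 {"packer": "Themida 2.1.8", "kind": "oep", "pattern": "55 8B EC 83 EC ?? 53 56 57"}
]"""

def compile_rule(rule):
    """Turn 'AA ?? BB' into a byte regex; '??' matches exactly one arbitrary byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in rule["pattern"].split()]
    return dict(rule, regex=re.compile(b"".join(parts), re.DOTALL), length=len(parts))

def load_rule_base(text):
    return [compile_rule(r) for r in json.loads(text)]

def find_all(rule, image, start=0):
    return [m.start() for m in rule["regex"].finditer(image, start)]

def identify_shell(image, rules):
    """Step S3: which packer, and at what offset does its shell head sit in the mapped image?"""
    for r in rules:
        if r["kind"] == "shell_head":
            hits = find_all(r, image)
            if hits:
                return r["packer"], hits[0]
    return None, None

def locate_decryptor_and_oep(image, rules, packer, head_off):
    """Steps S3/S4: find the decrypt routine after the shell head (where the breakpoint goes),
    then run every OEP rule of this packer over the image and rank the candidates."""
    own = [r for r in rules if r["packer"] == packer]
    dec = next((h for r in own if r["kind"] == "decrypt_entry" for h in find_all(r, image, head_off)), None)
    candidates = sorted({h for r in own if r["kind"] == "oep" for h in find_all(r, image)})
    # assumption: the first OEP candidate lying beyond the decrypt routine is the real entry
    oep = next((c for c in candidates if dec is None or c > dec), None)
    return dict(decrypt_off=dec, breakpoint_va=None if dec is None else IMAGE_BASE + dec,
                oep_candidates=candidates, oep_off=oep, ambiguous=len(candidates) > 1)

def build_sample_image(rules):
    """Constructed 16 KiB image: deterministic random filler with the rule patterns planted."""
    rng = random.Random(2021)
    image = bytearray(rng.getrandbits(8) for _ in range(0x4000))
    def plant(idx, off, fill=0x28):
        r = rules[idx]
        image[off:off + r["length"]] = bytes(fill if t == "??" else int(t, 16) for t in r["pattern"].split())
    plant(0, 0x1000); plant(1, 0x1800); plant(2, 0x2400); plant(3, 0x3000)
    return bytes(image)

if __name__ == "__main__":
    rules = load_rule_base(RULE_BASE_JSON)
    img = build_sample_image(rules)
    packer, head = identify_shell(img, rules)
    print(packer, hex(head), locate_decryptor_and_oep(img, rules, packer, head))
```

Reporting `ambiguous` is deliberate: with several OEP rules per packer, more than one candidate is the normal case, and the engine (or the analyst) should confirm the chosen one rather than dump at the first hit.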
The Chinese interpretation of the English abbreviations used herein is as follows:
opcode: instruction sequence / operation code; for example, for push ebp / push rbp the opcode is 0x55.
EIP: the instruction pointer register (referred to collectively for X86/X64) points to the location of the code the CPU will execute next. For example, in 16-bit assembly:
push bp
mov bp,sp
mov ax,0x16
add ax,0
mov al,0x8    <--- EIP (the location pointed to, i.e. the next instruction to execute)
mul al
PE: the Win32/Win64 executable file structure that can be recognized by the operating system.
dump: capturing a piece of paged memory from the memory image and saving it locally.
API: the standard interface functions exported by the system (Windows/Linux) that can be called by application programs.
tls: thread local storage of the current process (a variable that can be defined as static per thread); the corresponding functions are:
TlsAlloc allocates thread local storage space;
TlsFree releases the thread local memory space;
TlsGetValue obtains the value in the thread local storage space;
TlsSetValue sets the value of the thread's local memory space.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (6)

1. An automatic shelling engine implementation method for malicious files is characterized by comprising the following steps:
step S1, loading a cloud end shell rule base;
step S2, reading the binary stream of the PE file to a memory and executing;
step S3, the disassembling instruction analysis module identifies the specific shell characteristics and the shell decompressing position;
step S4, positioning the specific shell characteristic decryption code position, setting a breakpoint and decrypting the file code before shell adding;
step S5, applying for a memory, and copying the decrypted code segment to a new memory space;
step S6, repairing the PE code segment in the new memory space;
step S7, saving the PE code segment in the new memory space to a local file as a memory image by the file dump module.
2. The automated shelling engine implementation method for malicious files as recited in claim 1, wherein step S2 comprises the following steps:
firstly, a simulated PE loader reads the binary stream of the PE file and maps it into memory;
then, the target section information of the PE file is located by checking the format structure characteristics of the PE header;
and the import/export tables are traversed, the TLS and resource relocation information is read, and repair is performed by the PE file inner-layer repair module using the acquired section information.
3. The automated shelling engine implementation method for malicious files as recited in claim 1, wherein step S3 specifically comprises:
firstly, the disassembly instruction analysis module resolves the current opcodes in memory into the corresponding x86 or x64 assembly code;
then, the universal shell identification and decryption data stream algorithm module dynamically identifies the specific shell characteristics and the shell decompression position.
4. The automated shelling engine implementation method for malicious files as recited in claim 1, wherein step S4 comprises:
firstly, the universal shell identification and decryption data stream algorithm module identifies the code resolved from the opcodes by the disassembly instruction analysis module in step S3;
then, in software breakpoint or hardware execution breakpoint mode, a breakpoint is set at the code position pointed to by the EIP of the target's opcode algorithm characteristic;
and the OEP distributed identification module is called to perform distributed multi-point matching of the pre-packing OEP entry on the decrypted code segment, or the OEP entry code of the real program is obtained by tracing in a path-search manner.
5. The automated shelling engine implementation method for malicious files as recited in claim 1, wherein in step S6 the IAT repair module is called to identify the API function table called by the target program currently being shelled and to repair the API functions in the original import table, and then the TLS relocation repair module is called to dynamically repair the TLS locations relocated against the base address after shelling, so as to ensure that the program runs normally after shelling.
6. The automated shelling engine implementation method for malicious files as recited in claim 1, wherein in step S7 the file dump module comprises a PE file dump module, a section rebuilding module, a memory capture mirror module, and a new OEP calculation module; after the IAT repair module and the TLS relocation repair module have completed, the memory capture mirror module is called to capture the full memory from the image base address entry of the PE memory image up to the position of the resource section, and the PE file dump module is called to write it to disk; then the section rebuilding module is called to add a new section to the current dump file for storing the repaired IAT table code; and the new OEP calculation module is called to compute the virtual address relative to the current image base address, and the resulting new OEP entry address is filled into the local dump file, thereby completing all shelling operations and generating a new shelled binary PE executable file.
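Claims 2 and 6 both depend on reading the PE header: locating section information from the header structure, and converting the OEP virtual address recovered at runtime into an RVA relative to the image base before writing it into the dump. The following is an added illustration, not code from the patent or its applicant: a small header parser with the RVA-to-section and RVA-to-file-offset lookups an unpacker's dump stage needs, plus the new-OEP computation and the write-back into AddressOfEntryPoint. The PE header it operates on is constructed inline (two invented sections, `.text` and a packer stub `.packed`, with an invented image base of 0x400000 and an assumed recovered OEP at VA 0x401234); it is not a real binary and only PE32 (32-bit) headers are handled.

```python
import struct

# Constants from the PE format (IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32).
IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
PE32_MAGIC = 0x10B
COFF_HEADER_FMT = '<HHIIIHH'          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = '<8sIIIIIIHHI'   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe() -> bytes:
    """Constructed 32-bit PE header only (no real code): the entry point sits in a
    packer stub section ('.packed') while the original code lives in '.text'.
    All values are invented for this example."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    struct.pack_into('<H', dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    # Machine=i386, 2 sections, no symbols, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, PE32_MAGIC)
    struct.pack_into('<I', opt, 16, 0x5000)     # AddressOfEntryPoint -> packer stub
    struct.pack_into('<I', opt, 28, 0x400000)   # ImageBase (invented)
    struct.pack_into('<I', opt, 32, 0x1000)     # SectionAlignment
    struct.pack_into('<I', opt, 36, 0x200)      # FileAlignment
    struct.pack_into('<I', opt, 56, 0x6000)     # SizeOfImage
    struct.pack_into('<I', opt, 60, 0x400)      # SizeOfHeaders
    sections = (
        # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
        struct.pack(SECTION_HEADER_FMT, b'.text', 0x2000, 0x1000, 0x2000, 0x400, 0, 0, 0, 0, 0x60000020),
        struct.pack(SECTION_HEADER_FMT, b'.packed', 0x1000, 0x5000, 0x200, 0x2400, 0, 0, 0, 0, 0xE0000020),
    )
    image = dos + struct.pack('<I', IMAGE_NT_SIGNATURE) + coff + opt + b''.join(sections)
    return bytes(image.ljust(0x400, b'\0'))   # pad to SizeOfHeaders


def parse_pe(data: bytes) -> dict:
    """Read the header fields the dump stage relies on: entry point, image base, section table."""
    if struct.unpack_from('<H', data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if struct.unpack_from('<I', data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('missing PE signature')
    coff_off = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + 20
    if struct.unpack_from('<H', data, opt_off)[0] != PE32_MAGIC:
        raise ValueError('only PE32 is handled in this example')
    entry_rva, = struct.unpack_from('<I', data, opt_off + 16)
    image_base, = struct.unpack_from('<I', data, opt_off + 28)
    size_of_image, = struct.unpack_from('<I', data, opt_off + 56)
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HEADER_FMT, data, sec_off + 40 * i)
        sections.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'),
                         'va': va, 'vsize': vsize, 'rawptr': rawptr, 'rawsize': rawsize})
    return {'opt_offset': opt_off, 'entry_rva': entry_rva, 'image_base': image_base,
            'size_of_image': size_of_image, 'sections': sections}


def section_for_rva(pe: dict, rva: int):
    """Return the section header containing an RVA, or None (header area or gap)."""
    for s in pe['sections']:
        if s['va'] <= rva < s['va'] + max(s['vsize'], s['rawsize']):
            return s
    return None


def rva_to_offset(pe: dict, rva: int):
    """Translate an RVA to a file offset; None if the RVA is unmapped or lies in the
    virtual-only tail of a section (data that exists only after in-memory unpacking)."""
    s = section_for_rva(pe, rva)
    if s is None:
        return None
    delta = rva - s['va']
    return s['rawptr'] + delta if delta < s['rawsize'] else None


def new_oep_from_va(pe: dict, oep_va: int) -> int:
    """Convert the OEP virtual address observed at runtime into the RVA stored in
    the dump, refusing values that fall outside the image."""
    rva = oep_va - pe['image_base']
    if not 0 <= rva < pe['size_of_image']:
        raise ValueError(f'OEP {oep_va:#x} lies outside the image based at {pe["image_base"]:#x}')
    return rva


def patch_entry_point(data: bytes, new_oep_rva: int) -> bytes:
    """Write the recovered OEP into AddressOfEntryPoint of a dumped header."""
    pe = parse_pe(data)
    out = bytearray(data)
    struct.pack_into('<I', out, pe['opt_offset'] + 16, new_oep_rva)
    return bytes(out)


if __name__ == '__main__':
    header = build_sample_pe()
    pe = parse_pe(header)
    print(f"packed entry RVA {pe['entry_rva']:#x} is in {section_for_rva(pe, pe['entry_rva'])['name']}")
    # Assumed: the breakpoint/trace stage reported the real OEP at VA 0x401234 (constructed value).
    oep_rva = new_oep_from_va(pe, 0x401234)
    dumped = patch_entry_point(header, oep_rva)
    print(f"new OEP RVA {oep_rva:#x} -> {section_for_rva(pe, oep_rva)['name']},"
          f" file offset {rva_to_offset(pe, oep_rva):#x}")
```

A useful sanity check when reviewing a dump is the section the new OEP lands in: if it still resolves to the packer stub section rather than the original code section, the breakpoint or trace stage stopped short of the real entry. `rva_to_offset` returning None for an RVA in the virtual-only part of a section is expected for packed binaries, since that memory is populated only after decompression and will need a rebuilt section table (as in claim 6) before it can be addressed in the file.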

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111052133.XA CN113868648A (en) 2021-09-08 2021-09-08 Automatic shelling engine implementation method for malicious files

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111052133.XA CN113868648A (en) 2021-09-08 2021-09-08 Automatic shelling engine implementation method for malicious files

Publications (1)

Publication Number Publication Date
CN113868648A true CN113868648A (en) 2021-12-31

Family

ID=78995004

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111052133.XA Pending CN113868648A (en) 2021-09-08 2021-09-08 Automatic shelling engine implementation method for malicious files

Country Status (1)

Country Link
CN (1) CN113868648A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114840858A (en) * 2022-05-23 2022-08-02 浙江网商银行股份有限公司 Vulnerability testing method and device
CN115827323A (en) * 2022-12-01 2023-03-21 摩尔线程智能科技(北京)有限责任公司 Method, apparatus and computer readable medium for restoring files
CN115827323B (en) * 2022-12-01 2024-02-02 摩尔线程智能科技(北京)有限责任公司 Method, apparatus and computer readable medium for restoring files
CN115951956A (en) * 2023-03-13 2023-04-11 中汽研软件测评(天津)有限公司 Android dynamic link library shelling method, equipment and medium
CN115951956B (en) * 2023-03-13 2023-06-06 中汽研软件测评(天津)有限公司 Android dynamic link library unshelling method, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination