JP2011014034A - Processor and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a processor and a program which are for reducing erroneous detection of detecting behaviors of a normal application or the like as abnormal behaviors.SOLUTION: An execution part 10 executes a first execution file generating another execution file. The execution part 10 executes a second execution file generated in execution of the first execution file, while an attribute different from that of the first execution file is given. Furthermore, the execution part 10 executes the second execution file while the same attribute as the first execution file is given. A determination part 14 compares execution results from execution of the second execution file with execution result in execution of the second execution file.

Description

  The present invention relates to a processing apparatus such as a PC (Personal Computer). The present invention also relates to a program for causing a computer to function as the processing apparatus.

  In recent years, damage caused by viruses called bots that cause a computer infected with a virus to perform malicious operations has been increasing. The bot is composed of malicious code having a function of establishing a communication session with an external command server and downloading a new code, a function of receiving a command for an attack, and a function of attacking according to the command.

  However, an increasing number of bots cannot be detected by pattern-matching anti-virus software. Therefore, as a method to detect bots, a detection method focusing on the act of reading its own code (Read) when the bot infects multiple files on the PC and the act of deleting the code to destroy evidence (Delete) Has been proposed (see Non-Patent Document 1, for example).

Takahiro Sakai, Takumi Hase, Keisuke Takemori, Masakatsu Nishigaki, “A Study on the Potential of Bot Detection by Detecting Self-File READ / DELETE”, Malware Countermeasure Research Human Resource Development Workshop 2008 (MWS2008), Session M6-2, 2008 October

  However, even in the process of a legitimate application installer, it is possible to read and copy its own code (self-replicating) and to erase the code after desired processing (self-erasing). There is a problem that a normal process of a part is erroneously detected as a bot process.

  The present invention has been made in view of the above-described problems, and an object of the present invention is to provide a processing device and a program that can reduce false detection of detecting behavior of a regular application or the like as abnormal behavior. .

  The present inventor has found that the behavior at the time of execution of the executable file differs between the regular application and the bot according to the attribute of the executable file. In other words, a legitimate application executable file (corresponding to the following second executable file) is different from the case where the same attribute as that of the installer executable file (corresponding to the following first executable file) is given. The execution result is the same when the attribute is assigned. On the other hand, the execution file of the bot (corresponding to the second execution file below) has the same attribute as the execution file (corresponding to the first execution file below) that generated the execution file. The execution result differs depending on when the different attribute is given.

  The inventor has also found that the behavior of an executable file differs between a legitimate application and a bot depending on the environment in which the executable file is executed. In other words, the executable file of the legitimate application (corresponding to the second execution file below) is executed in the same environment as the environment before the execution file of the installer (corresponding to the first execution file below) is executed. The execution results are the same when executed in different environments. On the other hand, the execution file of the bot (corresponding to the second execution file below) is the same as the environment before the execution file (corresponding to the first execution file below) that generated the execution file is executed. Execution results differ when executed in different environments and when executed in different environments.

  The present invention has been made in view of the above, and is generated when the first execution file for executing the first execution file for generating another execution file and the first execution file are executed. Second execution means for executing the second executable file in a state in which an attribute different from the attribute of the first executable file is given; and the second executable file with the attribute of the first executable file Third execution means that executes with the same attribute assigned, an execution result when the second execution means executes the second execution file, and the third execution means And a comparison means for comparing the execution result when the executable file is executed.

  The present invention also provides a first execution means for executing a first execution file for generating another execution file, and a second execution file generated when the first execution file is executed. Second execution means for executing in an environment different from the environment before the first execution file is executed; and the second execution file is the same as the environment before the first execution file is executed. Third execution means executed in the environment, execution result when the second execution means executes the second execution file, and when the third execution means executes the second execution file And a comparison means for comparing the execution results of the processing apparatus.

  In the processing apparatus of the present invention, when the second executable file is generated, a file name different from the first executable file is given to the second executable file, and the second execution means , Executing the second executable file in a state where the same file name as the file name given to the second executable file is given when the second executable file is generated, The execution means executes the second execution file with the same file name as that of the first execution file.

  The processing apparatus of the present invention further includes storage means for storing a hosts file that records the correspondence between the IP address and the host name, and the second execution means is configured to generate the second execution file when the second execution file is generated. The second execution file is executed in a state where the changed hosts file is stored in the storage means, and the third execution means has the same contents as before the first execution file is executed. The second executable file is executed in a state where the hosts file having the information is stored in the storage means.

  The processing apparatus of the present invention determines that the first executable file is a legitimate installer when the two execution results match as a result of the comparison by the comparing means, or the second executable file It is further characterized by further comprising determination means for determining that is a legitimate application.

  The processing apparatus according to the present invention also determines that the first execution file or the second execution file is a bot when the two execution results do not match as a result of the comparison by the comparison unit. The apparatus further comprises means.

  The present invention also provides a first execution means for executing a first execution file for generating another execution file, and a second execution file generated when the first execution file is executed. A second execution means for executing in a state in which an attribute different from the attribute of the first executable file is given; and the second executable file is given the same attribute as the attribute of the first executable file Third execution means executed in a state, execution result when the second execution means executes the second execution file, and when the third execution means executes the second execution file This is a program for causing a computer to function as comparison means for comparing the execution results of the above.

  The present invention also provides a first execution means for executing a first execution file for generating another execution file, and a second execution file generated when the first execution file is executed. Second execution means for executing in an environment different from the environment before the first execution file is executed; and the second execution file is the same as the environment before the first execution file is executed. Third execution means executed in the environment, execution result when the second execution means executes the second execution file, and when the third execution means executes the second execution file This is a program for causing a computer to function as comparison means for comparing the execution results of the above.

  According to the present invention, the execution result when the second execution means executes the second execution file is compared with the execution result when the third execution means executes the second execution file. In addition, it is possible to reduce false detection in which the behavior of a legitimate application is detected as abnormal behavior.

It is a block diagram which shows the hardware constitutions of the processing apparatus by one Embodiment of this invention. It is a block diagram which shows the function structure of the processing apparatus by one Embodiment of this invention. It is a reference figure showing operation of a processing unit by one embodiment of the present invention. It is a reference figure showing operation of a processing unit by one embodiment of the present invention. It is a reference figure which shows the behavior of a bot. It is a reference figure which shows the behavior of a bot. It is a reference figure which shows the behavior of a regular application. It is a reference figure which shows the behavior of a bot. It is a reference figure which shows the behavior of a regular application. It is a reference figure which shows the contents of the falsified hosts file.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. First, the difference between bot behavior and legitimate application behavior is explained. FIG. 5 shows the behavior of the bot. If the bot is stored in a folder other than the system folder or the like that is a latent destination, the bot exhibits behavior as an installer and performs self-replication in the hidden folder.

  As shown in FIG. 5, when an execution file (executable file with an extension of .exe or the like) of the bot 500 is executed (started), the bot 500 expands (decompresses and expands) the compressed file and expands it. The execution file of the subsequent bot 510 is stored in a hidden folder (system folder or the like). When the execution file of the bot 510 is executed, the bot 510 performs various attacks to the outside. In some cases, the bot 500 may operate as a downloader. In this case, the execution file of the bot 510 is downloaded via the network and stored in the hidden folder.

  Usually, even if the executable file is the same, the bot behaves differently depending on the attribute of the executable file. This attribute is specifically a file name given to the executable file. As shown in FIG. 6, when the execution file of the bot 600 is executed, the bot 600 expands the compressed file, and stores the expanded execution file of the bot 610 in the hidden folder. At this time, a file name different from the file name of the bot 600 is randomly selected and given to the execution file of the bot 610. Specifically, the executable file name of the bot 610 is a file name similar to that of an existing process such as spooIsv.exe, spoolsvc.exe (similar to spoolsv.exe), Isass.exe, lssas.exe (lsass.exe). It is similar to exe), and firewall.exe, which is a file name that does not exist as an existing process but is likely to exist as an existing process. The bot holds a list in which such file names are described, and it is considered that when an executable file is expanded, an arbitrary file name is selected from the list and given to the executable file.

  When the execution file of the bot 610 is executed, the bot 610 performs various attacks to the outside. On the other hand, when the execution file 610a in which the file name of the execution file of the bot 610 is changed to the same name as the execution file of the bot 600 is executed, the following behavior is observed. That is, the bot 610a shows the same behavior as the bot 600, and stores the execution file of the bot 620 in the hidden folder. As described above, since an arbitrary file name is selected from the list and given to the execution file of the bot 620, the file names of the execution files of the bots 610 and 620 are usually different. As described above, even if the execution files are the same, the bot exhibits different behaviors depending on the file name of the execution file.

  On the other hand, the legitimate application shows the same behavior regardless of the file name of the executable file. FIG. 7 shows the behavior of a legitimate application. As shown in FIG. 7, when the execution file of the installer 700 is executed, the installer 700 expands the compressed file and stores the expanded execution file 710 in a folder (system folder or the like) of the expansion destination. At this time, a file name different from the file name of the execution file 700 is given to the execution file 710.

  When the execution file 710 is executed, processing related to the function as an application (reading and editing of a file specified by the user) is executed. On the other hand, when the execution file 710a in which the file name of the execution file 710 is changed to the same name as the file name of the execution file 700 is executed, the following behavior is observed. That is, the execution file 710a exhibits the same behavior as before the file name is changed, and executes processing related to the function as an application. As described above, the legitimate application exhibits the same behavior regardless of the file name of the executable file. Therefore, it is possible to distinguish between a bot and a legitimate application or its installer by using the difference in behavior described above.

  There are also the following differences between bot behavior and legitimate application behavior. Usually, bots tamper with the hosts file when expanding executables for hidden purposes. The hosts file is a file that records the correspondence between IP addresses and host names. FIG. 10 shows the contents of the hosts file altered by the bot.

  The IP address “127.0.0.1” is an IP address called a loopback address assigned to the host itself. The character string written on the right side of the loopback address is the host name. The second and subsequent lines of the hosts file shown in FIG. 10 are portions that have been tampered with by the bot. Since the IP address of the site that updates a commercially available antivirus (AV) pattern file (definition file) points to itself, the host having this hosts file cannot update the definition file. As mentioned above, the bot prevents the acquisition of new anti-virus pattern files by falsifying the hosts file.

  Usually, even if the executable file is the same, the bot behaves differently depending on the environment when the executable file is executed. Specifically, this environment is the state (contents) of the above hosts file. As shown in FIG. 8, when the execution file of the bot 800 is executed, the bot 800 stores the execution file of the bot 810 in the hidden folder. Assume that the hosts file has been tampered with.

  If the execution file of the bot 810 is executed with the hosts file still falsified, the bot 810 performs various attacks to the outside. On the other hand, when the hosts file is returned to the state before falsification and the execution file is executed, the following behavior is observed. That is, when the execution file of the bot 810 is executed with the hosts file returned to the state before the falsification, the bot 810 shows the same behavior as the bot 800 and stores the execution file of the bot 820 in the hidden folder. In addition, falsify the hosts file. As described above, even if the execution file is the same, the bot exhibits different behavior depending on the environment when the execution file is executed.

  On the other hand, legitimate applications exhibit the same behavior regardless of the status of the hosts file. FIG. 9 shows the behavior of a regular application. As shown in FIG. 9, when the execution file of the installer 900 is executed, the installer 900 expands the compressed file and stores the expanded execution file 910 in the expansion destination folder (system folder or the like). At this time, it is assumed that the hosts file has been changed.

  When the execution file 910 is executed in a state where the hosts file remains changed, processing relating to the function as an application is executed. On the other hand, when the hosts file is returned to the state before falsification and the execution file is executed, the following behavior is observed. That is, when the execution file 910 is executed with the hosts file returned to the state before the change, the execution file 910 shows the same behavior as the execution file 900 and executes processing related to the function as an application. As described above, legitimate applications exhibit the same behavior regardless of the state of the hosts file. Therefore, it is possible to distinguish between a bot and a legitimate application or its installer using the difference in behavior described above.

  FIG. 1 shows the hardware configuration of the processing apparatus according to the present embodiment. The processing apparatus shown in FIG. 1 includes a CPU 1, an operation unit 2, a display unit 3, a RAM 4 (memory), and an HDD 5 (hard disk drive), which are connected by a bus B. The CPU 1 implements various functions by reading various programs stored in the HDD 5 into the RAM 4 and executing processes according to the programs. The operation unit 2 is a mouse or a keyboard that is operated by a user. The display unit 3 is a liquid crystal display or the like that displays a result of processing executed by the processing device.

  The RAM 4 temporarily stores programs executed by the CPU 1 and data necessary for calculation. The HDD 5 stores an application program that defines processing executed by various applications, a file created by the application, a system file necessary for operating an OS (operating system), and the like.

  FIG. 2 shows a functional configuration of the processing apparatus according to the present embodiment. FIG. 2 shows only the functional configuration necessary for the description of the present embodiment. The execution unit 10, the file name change unit 11, the change detection unit 12, the execution result acquisition unit 13, and the determination unit 14 correspond to each process when the CPU 1 executes a process related to each function. The HDD 5 has a system folder in which system files are stored and folders other than the system folder. Various files are stored in each folder. Each folder may be stored in a single HDD, or each folder may be distributed and stored in a plurality of HDDs.

  The processes executed by the execution unit 10, the file name change unit 11, the change detection unit 12, the execution result acquisition unit 13, and the determination unit 14 illustrated in FIG. 2 are as follows. The execution unit 10 executes the execution file. The file name changing unit 11 changes the file name of the execution file. The change detection unit 12 detects a change in the hosts file stored in the folder in the HDD 5. When the execution file is executed, the execution result acquisition unit 13 monitors processing related to the execution and acquires the execution result. The determination unit 14 compares execution results when the execution files are executed under different conditions, and determines whether the execution file is a bot or a regular application (or its installer) based on the comparison results.

  Next, the operation of the processing apparatus according to the present embodiment will be described. First, a first operation example will be described with reference to FIG. In the first operation example, paying attention to the file name, it is determined whether the execution file is a bot or a legitimate application (or its installer).

  Specifically, it is as follows. An executable software execution file 300 acquired from a network, a CD-ROM, or the like is placed in an arbitrary folder. When the execution unit 10 executes the execution file 300, the execution file 310 to which a file name different from that of the execution file 300 is assigned is expanded in the expansion destination folder. Subsequently, the execution unit 10 executes the execution file 310. At this time, the execution result acquisition unit 13 monitors the execution of the execution file 310, acquires the execution result (hereinafter referred to as execution result C), and stores it in the RAM 4.

  Subsequently, the file name changing unit 11 changes the file name of the execution file 310 to the same file name as the file name of the execution file 300. Subsequently, the execution unit 10 executes the execution file 310a whose file name has been changed. At this time, the execution result acquisition unit 13 monitors the execution of the execution file 310a, acquires an execution result (hereinafter, referred to as an execution result C '), and stores it in the RAM 4.

  Subsequently, the determination unit 14 reads the execution result C and the execution result C ′ from the RAM 4 and compares the two. When the execution result C matches the execution result C ′, the determination unit 14 determines that the execution file 310 is a legitimate application or the execution file 300 is a legitimate application installer. If the execution result C and the execution result C ′ do not match, the determination unit 14 determines that the execution file 310 or the execution file 300 is a bot.

  In this embodiment, as an example, attention is paid to two types of execution results, that is, a result of access to a file (file access) and a communication result. When paying attention to the result of file access, it is as follows. When the legitimate application is executed, the legitimate application reads a predetermined file stored in a predetermined folder in the HDD 5 regardless of the file name of the execution file. For example, in the case of word processing software, the file to be edited is read out. Therefore, in the case of a legitimate application, the execution result C and the execution result C ′ match. When the user designates a file to be edited, it is assumed that the same file is designated when the execution file 310 is executed and when the execution file 310a is executed.

  On the other hand, a bot behaves differently depending on the file name of its own executable file. In the case of a bot, for example, there are the following two types of file access patterns.

  In the first file access pattern, the executable file expanded in the hidden folder stores the command file received from the command server in the HDD 5 and stores the files necessary for the attack (for example, the text described in the spam mail) Read file) from the HDD 5. On the other hand, the execution file whose file name has been changed is determined that the installation has not been completed, and its own execution file stored in the HDD 5 is copied and stored in the hidden folder.

  In the second file access pattern, the executable file developed in the hidden folder reads a file necessary for the attack from the HDD 5. On the other hand, the executable file whose file name has been changed is determined that the installation has not been completed, and its own executable file stored in the HDD 5 is copied, stored in the hidden folder, and received from the command server. The command file is saved in the HDD 5. Therefore, in the case of a bot, the execution result C and the execution result C ′ do not match in either the first file access pattern or the second file access pattern.

  The determination unit 14 determines whether the file accessed by the execution file and the type of access (reading, writing, erasing) match between the execution result C and the execution result C ′. This makes it possible to distinguish between bots and legitimate applications or their installers. In order to make the above determination, it is necessary to monitor the file access performed by the process generated when the executable file is executed. As a tool for this monitoring, for example, File Mon (http://technet.microsoft .com / en-us / sysinternals / bb896642.aspx) can be used.

  When attention is paid to the communication result, it is as follows. When the executable file is executed, the browser, which is a legitimate application that communicates, communicates with the server that provides the home page to open the preset home page first, regardless of the executable file name. . Therefore, in the case of a legitimate application, the execution result C and the execution result C ′ match.

  On the other hand, a bot behaves differently depending on the file name of its own executable file. In the case of a bot, for example, there are the following two types of communication patterns.

  In the first communication pattern, the execution file expanded in the hidden folder performs communication for attack (reception of a command file from the command server and transmission of an attack packet to an external terminal). On the other hand, the executable file whose file name has been changed does not communicate when copying its own executable file.

  In the second communication pattern, the executable file expanded in the hidden folder performs communication for attack (transmitting attack packets to an external terminal) to the outside. On the other hand, the executable file whose file name has been changed copies its own executable file stored in the HDD 5, stores it in the hidden folder, and receives the command file from the command server. The command server and the external terminal to be attacked are different terminals. Therefore, in the case of a bot, the execution result C and the execution result C ′ do not match in either the first communication pattern or the second communication pattern.

  The determination unit 14 determines whether or not the combination of the FQDN (Fully Qualified Domain Name) and the port number of the communication destination performed by the execution file matches between the execution result C and the execution result C ′. This makes it possible to distinguish between bots and legitimate applications or their installers. In order to perform the above determination, it is necessary to monitor the communication performed by the process generated when the executable file is executed. As a method for performing this monitoring, for example, literature (Keisuke Takemori, Yu Miyake, “No operation” It is possible to use the method described in “Detection of virus infection focusing on packets transmitted from the host”, Jisho Kenho, CSEC36, pp.141-146, March 2007).

  Note that even if the execution file does not communicate, determination by the same method as described above is possible. Therefore, if the execution file does not communicate, some FQDN and port number are obtained as the execution result. It is desirable. For example, a predetermined character string and number that are not normally used may be used as the FQDN and port number of the execution result, respectively, and used for determination. In addition, the determination may be performed by a method other than the above method. For example, when two execution results to be compared are obtained as an execution result of communication and an execution result of no communication, two execution results are obtained. May be determined not to match.

  Next, a second operation example will be described with reference to FIG. In the second operation example, paying attention to the hosts file, it is determined whether the execution file is a bot or a legitimate application (or its installer).

  Specifically, it is as follows. An execution file 400 of development software acquired from a network, a CD-ROM, or the like is placed in an arbitrary folder. When the execution unit 10 executes the execution file 400, the execution file 410 is expanded in the expansion destination folder. At this time, the change detection unit 12 monitors the state of the hosts file stored in the HDD 5 and determines whether or not the contents of the hosts file have been changed. Note that the hosts file in the initial state is backed up to the HDD 5. When the change detection unit 12 detects a change in the hosts file, the execution unit 10 executes the execution file 410. At this time, the execution result acquisition unit 13 monitors the execution of the execution file 410, acquires the execution result (hereinafter referred to as execution result C), and stores it in the RAM 4.

  Subsequently, the change detection unit 12 returns the contents of the hosts file to the state before the execution of the execution file 410 using the backup of the hosts file stored in the HDD 5. Subsequently, the execution unit 10 executes the execution file 410. At this time, the execution result acquisition unit 13 monitors execution of the execution file 410, acquires an execution result (hereinafter referred to as an execution result C ′), and stores it in the RAM 4.

  Subsequently, the determination unit 14 reads the execution result C and the execution result C ′ from the RAM 4 and compares the two. When the execution result C matches the execution result C ′, the determination unit 14 determines that the execution file 410 is a legitimate application or the execution file 400 is a legitimate application installer. If the execution result C and the execution result C ′ do not match, the determination unit 14 determines that the execution file 410 or the execution file 400 is a bot. The determination method by the determination unit 14 is the same as in the first operation example.

  As described above, according to the present embodiment, it is possible to distinguish between a bot and a legitimate application or its installer by comparing the execution result according to the name of the execution file or the execution result according to the contents of the hosts file. It becomes possible. Accordingly, it is possible to reduce false detection of detecting the behavior of a legitimate application as an abnormal behavior.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. . For example, a program for realizing the operation and function of the processing apparatus may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by the computer and executed.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

  DESCRIPTION OF SYMBOLS 1 ... CPU, 2 ... Operation part, 3 ... Display part, 4 ... RAM, 5 ... HDD (memory | storage means), 10 ... execution part (execution means), ... File name change unit, 12 ... change detection unit, 13 ... execution result acquisition unit, 14 ... determination unit (comparison unit, determination unit)

Claims (8)

First execution means for executing a first execution file for generating another execution file;
Second execution means for executing the second executable file generated when the first executable file is executed in a state in which an attribute different from the attribute of the first executable file is given;
Third execution means for executing the second executable file in a state in which the same attribute as the attribute of the first executable file is given;
A comparison unit that compares an execution result when the second execution unit executes the second execution file and an execution result when the third execution unit executes the second execution file;
A processing apparatus comprising: First execution means for executing a first execution file for generating another execution file;
Second execution means for executing the second executable file generated when the first executable file is executed in an environment different from the environment before the first executable file is executed;
Third execution means for executing the second executable file in the same environment as the environment before the first executable file is executed;
A comparison unit that compares an execution result when the second execution unit executes the second execution file and an execution result when the third execution unit executes the second execution file;
A processing apparatus comprising: When the second executable file is generated, the second executable file is given a file name different from that of the first executable file,
The second execution means executes the second executable file in a state in which the same file name as that given to the second executable file is assigned when the second executable file is generated. Run,
The processing apparatus according to claim 1, wherein the third execution unit executes the second execution file in a state where the same file name as the first execution file is given. It further comprises storage means for storing a hosts file that records the correspondence between IP addresses and host names
The second execution unit executes the second execution file in a state where the hosts file changed when the second execution file is generated is stored in the storage unit,
The third execution means executes the second execution file in a state where the hosts file having the same content as that before the execution of the first execution file is stored in the storage means. The processing apparatus according to claim 2, wherein the processing apparatus is characterized.   When the two execution results match as a result of the comparison by the comparison means, it is determined that the first executable file is a regular installer, or the second executable file is determined to be a regular application. The processing apparatus according to claim 1, further comprising a determination unit.   The comparison unit further includes a determination unit that determines that the first execution file or the second execution file is a bot when the two execution results do not match as a result of the comparison by the comparison unit. The processing apparatus in any one of Claims 1-4. First execution means for executing a first execution file for generating another execution file;
Second execution means for executing the second executable file generated when the first executable file is executed in a state in which an attribute different from the attribute of the first executable file is given;
Third execution means for executing the second executable file in a state in which the same attribute as the attribute of the first executable file is given;
Comparison means for comparing the execution result when the second execution means executes the second execution file and the execution result when the third execution means executes the second execution file;
As a program to make the computer function. First execution means for executing a first execution file for generating another execution file;
Second execution means for executing the second executable file generated when the first executable file is executed in an environment different from the environment before the first executable file is executed;
Third execution means for executing the second executable file in the same environment as the environment before the first executable file is executed;
A comparison unit that compares an execution result when the second execution unit executes the second execution file and an execution result when the third execution unit executes the second execution file;
As a program to make the computer function.

Images