JP6297425B2 - Attack code detection apparatus, attack code detection method, and program - Google Patents

Description

  The present invention relates to a technology for detecting a malicious program aimed at a vulnerability of a computer.

  Attacks by malicious programs aimed at computer vulnerabilities are an important issue. Usually, when a vulnerability of a computer system is revealed by such an attack, a vulnerability patch for eliminating the vulnerability is released and distributed to users. However, before the vulnerability patch is released, attack methods and tools become public, and there is no end to zero-day attacks where attacks are conducted.

  The feature of the above attack is that a code reuse attack technique represented by ROP (Return Oriented Programming) is often used in order to avoid computer-side defense techniques such as DEP (Data Execution Prevention). It is. In order to accurately grasp code reuse, it is necessary to grasp the memory state on the computer side. For example, Patent Literature 1 discloses a technique for grasping a memory state on the host computer side to avoid an attack.

  Moreover, in recent targeted attacks, a malicious document file in which an attack code is embedded is sent, and the victim opens the file, thereby causing malware infection and the like, and often exploiting information. There is a case where such a malicious document file includes an ROP attack code for the latest file. For example, Patent Document 2 describes a technique for dynamically detecting a malicious shell code or the like from a document file.

JP 2011-258019 A JP 2013-239149 A Mamoru Mimura, Hidehiko Tanaka: Handy Scissors: Automatic extraction tool for executable files embedded in malicious document files, Journal of Information Processing Society of Japan, Vol.54, No.3, pp.1211-1219 (Mar. 2013). Yuhei Otsubo, Mamoru Mimura, Hidehiko Tanaka: Detection of malicious MS document file detection method by file structure inspection, IPSJ SIG, Vol.2013-IOT-22, No.16 (2013). Boldewin, F .: Analyzing MSOffice malware with OfficeMalScanner (2009), http://www.reconstructer.org/code.html

  However, for example, a technique for detecting an attack code (malicious shell code or the like) by dynamic analysis as described in Patent Document 2 is dangerous because the test environment may be damaged by the attack code. There is a problem that analysis takes time and effort, for example, it is necessary to prepare a specific environment that appropriately matches the version and patch level of the OS and application in order to operate the exploit code.

  The present invention has been made in view of the above points, and an object thereof is to provide a technique for detecting an attack code in input data such as a document file by static analysis.

According to an embodiment of the present invention, an attack code detection device for detecting an attack code from input data,
Obtaining means for extracting a plurality of partial data strings having a predetermined data length from the input data;
For the plurality of partial data strings, evaluation means for evaluating the degree to which the numerical values of the partial data strings are concentrated in a predetermined range;
There is provided an attack code detection device comprising: output means for outputting the detection result of the attack code in the input data based on the evaluation result by the evaluation means.

Further, according to the embodiment of the present invention, there is an attack code detection method executed by an attack code detection device that detects an attack code from input data,
The attack code detecting device obtains a plurality of partial data strings having a predetermined data length from the input data; and
The attack code detection device, for the plurality of partial data strings, an evaluation step for evaluating the degree to which the numerical values of the partial data strings are concentrated in a predetermined range;
An attack code detection method is provided, wherein the attack code detection device includes an output step of outputting a detection result of the attack code in the input data based on an evaluation result in the evaluation step.

  A technique for detecting an attack code in input data such as a document file by static analysis can be provided.

It is a figure for demonstrating operation | movement of a malicious document file. It is a figure which shows the example of the content of the malignant document file containing a ROP code. It is a functional block diagram of the malicious document file detection apparatus 100 which concerns on embodiment of this invention. It is a figure for demonstrating the ROP code in a malicious document file. It is a figure which shows the example of a ROP code. It is a figure which shows the example of a memory area. 5 is a flowchart illustrating an operation example in an attack code determination unit 103. It is a figure which shows the example of the comparison between double words. 6 is a diagram illustrating pseudo code example 1. FIG. FIG. 10 is a diagram illustrating a pseudo code example 2;

  Embodiments of the present invention will be described below with reference to the drawings. The embodiment described below is only an example, and the embodiment to which the present invention is applied is not limited to the following embodiment. For example, in the present embodiment, the detection of the ROP code is described as an example, but the application destination of the present invention is not limited to this, and the present invention can also be applied to other attack codes having the same characteristics as the ROP code. .

(About attack codes and defense mechanisms)
In the embodiment of the present invention, a technique for statically specifying an ROP code from a document file is provided. In order to facilitate understanding of the technique, first, an existing attack code, a defense mechanism, and a technique for avoiding the attack code are provided. Etc. will be described.

  FIG. 1A is a diagram showing an execution operation of each code when a user opens a normal malicious document file on a computer. As shown in FIG. 1A, when a user opens a malicious document file, an exploit code that attacks the vulnerability of the browsing software is activated first. The exploit code plays a role until the control right of the browsing software can be controlled. When control is taken, the shellcode is executed. The shell code extracts and executes an executable file (malware) embedded in the document file. When the malware is executed, for example, exploitation of user information is performed.

  There is DEP (Data Execution Prevention) as a technique for preventing execution of the malicious shell code as described above. The shell code that is controlled and placed by the exploit code is placed not in the program area on the memory but in a data area called a stack or heap. DEP is a function that prevents the execution of code arranged in such a data area. DEP works by marking that a particular portion of memory is only intended for data retention and by the processor recognizing that area is not executable.

  ROP is one of the methods for avoiding DEP. ROP connects the code fragments (called ROPgadget) that end with a return (ret instruction) to realize the processing that is to be executed. The address of the code that is to be executed is accumulated on the stack, and the processing is performed accordingly. By adjusting to jump, it is possible to execute various codes intended by the attacker. In this case, since code execution is performed in a normal code area, protection by DEP does not work.

  However, since it is difficult to perform complicated processing using only ROP, using ROP, an instruction to change the execution right of the data area, that is, an instruction to release DEP (eg, VirtualProtect function) is executed. Thus, control is performed to make the shell code arranged in the data area executable and execute the shell code.

  As a technique for avoiding ROP, there is ASLR (Address Space Layout Randomization). ASLR randomizes the address space when the OS is started, and this can counter an attacker using an API function or a fixed known address of the stack heap.

  However, for example, when the OS is a 32-bit OS, the attacker can avoid ASLR within the actual time and the actual number of trials by scanning a randomized address space to find a necessary address. Some DLLs (Dynamic Link Libraries) are not randomized, and a technique exploiting this is used. Even when randomization is performed by ASLR, there is a method of dynamically assembling an ROP code by obtaining a base address of a specific DLL using vulnerability.

  FIG. 1B is a diagram for explaining an operation example of a malicious document file including an ROP code that avoids a defense mechanism such as DEP.

  FIG. 1B differs from FIG. 1A in that ROP code execution and decryption code execution are included. In the case of FIG. 1B, an encrypted shell code is used, and the shell code is executed after being decrypted by the decryption code. Further, in order to execute the decryption code, an execution authority is required in the memory area where the decryption code is arranged, and therefore the ROP code for avoiding DEP is executed. In addition to the ROP code (or in place of the ROP code), a structured exception handling (SEH) code is often executed in order to succeed in a stable attack.

(About detection target code in the present embodiment)
FIG. 2 shows an example of the contents of a malicious document file including a malicious code such as an ROP code. The ROP (including SEH) code part in the malicious document file shown in FIG. 2 is arranged outside the subsequent decryption code part for the purpose of avoiding DEP and stable operation as described above, and gives the right to execute the decryption code. . Since the ROP code is arranged outside the decryption code portion, it is not encrypted. However, since the ROP code is about 100 bytes and the SEH code is about 10 bytes, and the SEH code is short, it is considered difficult to capture the characteristics. In this embodiment, the characteristics of the ROP code are captured by static analysis. Thus, the presence or absence of the ROP code in the document file is determined, and it is determined whether or not the document file is a malicious document file. Thus, since the ROP code cannot be included in the decrypted code and appears in plain text, it can be detected at high speed by static analysis.

  In order to identify a document file as a malicious document file, any malicious code in the document file need only be detected. From the viewpoint described below, in the present embodiment, various types of files included in the malicious document file are detected. Among malicious codes, ROP codes are targeted for detection.

  Since the exploit code part is a code for invoking a vulnerability, it is easy to identify because the feature appears easily and intentional encryption is difficult, but it cannot be identified in the case of an unknown vulnerability such as zero day. In addition, the decryption code part is composed of about several tens of bytes for the purpose of decrypting the encrypted shell code, and is often simple using a logical operation such as XOR, and is difficult to distinguish from a normal code. In the case of an encoder that generates a polymorphic code, there is a possibility that the size increases and a feature can be captured.

  The shellcode part has some common features. Among them, many codes can be determined because they refer to PEB (Process Environment Block) for self-resolution of API function addresses. However, encryption and obfuscation are easily performed, and in particular, when multi-encoding, which is a method of performing encryption multiple times, is difficult to detect, it is not targeted.

  On the other hand, as described above, since the ROP code cannot be included in the decrypted code and appears in plain text, it can be detected at high speed by static analysis. In addition, the ROP code for an unknown DLL that does not depend on a known character string such as an argument of a specific function can be detected by the method of the present embodiment.

(Device configuration)
FIG. 3 is a functional configuration diagram of the malicious document file detection apparatus 100 according to the embodiment of the present invention. The malicious document file detection apparatus 100 may be installed offline, and may detect a malicious document file by manually inputting a document file (input data) to be inspected. Alternatively, the malicious document file detection apparatus 100 may be installed on the network and on the network. It is good also as detecting a malignant document file by acquiring a document file. The malicious document file detection device 100 may be referred to as an attack code detection device. Further, the “document file” in the present embodiment is not limited to a specific type, and may be any type. Further, the attack code detection target is not limited to the document file, and the attack code can be detected from arbitrary input data by the technique according to the present invention.

  As illustrated in FIG. 3, the malicious document file detection apparatus 100 includes a document file input unit 101, a document file storage unit 102, an attack code determination unit 103, and a determination result output unit 104.

  The document file input unit 101 inputs a document file to be inspected as to whether or not it is a malicious document file. The input document file is stored in the document file storage unit 102. The attack code determination unit 103 determines whether the attack code is included in the document file by statically analyzing the target document file. In the present embodiment, the attack code that is subject to presence / absence determination is an ROP code. The processing content of the attack code determination unit 103 will be described later.

  The determination result output unit 104 outputs the determination result of the attack code presence / absence by the attack code determination unit 103. If the determination result that there is an attack code is obtained, it can be determined that the target document file is a malicious document file.

  The malicious document file detection apparatus 100 according to the present embodiment can be realized, for example, by causing one or a plurality of computers to execute a program describing the processing contents described in the present embodiment. That is, the function of the malicious document file detection apparatus 100 is to execute a program corresponding to processing executed by the malicious document file detection apparatus 100 using hardware resources such as a CPU, memory, and hard disk built in the computer. This can be realized by doing so. Further, the program can be recorded on a computer-readable recording medium (portable memory or the like), stored, or distributed. It is also possible to provide the program through a network such as the Internet or electronic mail.

(About the internal structure of the ROP code)
Since the processing content in the attack code determination unit 103 in the present embodiment is closely related to the internal configuration of the ROP code, the internal configuration of the ROP code will be described here.

  As described above, the ROP code can execute any code by avoiding DEP by connecting and using the code portion of the memory area to which execution is authorized.

  As a result of the investigation by the inventor, when ROP code is used as attack code, only shell code having a high degree of freedom is written using ROP, but only execution authority is given to the subsequent code area. I know it ’s not there. Examples of functions that can be given execution authority include VirtualProtect, VirtualAlloc, HeapCreate, SetProcessDEPPolicy, WriteProcessMemory, NtSetInformationProcess, and the like.

  The ROP code includes an ROPgadget code related to an API function (eg, VirtualProtect function) that controls DEP, an ROPgadget code (referred to as a normal ROPgadget code) used to prepare appropriate arguments for these functions, a function, and the like. Arguments are included. The attacker appropriately stacks these two types of ROPgadget code and arguments on the stack, executes the ROP code, grants execution authority to the memory area of the shell code placement area, and avoids DEP. When DEP is avoided, the next process such as execution of a decoded code is started.

  An attacker tries to use a ROPgadget code that exists as a fixed value in the memory space in order to succeed in a stable attack. This is difficult when the ASLR is functioning, but there is a workaround described above. As a result of an investigation by the inventors, there are many attack methods using the physical address of a module that does not support ASLR, and conversely, since the number of modules that do not support ASLR is limited, the number of ROPgadget codes that are used is limited, A detection method using the feature relating to the physical address is effective.

  For example, the ROP code in the malicious document file is configured as shown in FIG. 4 in order to create a stack state as described above. Each square in FIG. 4 represents one byte. In the 32-bit environment, each of the ROPgadget code related to the API function that controls the DEP indicated by B and the normal ROPgadget code indicated by A are 4-byte physical memory addresses.

  It is conceivable that the ROP code is detected by detecting a known address used by the attacker by using such a characteristic of the ROP code. However, there are attack methods that use unknown ASLR non-compliant physical addresses, or there are attack methods that use specific DLL base addresses dynamically in attack codes even with ASLR compatible DLLs. The detection of the ROP code by the method of detecting a known address becomes difficult.

  Therefore, in the present embodiment, a technique for detecting the ROP code by a method independent of a physical address such as a specific DLL is used.

  An example of an ROP code created from a DLL that does not support ASLR is shown in FIG. In FIG. 5, the addresses are arranged in little endian. Since the base address of the DLL is non-ASLR, it is always fixed and loaded to 0x7C340000 to 0x7C396000. From this, the generated ROPgadget has an upper byte of 0x7C3 and appears in a 4-byte cycle as shown by shading in FIG.

  FIG. 6 is a diagram showing a memory space in the 32-bit OS. FIG. 6 shows an area where the above-described DLL is loaded. The DLL given as an example in FIG. 5 is loaded in the hatched portion in FIG. 6 and abused as ROPgadget. In addition, since many DLLs that are abused are loaded not in the kernel area but in the user area, the physical address in the ROP code using the DLL is considered to be 0x7FFFFFFF at the maximum. That is, it is considered that the kernel area addresses from 0x80000000 to 0xFFFFFFFF shown in gray in FIG. 6 are not used.

  In addition, in the part shown in white in FIG. 5, the value from the 40th byte to the 47th byte is 0x40000000, which is an argument necessary for granting the execution right in the VirtualProtect function. In addition, in FIG. 5, the white part character string excluding the halftone is one of the characteristics that is not scattered, such as 0x00 and 0xFF which are often found in general document files.

  As in the above example, an attacker using a ROP code finds a non-ASLR DLL and uses its fixed address. Therefore, the ROP code has a feature that physical addresses concentrated in a specific address space are continuous. is there. Or, even in the case of an ASLR compatible DLL, it is possible to use a fixed address by knowing the base address of the DLL using the vulnerability, so even in the case of an ASLR compatible DLL, It is considered that there is a feature that physical addresses concentrated in a specific address space are continuous.

(Operation example of attack code detection unit 103)
The attack code detection unit 103 performs processing for determining the presence or absence of the ROP code by detecting the above-described features from the document file.

  An outline of the processing of the attack code detection unit 103 will be described with reference to the flowchart of FIG. The processing shown in FIG. 7 is performed in order from the first byte data of the document file to be inspected as a malignant document file to the last byte data one byte at a time. The process may be terminated when all 25 double words cannot be acquired. Further, the processing may be terminated when a determination result indicating that the ROP code is detected is obtained.

  As a premise of the processing of FIG. 7, it is assumed that a document file to be inspected as a malignant document file is input from the document file input unit 101 and the document file is stored in the document file storage unit 102. The attack code detection unit 103 reads document file data from the document file storage unit 102, and executes processing described below.

  In step 101, the attack code determination unit 103 acquires a double word, which is data of 4 bytes, from the current byte position (the first byte in the document file at the processing start time). In this example, it is assumed that character strings are arranged in little endian in a document file, and a double word is taken into consideration. The same applies to the following 25 double words.

  In step 102, the attack code determination unit 103 determines whether or not the acquired double word value is larger than a predetermined address. If larger, the process proceeds to step 103. If not larger, the process proceeds to step 104. In step 103, the attack code determination unit 103 advances the target byte in the document file by one byte and performs the processing from step 101 again.

  In the present embodiment, the predetermined address is the above-described maximum address 0x7FFFFFFF of the user area. In this example, it is assumed that the ROP code uses a program loaded in the user area as the ROPgadget, and an address larger than the maximum address of the user area is not included in the ROP code.

  In step 104, the attack code determination unit 103 acquires 25 double words consecutive from the current byte position from the document file, compares the 25 double words, and scores based on the presence or absence of a predetermined value in the 25 double words. Is calculated.

  An example of comparison processing between 25 double words will be described with reference to FIG. In the example of FIG. 8, the first double word is compared with each of the other 24 double words. In this example, the comparison processing determines whether or not the absolute value of the numerical difference between the double words to be compared is smaller than a predetermined threshold (or may be “below”), and adds a score if it is smaller. This process is an example of evaluating the degree to which the numerical values of the partial data strings are concentrated in a predetermined range. Note that the processing example in FIG. 8 is merely an example. For example, each double word may be compared with each other double word (25:25). Further, in order to evaluate the degree of concentration of the partial data string (double word) in a predetermined range, variance, entropy, etc. regarding the partial data string may be calculated and compared with a predetermined threshold value.

  As described above, since the ROP code has a feature that physical addresses concentrated in a specific address space appear, this feature is to be found in the process of step 104.

  The predetermined value in the presence / absence of a predetermined value in 25 double words is, for example, an argument necessary for changing the memory authority (eg, granting execution right) in the function for changing the memory authority (eg, VirtualProtect function) described above. Example: 0x40000000). If the predetermined value is present in 25 double words, the possibility that an ROP code exists in the document file is high, so a large score is added. Alternatively, the presence of the predetermined value may be a condition for determining that the ROP code exists. The predetermined value presence / absence check is not essential, and it is also possible to determine the presence / absence of the ROP code only by evaluating the degree to which the numerical values of the partial data strings are concentrated in a predetermined range.

  In step 105, the attack code determination unit 103 determines whether or not a predetermined detection condition is satisfied based on the 25 double word inspection result. If satisfied, the process proceeds to step 106. If not satisfied, the process proceeds to step 103. The predetermined detection condition is, for example, that the score is larger than a predetermined threshold, that the score is larger than the predetermined threshold, and that the predetermined value exists.

  In step 106, the attack code determination unit 103 notifies the determination result output unit 104 of a determination result indicating that the ROP code has been detected, and the determination result output unit 104 determines that the ROP code has been detected. Is output.

  FIG. 9 shows pseudo code example 1 corresponding to the processing executed by the attack code determination unit 103. Pseudo code example 1 shows basically the same processing as the processing shown in FIG. 7, but shows a more detailed processing example.

  In the process according to the pseudo code example 1, the attack code determination unit 103 checks the target document file as binary data for each byte from the top (lines 01 and 19). The attack code determination unit 103 reads the first double word (4 bytes) (02 lines), and satisfies the requirements existing in the user area (02 lines). 25 double words (100 bytes) consisting of 24 double words are inspected (lines 07 to 15).

  In this inspection process, the difference between double words is taken as shown in FIG. 8, and the score is raised when the difference falls below the threshold (line 08, line 09). In the example of FIG. 9, if there are arguments necessary for granting the execution right using the VirtualProtect function in 25 double words, the ROP flag is set (lines 12 and 13). In the example of FIG. 9, if the ROP flag stands and the score exceeds the threshold, it is determined that the ROP code has been found (lines 16 and 17).

  The threshold value (0x10000000) at line 08 in the example of FIG. 9 is obtained from the result of investigation of a typical DLL used for ROP by the inventor, but this is an example, and other threshold values are set. May be used.

  Further, it has been confirmed that there are some patterns other than 0x40000000 for the argument for determining whether to set the ROP flag, but there are not many.

  In the pseudo code example 1 shown in FIG. 9, an argument such as 0x40000000 is used as a determining factor for ROP code determination. However, this may not be used as a determining factor but may be a material for increasing the score. FIG. 10 shows a pseudo code example 2 which is a pseudo code example in that case.

  As shown in lines 12 and 13 in FIG. 10, when the double word matches the argument, the score is greatly increased. Other processes are the same as those in FIG.

  As in the example of FIG. 10, the ROP code can be detected only by the score. In FIG. 10, it is also possible to detect the ROP code without adding the argument score. As described above, in the method of detecting only by the score, it is possible to detect an ROP code in which an execution authority grant function whose function specification is unknown is used.

  As described above, in the case of a system in which the score is increased when the difference between double words is below a predetermined threshold, a benign document file including a double word having such a relationship is erroneously detected as a malignant document file. There is a possibility. Examples of such erroneous detection include a character string (eg, 0x00, 0x *** 0000) frequently used as a terminal character string in a benign document file and the same character string appearing in a 1-byte cycle. In either case, the configuration of the ROP code cannot be made, so that erroneous detection can be avoided by excluding these from the evaluation.

  Since a meaningless JUNK code (eg FFFFFFFF) is always included in the ROP code, one or more meaningless codes are defined and included in a plurality of partial data strings (double words) to be inspected. The number of meaningless codes to be added may be added to the determination condition. For example, if there are a predetermined number or more of meaningless codes, a process of adding a score can be performed.

  Further, in the present embodiment, a 32-bit environment is assumed, but the technology according to the present embodiment can be similarly applied to a 64-bit environment. In a 64-bit environment, the document file (input data) is divided into 8 bytes and evaluated.

(Summary of the embodiment, effects, etc.)
As described above, according to the present embodiment, an attack code detection device that detects an attack code from input data, the acquisition means for extracting a plurality of partial data strings having a predetermined data length from the input data; , For the plurality of partial data strings, evaluation means for evaluating the degree to which the numerical values of the partial data strings are concentrated in a predetermined range, and the detection result of the attack code in the input data based on the evaluation result by the evaluation means An attack code detecting device is provided.

  The evaluation means may further evaluate whether or not there is a partial data string corresponding to a specific numerical value for the plurality of partial data strings. The specific numerical value is, for example, an argument of a predetermined function that controls the right to execute code in the memory.

  For example, the evaluation unit evaluates whether or not the magnitude of the difference between the partial data strings is smaller than a predetermined threshold as an evaluation of the degree to which the numerical values of the partial data strings are concentrated in a predetermined range. The evaluation unit may exclude the partial data string from the evaluation target when the partial data string acquired by the acquisition unit indicates an address outside the user area in the memory space of the computer. . The attack code is, for example, an ROP code.

  According to the present embodiment, the ROP code can be specified by static analysis of the document file. In this embodiment, the analysis time is short, the analysis time is short, the analysis environment with multiple versions such as OS and document browsing software is unnecessary, the file is safe because it does not operate, etc. There are benefits. Also, by detecting the ROP code, it is possible to detect a malicious document file in which an attack code of an unknown vulnerability type such as zero day is embedded.

  As existing techniques for detecting a malicious code embedded in a malicious document file by static analysis, there are techniques described in Non-Patent Documents 1 to 3. Non-Patent Document 1 proposes Handy Scissors for automatically extracting an execution file (malware main body) embedded in a malicious document file by supporting a plurality of encoding methods or searching for a key by a brute force method.

  Non-Patent Document 2 proposes a technique for detecting a malicious document file by inspecting information on the size and structure of the document file. In Non-Patent Document 3, OfficeMalScanner is disclosed as a tool having a key search function.

  Although all have higher performance for detecting malicious documents as compared with existing anti-virus software, none of the detection methods by static analysis focusing on the characteristics of the ROP code as described in the present embodiment is shown. By using the technique according to the present embodiment, it can be expected to detect a malicious document file including an ROP code that cannot be detected by the techniques described in Non-Patent Documents 1 to 3.

  The present invention is not limited to the above-described embodiments, and various modifications and applications are possible within the scope of the claims.

DESCRIPTION OF SYMBOLS 100 Malignant document file detection apparatus 101 Document file input part 102 Document file storage part 103 Attack code determination part 104 Determination result output part

Claims (8)

An attack code detection device for detecting an attack code from input data,
Obtaining means for extracting a plurality of partial data strings having a predetermined data length from the input data;
For the plurality of partial data strings, evaluation means for evaluating the degree to which the numerical values of the partial data strings are concentrated in a predetermined range;
An attack code detection apparatus comprising: output means for outputting a detection result of the attack code in the input data based on an evaluation result by the evaluation means. The attack code detection apparatus according to claim 1, wherein the evaluation unit further evaluates whether or not there is a partial data string corresponding to a specific numerical value for the plurality of partial data strings. The attack code detection apparatus according to claim 2, wherein the specific numerical value is an argument of a predetermined function that controls an execution right of the code in the memory. The evaluation means evaluates whether or not the difference between the partial data strings is smaller than a predetermined threshold as an evaluation of the degree to which the numerical values of the partial data strings are concentrated in a predetermined range. The attack code detection device according to any one of claims 1 to 3. The evaluation means excludes the partial data string from the evaluation object when the partial data string acquired by the acquisition means indicates an address outside a user area in a memory space of a computer. Item 5. The attack code detection device according to any one of Items 1 to 4.   6. The attack code detection device according to claim 1, wherein the attack code is an ROP code.   The program for functioning a computer as each means in the attack code detection apparatus in any one of Claims 1 thru | or 6. An attack code detection method executed by an attack code detection device that detects an attack code from input data,
The attack code detecting device obtains a plurality of partial data strings having a predetermined data length from the input data; and
The attack code detection device, for the plurality of partial data strings, an evaluation step for evaluating the degree to which the numerical values of the partial data strings are concentrated in a predetermined range;
The attack code detection device comprises: an output step of outputting a detection result of the attack code in the input data based on an evaluation result in the evaluation step.