基于PE文件冗余的空间多态技术

计算机科学 ›› 2014, Vol. 41 ›› Issue (Z6): 347-351.

基于PE文件冗余的空间多态技术

顾鼎锋,马恒太

中国科学院软件研究所天基综合信息系统重点实验室北京100190;中国科学院大学北京100049;中国科学院软件研究所天基综合信息系统重点实验室北京100190

出版日期:2018-11-14 发布日期:2018-11-14
基金资助:
本文受科技部863计划(2012AA011206),中国科学院创新基金项目(CXJJ-11-S101)资助

Space Polymorphic Technique Based on Redundance of PE File

GU Ding-feng and MA Heng-tai

Online:2018-11-14 Published:2018-11-14

摘要/Abstract

摘要： 在传播过程中,越来越多的计算机病毒利用加密、多态、变形等技术来改变自身代码形态,提高自我保护能力,以躲避反病毒软件查杀。然而,传统的多态、变形技术存在体积膨胀、实现复杂等严重缺陷。针对这些问题,通过分析PE文件的框架结构,结合PE文件中存在冗余的特点,提出了空间多态的概念,并详细阐述了空间多态技术的工作原理,设计实现了空间多态引擎,最后进一步分析了空间多态技术的鲁棒性。

关键词: PE文件,恶意代码,空间多态,多态引擎中图法分类号TP309.5文献标识码A

Abstract: Many computer viruses use polymorphic and metamorphic techniques to mutate their code on each replication as they propagate,thus protecting themselves from antiviruses．However,there are still some disadvantages existing in traditional polymorphic and metamorphic techniques．These techniques are too difficult to implement．What`s more,it could lead to size expansion,when viruses spreading among computers．In response to these shortcomings,by analyzing the PE file frame structure,according to the characteristics that redundancy existing in the PE file,space polymorphic technique is proposed．Then,the principle of space polymorphic technique is introduced in detail,as well as the design implementation of space polymorphic engine．At last,robustness of space polymorphic technique is analysed for further research.

Key words: PE file,Malware,Space polymorphism,Polymorphic engine

顾鼎锋,马恒太. 基于PE文件冗余的空间多态技术[J]. 计算机科学, 2014, 41(Z6): 347-351. https://doi.org/

GU Ding-feng and MA Heng-tai. Space Polymorphic Technique Based on Redundance of PE File[J]. Computer Science, 2014, 41(Z6): 347-351. https://doi.org/

参考文献

[1] 肖英,邹福泰．计算机病毒及其发展趋势[J]．计算机工程,2011,37(11):149-151
[2] 吴伟民,范炜锋,王志月,等．基于特征码的PE文件自动免杀策略[J]．计算机工程,2012,38(12):118-121
[3] 范吴平．Win32PE文件病毒的检测方法研究[D]．成都:电子科技大学,2011
[4] 吴丹飞,王春刚,郝兴伟．恶意代码的变形技术研究[J]．计算机应用与软件,2012,29(3):74-77
[5] 周梅红,刘宇峰,胡晓雯,等．恶意代码多态变形技术的研究[J]．计算机与数字工程,2008,36(10):149-153
[6] Holloway R．University of London．Metamorphic Virus:Analysis and Detection[R]．Konstantinou E,Wolthusen S:Royal Holloway,University of London,2008
[7] 王清,等．0day安全:软件漏洞分析技术(第2版)[M]．北京:电子工业出版社,2011
[8] 汪洁,王建新,刘绪崇．基于近邻关系特征的多态蠕虫防御方法[J]．通信学报,2011,32(8):150-158
[9] Bashari B,Masrom M．Metamorphic Virus Detection in Portable Executables Using Opcodes Statistical Feature[C]∥Proceeding of the International Conference on Advanced Science,Enginee-ring and Information Technology．2011
[10] Corporation M．Microsoft Portable Executable and Common Object File Format Specification[EB/OL]．Revision 6.0,1999,2
[11] 白金荣,王俊峰,赵宗渠．基于PE静态结构特征的恶意软件检测方法[J]．计算机科学,2013,40(1):122-126
[12] 段钢．加密与解密(第2版)[M]．北京:电子工业出版社,2006
[13] 戚利．Windows PE权威指南[M]．北京:电子工业出版社,2011

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed