计算机工程与应用 ›› 2006, Vol. 42 ›› Issue (22): 8-.

• 博士论坛 • 上一篇    下一篇

基于特征提取的二进制代码比较技术

曾鸣,赵荣彩,姚京松,王小芹   

  1. 解放军信息工程大学信息工程学院
  • 收稿日期:2006-03-28 修回日期:1900-01-01 出版日期:2006-08-01 发布日期:2006-08-01
  • 通讯作者: 曾鸣 dianaming dianaming

Character-based Comparison of Executable Objects

,,,   

  1. 解放军信息工程大学信息工程学院
  • Received:2006-03-28 Revised:1900-01-01 Online:2006-08-01 Published:2006-08-01

摘要: 二进制代码比较技术在病毒变种分析,安全补丁分析,版本信息导出等许多领域都有着广泛的应用。在定义了基于图的二进制代码描述方法的基础上,从函数和基本块两个层次对近似的二进制代码进行比较,分析出它们之间相同的部分和差异信息。讨论了基于图的二进制文件特征的选取,利用特征比较和固定点传播算法,建立两份代码在函数和基本块两个级别的对应关系。本文给出了这种基于特征提取的二进制代码比较技术的实现框架,并列举了它在恶意软件变种分析,公开漏洞定位方面的利用实例。

关键词: 二进制代码比?, 函数控制流图, 恶意软件分析

Abstract: Executable objects comparison technology compares two different but similar executable objects to show their difference and similarity.It can be used for analysing malware variants ,porting recovered information between different disassemblies,locating changes in security updates. A method based on character comparison is presented in this article.Executable object is described by two kinds of graph:call graph of an executable and control flow graphs of functions. Characters of functions and basic blocks are defined and acquired from the graphs.Fixedpoint of nodes are located and propagated in the graphs.Results are mappings between the functions and basic blocks in the two executable objects.A frame work implementing the described methos is presented alone with two actual apllications in analysing malware variants and security updates analysing.

Key words: Executable Comparison, Control Flow Graph, Malware analysis