计算机工程与应用 ›› 2007, Vol. 43 ›› Issue (17): 24-28.

• 博士论坛 • 上一篇    下一篇

二进制代码中函数混淆调用的识别

曾 鸣,赵荣彩   

  1. 中国人民解放军信息工程大学 计算机科学与技术系,郑州 450002
  • 收稿日期:1900-01-01 修回日期:1900-01-01 出版日期:2007-06-11 发布日期:2007-06-11
  • 通讯作者: 曾 鸣

Identification of obfuscated function calls in binaries

ZENG Ming,ZHAO Rong-cai   

  1. Department of Computer Science,the PLA Information and Engineering University,Zhengzhou 450002,China
  • Received:1900-01-01 Revised:1900-01-01 Online:2007-06-11 Published:2007-06-11
  • Contact: ZENG Ming

摘要: 函数调用相关信息识别是二进制代码静态分析的基础,也是恶意代码分析的重要线索。二进制代码混淆技术通过对函数调用指令call、参数传递过程和调用返回过程的混淆来隐藏代码中函数的信息。这大大增加了程序逆向分析的难度,此技术被广泛应用在变形和多态病毒中,使其逃脱杀毒软件的查杀。论文给出了一种静态分析方法,引入了抽象栈图的概念,给出了其构造算法,利用它能够有效识别出代码中对函数调用的混淆。

Abstract: Identification of information about functions forms the base of static binary analysis and malicious code detection.A heuristic approach to detect metamorphic virus is to examine the calls a binary makes to the operating system.To avoid this,malicious code programmers hide the information about functions using a variety of obfuscations,including substitution of call with another equivalent instruction sequences,changing the normal form of parameters passing and returning process.These obfuscation methods introduce much difficulty for reverse code analysis.To deal with the problem,this article presents a static method which can detect obfuscated function calls in a binary efficiently.