Computer Engineering and Applications ›› 2011, Vol. 47 ›› Issue (10): 71-74.

• 网络、通信、安全 • Previous Articles     Next Articles

Virtual machine based self modifying code detection and monitoring

WU Bingzheng1,2,WU Yanjun1,HE Yeping1   

  1. 1.National Engineering Research Center of Fundamental Software,Institute of Software,CAS,Beijing 100190,China
    2.Graduate University of Chinese Academy of Sciences,Beijing 100190,China
  • Received:1900-01-01 Revised:1900-01-01 Online:2011-04-01 Published:2011-04-01

基于虚拟机架构的自修改代码监测技术

武炳正1,2,武延军1,贺也平1   

  1. 1.中国科学院 软件研究所 基础软件国家工程研究中心,北京 100190
    2.中国科学院 研究生院,北京 100190

PDF

Abstract: Self Modifying Code(SMC) is the common form of malware to disable the static analysis of reverse engineering techniques.It is difficult for traditional operating system to handle SMC efficiently.This paper presents a Virtual Machine (VM) based framework called CASMonitor,which can monitor the given process out of guest operating system dynamically and transparently,analyze the new code generated by SMC during runtime,for entry point detection or virus-scanning.Experiments on x86/Win32 show that it can handle various popular binary packers.

Key words: Virtual Machine(VM), Self Modifying Code(SMC), malware

摘要: 自修改代码技术是恶意程序用以防止反汇编静态分析的最常见技术。传统操作系统的恶意代码防范技术不能有效监测和防止自修改恶意代码的执行和传播。介绍了一个基于虚拟机架构对自修改代码进行监测和监控的方法CASMonitor,能够从虚拟机外部动态、透明地监控虚拟机内部指定程序的执行过程,监测代码的自修改行为,解析新生成代码的入口点,进而提供病毒扫描等功能。x86/Win32虚拟机架构下的实验表明,该技术能够处理多种自修改代码行为以及常见的加壳工具。

关键词: 虚拟机, 自修改代码, 恶意程序

京ICP备13024262号-1
Copyright © Computer Engineering and Applications
Powered by Beijing Magtech Co., Ltd.
Total visitors:
Visitors of today:
Now online: