The Research Of Code De-obfuscation Method Based On Program Slicing

Posted on: 2019-12-22
Degree: Master
Type: Thesis
Country: China
Candidate: X Wang
GTID: 2428330566495984
Subject: Information security

Abstract/Summary:
With the rapid development of Internet technology, malicious code also spreads wantonly across the network, which has brought a lot of inconvenience to people's Internet life. To prevent security personnel from analyzing and detecting their code, writers of malicious code often use code obfuscation to protect it. It is therefore very important to study code de-obfuscation techniques. Existing code de-obfuscation methods have several problems. First, the detection rate of dead code is low. Second, it is difficult to effectively detect useless variables in the source code. Finally, most de-obfuscation methods are designed for a particular programming language and their extensibility is poor. This paper studies a code de-obfuscation method based on program slicing, which is used to detect dead code and useless variables inserted into source code.

The main contents of this paper are as follows: (1) A dead code detection method based on program slicing is proposed. Combining static analysis and dynamic analysis, it detects two kinds of dead code that may exist in source code: irrelevant code and unreachable code. (2) An unused variable detection method based on a variable distance graph is proposed. The intermediate results of slice analysis are used to build the variable distance graph; the distance of variables on the graph is calculated and compared with a preset distance threshold to detect useless variables in the source code. (3) A dead code detection system framework based on the LLVM compiler framework is designed to detect dead code inserted into obfuscated code.

The experimental results show that: (1) The dead code detection method based on program slicing has a higher detection rate than the existing detection method. (2) The useless variable detection method based on the variable distance graph can effectively detect useless variables in the source code. (3) The dead code detection framework designed in this paper uses LLVM IR to transform the front-end language in a unified way, and has a certain degree of extensibility.
Keywords/Search Tags: Program Slicing, Code De-obfuscation, Dead Code, Useless Variables, LLVM Framework