
Research And Application On Automatic Acquisition Technology Of Malicious Code Behavior

Posted on: 2012-10-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y Z Yang
Full Text: PDF
GTID: 2568304886981229
Subject: Computer application technology
Abstract/Summary:
Malicious code running on the Windows operating system, such as computer viruses, trojans and worms, usually carries out its operations by calling the Win32 API that the Win32 subsystem environment provides. With the help of reverse engineering or debugging tools, an anti-virus expert can manually record the Win32 API calls and their parameters while the software is running and abstract its behavior features through rules in order to determine whether the software is malicious code. How to automate this manual analysis to complete the detection of malicious code has become a hot field in anti-malware research. Automated analysis of malicious code mainly consists of two key technologies: first, how to extract the API and parameter information of the malicious code; second, what kind of rule to use to express the malicious code behavior. The thesis presents an automatic technique to overcome these problems. The main work and contributions are as follows:

1. The system uses QEMU, an open-source full-system emulator, as the monitoring platform. The unknown software is monitored by modifying QEMU to generate an execution trace listing all invoked system calls and their parameters; the remote procedure call protocol and inter-process communication are then used to exchange data with the components external to QEMU, completing the automatic analysis of the unknown software. This method can effectively avoid the anti-debugging and encryption techniques of malicious code.

2. The thesis proposes a new method that uses dynamic taint analysis to associate the API sequence of the target program. First, function parameters whose types are handle, string or buffer, together with network data, are made the tainted sources; second, QEMU's dynamic binary translation is used to develop the propagation rules at the API layer and the instruction layer; third, the operation dependencies between API calls are extracted by recording the propagation path of the tainted sources, so as to provide the relevant data for extracting the typical behavior features of the target program and for building a behavior library.

Experimental results indicate that the tool can complete automated analysis of malicious code and is effective in extracting the behavior features of the target program. Compared to other similar tools, our tool achieves real-time dynamic monitoring and builds the dependencies between called functions automatically.
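As an added illustration of the second contribution (not code from the thesis or its tool), the following script applies an API-layer taint rule to a constructed Win32 call trace: handles, strings and buffers are taint sources, and a call depends on the earlier call that introduced any tainted value it consumes. The trace, the record layout and the function names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed Win32 API trace (not output of the thesis tool): each record is
# (seq, api_name, {input param: value}, {output name: value}). Handles, strings
# and buffers are the taint sources, and recv() is where network data enters.
TRACE = [
    (1, "socket",         {},                                          {"ret": 0x1a4}),
    (2, "recv",           {"s": 0x1a4},                                {"buf": b"MZ\x90\x00"}),
    (3, "CreateFileA",    {"lpFileName": r"C:\tmp\drop.exe"},          {"ret": 0x2b0}),
    (4, "WriteFile",      {"hFile": 0x2b0, "lpBuffer": b"MZ\x90\x00"}, {}),
    (5, "CloseHandle",    {"hObject": 0x2b0},                          {}),
    (6, "CreateProcessA", {"lpApplicationName": r"C:\tmp\drop.exe"},   {}),
    (7, "GetTickCount",   {},                                          {"ret": 4242}),
]

def _key(value):
    # Taint is tracked per value; tagging with the type keeps an integer handle
    # from colliding with an unrelated integer of the same magnitude.
    return (type(value).__name__, value)

def build_dependencies(trace):
    """API-layer propagation rule: a call depends on every earlier call that
    produced, or first introduced, a tainted value it consumes.
    Returns {consumer_seq: {(producer_seq, param_name), ...}}."""
    origin = {}                        # tainted value -> seq that introduced it
    deps = defaultdict(set)
    for seq, _name, inputs, outputs in trace:
        for param, value in inputs.items():
            key = _key(value)
            if key in origin:
                deps[seq].add((origin[key], param))  # edge: producer -> consumer
            else:
                origin[key] = seq      # handle/string/buffer parameter seen first here
        for value in outputs.values():
            origin[_key(value)] = seq  # returned handle / filled buffer: new source
    return dict(deps)

def taint_path(deps, seq):
    """Walk dependency edges backwards to recover the propagation path of
    tainted data into `seq`; returns the ancestor call seqs in trace order."""
    seen, stack = set(), [seq]
    while stack:
        for src, _param in deps.get(stack.pop(), ()):
            if src not in seen:
                seen.add(src)
                stack.append(src)
    return sorted(seen)

def behavior_chain(trace, seq):
    # The API names along the path form one candidate behavior feature.
    names = {s: n for s, n, _i, _o in trace}
    return [names[s] for s in taint_path(build_dependencies(trace), seq) + [seq]]
```

Running `behavior_chain(TRACE, 4)` yields `socket -> recv -> CreateFileA -> WriteFile`, the download-and-drop chain, while the unrelated `GetTickCount` call acquires no edges; a string-only link (the file name reused by `CreateProcessA`) ties call 6 back to call 3 but not to the written buffer, which is exactly the kind of gap the instruction-layer rules of the thesis are meant to close.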
Keywords/Search Tags: Malicious Code, QEMU, Behavior Monitor, Taint Analysis