Eureka AIR delivers breakthrough ideas for toughest innovation challenges, trusted by R&D personnel around the world.

Self-modifying code identification method based on hardware emulator

An identification method and simulator technology, applied in the field of self-modifying code identification based on hardware simulators, can solve the problems of static analysis method analysis capability constraints, static binary representation inconsistency, static analysis powerlessness, etc., to resist detection and improve transparency. , the effect of improving analysis efficiency

Active Publication Date: 2009-06-17
INST OF SOFTWARE - CHINESE ACAD OF SCI
View PDF0 Cites 13 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

However, with the increasing perfection and widespread use of anti-reverse analysis techniques such as SMC, the analysis ability of static analysis methods is subject to more and more constraints.
For the code protected by SMC technology, the actual executed code is often inconsistent with the static binary representation, so static analysis is almost powerless

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Self-modifying code identification method based on hardware emulator
  • Self-modifying code identification method based on hardware emulator
  • Self-modifying code identification method based on hardware emulator

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0026] The technical content of the present invention will be further described below in conjunction with the accompanying drawings.

[0027] refer to figure 1 , the present invention expands the translation code block of the hardware simulator system into a cache area of ​​the translation code block, and adds a shadow memory in the hardware simulator; when the program is running, intercepts the virtual system command to obtain the data information of the analysis target. Perform dynamic analysis on executable files in the modified hardware simulator, and identify and extract codes that are dynamically released into memory and executed during program execution by monitoring information such as memory write operations and control transfer instructions during program execution. Finally, using the control jump and other information obtained during the dynamic analysis process, the extracted code is restored to the original executable file, and a complete binary file with the same...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention belongs to the technical field of software security measurement and evaluation, especially relates to a self-modifying code recognition method based on a hardware simulator. The invention is provided with a marker in the hardware simulator in order to only execute a target executable file by one step and capture a virtual system execute instruction, the information in the process can be executed by using a shadow memory monitoring program, the code which is dynamically released into the memory and is executed can be recognized and executed in the course of program execution, so that data information of the analysis target can be acquired. The data acquisition of the invention is implemented by the simulation hardware, is not executed by placing the malevolence code on a true CPU, so the actual system can not be affected. The invention adopts the hardware simulator as a dynamic analysis platform, which can improve the transparency between the analysis platform and the code and can effectively defend against the detection of the code.

Description

technical field [0001] The invention belongs to the technical field of software safety evaluation, and in particular relates to a hardware simulator-based self-modifying code identification method. Background technique [0002] Self-modifying code (Self-Modifying Code, SMC) means that the code intentionally modifies its own code during execution, so that the actual running code is different from the static binary representation before execution, so as to hide information such as instructions and program execution flow. [0003] SMC is one of the technologies that can effectively resist static reverse analysis. It is widely used in the fields of software protection and malicious code. Increase the difficulty of reverse analysts' program analysis and understanding of protected code. [0004] Compared with the dynamic analysis method, the static analysis method has obvious advantages in terms of analysis comprehensiveness, etc., and it is still the most important code analysis...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): G06F9/45G06F21/22G06F21/14
Inventor 王祥根苏璞睿司端锋冯登国
Owner INST OF SOFTWARE - CHINESE ACAD OF SCI
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Eureka Blog
Learn More
PatSnap group products