Computer Engineering (计算机工程), 2009, Vol. 35, Issue 2: 15-17. doi: 10.3969/j.issn.1000-3428.2009.02.006

• Software Technology and Databases •

Identification of Abnormal Subroutine Returns in Executable Files

张一弛,庞建民,赵荣彩,韩小素   

  1. (Institute of Information Engineering, PLA Information Engineering University, Zhengzhou 450002)
  • Online: 2009-01-20 Published: 2009-01-20

Identification of Exception Return in Subroutine of Executable File

ZHANG Yi-chi, PANG Jian-min, ZHAO Rong-cai, HAN Xiao-su   

  1. (Institute of Information Engineering, PLA Information Engineering University, Zhengzhou 450002)
  • Online: 2009-01-20 Published: 2009-01-20

Abstract (translated from the Chinese): To counter the interference that abnormal subroutine returns cause to disassembly, this paper proposes a disassembly algorithm that can effectively defeat the technique. The algorithm scans the target executable in a two-pass decoding process and simulates the operations performed on the memory stack during execution, so that executables obfuscated in this way are decoded correctly. A comparison with the output of two widely used disassemblers, IDA Pro and objdump, shows that the algorithm effectively identifies abnormal subroutine returns and thereby raises the accuracy of disassembly.

Keywords: disassembly, code obfuscation, malware

Abstract: Malware writers use abnormal subroutine returns ("exception returns" in the title: a callee that alters its saved return address on the stack, so that control does not come back to the instruction following the call) to evade detection by malware detectors, because a disassembler that assumes the normal return decodes the wrong bytes. To defeat this technique, this paper proposes a disassembly algorithm that decodes the executable file in two passes and emulates the operations on the memory stack. Through this two-pass decoding and emulation the algorithm recognizes abnormal returns and so keeps the decoding process correct. Compared with two commonly used disassemblers, IDA Pro and objdump, the algorithm identifies this kind of return more reliably and improves the accuracy of disassembly.

Key words: disassembly, code obfuscation, malware
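As an added illustration (not code from the paper; the authors' own two-pass algorithm is not reproduced here), the following Python script shows the effect the abstract describes on a constructed 32-bit x86 fragment: a subroutine adds 1 to its saved return address, so its `ret` lands one byte past the call site. A linear sweep (objdump-style) and a naive recursive traversal that assumes every call returns to the next instruction both decode the junk byte after the call as the start of a bogus `call` and never see the real continuation; a traversal that keeps a shadow stack, in the spirit of the abstract's stack emulation, recovers the true return target and flags the call site. The byte string, the base address and the tiny opcode subset are assumptions made for this demonstration.

```python
import struct

# Minimal 32-bit x86 decoder covering only the opcodes this demonstration needs.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code, base, addr):
    """Decode one instruction at addr.

    Returns (text, length, kind, operand); kind is 'call', 'jmp', 'ret',
    'stackadj' (add/sub dword [esp], imm8; operand is the signed delta),
    'other', or 'db' for a byte this toy decoder does not understand.
    """
    off = addr - base
    op = code[off]
    room = len(code) - off
    if op in (0xE8, 0xE9) and room >= 5:                   # call/jmp rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        tgt = (addr + 5 + rel) & 0xFFFFFFFF
        kind = "call" if op == 0xE8 else "jmp"
        return (f"{kind} 0x{tgt:X}", 5, kind, tgt)
    if op == 0xC3:
        return ("ret", 1, "ret", None)
    if op == 0x90:
        return ("nop", 1, "other", None)
    if 0xB8 <= op <= 0xBF and room >= 5:                   # mov r32, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return (f"mov {REG32[op - 0xB8]}, 0x{imm:X}", 5, "other", None)
    # 83 /0 (ModRM 04) or 83 /5 (ModRM 2C) with SIB 24 addresses [esp]
    if op == 0x83 and room >= 4 and code[off + 1] in (0x04, 0x2C) and code[off + 2] == 0x24:
        imm = struct.unpack_from("<b", code, off + 3)[0]
        if code[off + 1] == 0x04:
            return (f"add dword [esp], {imm}", 4, "stackadj", imm)
        return (f"sub dword [esp], {imm}", 4, "stackadj", -imm)
    return (f"db 0x{op:02X}", 1, "db", None)


def linear_sweep(code, base):
    """objdump-style pass: decode every byte in order, no control-flow awareness."""
    out, addr = [], base
    while addr < base + len(code):
        text, length, _, _ = decode(code, base, addr)
        out.append((addr, text))
        addr += length
    return out


def traverse(code, base, entry, emulate_stack):
    """Recursive traversal from entry.

    With emulate_stack=False every call is assumed to return to the next
    instruction (the naive rule). With emulate_stack=True a shadow stack of
    (call site, return address) follows the callee, applies add/sub dword [esp]
    to the saved return address, and resumes where the callee's ret really goes.
    Returns (listing: addr -> text, abnormal: [(call site, assumed, real)]).
    """
    end = base + len(code)
    listing, abnormal, seen = {}, [], set()
    worklist = [(entry, ())]
    while worklist:
        addr, stack = worklist.pop()
        while base <= addr < end and (addr, stack) not in seen:
            seen.add((addr, stack))
            text, length, kind, opnd = decode(code, base, addr)
            listing.setdefault(addr, text)
            nxt = addr + length
            if kind == "call":
                if emulate_stack:
                    stack = stack + ((addr, nxt),)    # push return address, follow callee
                    addr = opnd
                else:
                    worklist.append((opnd, ()))      # decode callee separately ...
                    addr = nxt                       # ... and assume it returns here
            elif kind == "jmp":
                addr = opnd
            elif kind == "stackadj" and emulate_stack and stack:
                site, ret = stack[-1]                # callee rewrote its return address
                stack = stack[:-1] + ((site, (ret + opnd) & 0xFFFFFFFF),)
                addr = nxt
            elif kind == "ret":
                if emulate_stack and stack:
                    site, ret = stack[-1]
                    stack = stack[:-1]
                    if ret != site + 5:              # not the instruction after the call
                        abnormal.append((site, site + 5, ret))
                    addr = ret
                else:
                    break                            # return from entry: path ends
            else:
                addr = nxt
    return listing, abnormal


BASE = 0x1000
# Constructed sample (assumption, not from the paper): main calls a subroutine
# that bumps its own return address by one byte, so the lone 0xE8 right after
# the call is never executed and exists only to mislead a disassembler.
CODE = bytes([
    0xE8, 0x07, 0x00, 0x00, 0x00,   # 1000: call 0x100C       (pushes 0x1005)
    0xE8,                           # 1005: junk byte, never executed
    0xB8, 0x01, 0x00, 0x00, 0x00,   # 1006: mov eax, 1        (real continuation)
    0xC3,                           # 100B: ret
    0x83, 0x04, 0x24, 0x01,         # 100C: add dword [esp], 1  (return addr -> 0x1006)
    0xC3,                           # 1010: ret                 (lands at 0x1006)
])

if __name__ == "__main__":
    print("linear sweep:")
    for addr, text in linear_sweep(CODE, BASE):
        print(f"  {addr:X}: {text}")
    for emulate in (False, True):
        listing, abnormal = traverse(CODE, BASE, BASE, emulate)
        print(f"recursive traversal, stack emulation={emulate}:")
        for addr in sorted(listing):
            print(f"  {addr:X}: {listing[addr]}")
        for site, assumed, real in abnormal:
            print(f"  abnormal return: call at {site:X} resumes at {real:X}, not {assumed:X}")
```

The shadow stack only tracks `add`/`sub dword [esp], imm8`; real obfuscators also rewrite the return address through a register, `pop`/`push` pairs or arithmetic on `[esp+n]`, which this tracker does not see, so a production disassembler needs fuller emulation of the stack and of the instructions that touch it, which is the harder problem the paper addresses.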
