
Computer Engineering ›› 2010, Vol. 36 ›› Issue (14): 135-137. doi: 10.3969/j.issn.1000-3428.2010.14.049

• Security Technology •

A Packing Detection Rule for PE Files

JIANG Xiao-xin 1, DUAN Hai-xin 2

  1. Department of Computer Science and Technology, Tsinghua University, Beijing 100084; 2. Information Engineering Network Research Center, Tsinghua University, Beijing 100084
  • Online: 2010-07-20 Published: 2010-07-20
  • About the authors: JIANG Xiao-xin (b. 1978), male, engineer, M.Sc.; main research area: malicious code analysis and detection. DUAN Hai-xin, associate professor, Ph.D.

Pack Detection Rule on PE Files

JIANG Xiao-xin1, DUAN Hai-xin2   

  1. Department of Computer Science & Technology, Tsinghua University, Beijing 100084; 2. Network Research Center, Tsinghua University, Beijing 100084
  • Online: 2010-07-20 Published: 2010-07-20

Abstract (translated from the Chinese): In an automatic malicious code analysis system, checking the file format of a malicious sample and determining whether it is packed is the first step of automatic analysis. To identify packed PE executables more accurately, a PE file packing detection rule (NFPS) based on the file header and part of the file content is proposed. By extracting characteristic values from five aspects of the PE file and computing them according to the NFPS rule, it can be determined whether the PE file is packed. In tests, the detection rate exceeds 95%, and the rule supports iterative detection of multi-layer packing.

Keywords: malicious code, PE file, packing

Abstract: In an automatic malicious code analysis system, the first step is to check the file format of the malicious sample and to determine whether it is packed. To detect packed PE files more accurately, NFPS, a packed-PE-file detection rule based on the file header and parts of the file content, is proposed. By extracting five characteristic values from a PE file and evaluating them according to the NFPS rule, packed PE files can be identified accurately. In tests, the detection rate of NFPS exceeds 95%, and it supports iterative detection of multi-layer packed PE files.
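The abstract describes the idea (read the PE header and part of the section contents, extract a handful of characteristic values, and decide "packed or not" from them) without listing the five values NFPS actually uses. The following added example, which is not the paper's NFPS rule or code, shows the shape of such a header-plus-content check in Python: it parses a PE32/PE32+ header with the standard library, extracts five indicators that are commonly associated with packing (entry point outside a code section, high entropy of the entry-point section, a writable and executable section, a non-standard section name, and a tiny import table), and flags the file when several indicators fire. The indicators, the entropy threshold of 7.0 bits and the import-table size threshold are assumptions of this example; the two sample images are constructed in the code itself, and the iterative multi-layer detection the paper mentions is not implemented (that would require unpacking between rounds).

```python
"""Header-plus-content packing heuristic for PE files (illustrative, not the paper's NFPS)."""
import hashlib
import math
import struct
from collections import Counter

CODE_SECTION_NAMES = {b".text", b"CODE", b".code"}
COMMON_SECTION_NAMES = CODE_SECTION_NAMES | {
    b".data", b".rdata", b".idata", b".edata", b".rsrc", b".reloc", b".bss", b".tls", b".pdata"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY_BITS = 7.0      # assumed threshold: compressed/encrypted data sits near 8 bits/byte
TINY_IMPORT_TABLE = 40       # assumed threshold: one 20-byte descriptor plus the null terminator


def shannon_entropy(buf):
    """Bits per byte of buf; 0.0 for an empty buffer (e.g. a section with no raw data)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data):
    """Return (entry_rva, import_dir_size, sections) from a PE image; ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dir_off = 96 if magic == 0x10B else 112          # PE32 vs PE32+ data directory offset
    ndirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]
    import_size = struct.unpack_from("<II", data, opt + dir_off + 8)[1] if ndirs > 1 else 0
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "chars": chars, "raw": data[rptr:rptr + rsize]})
    return entry_rva, import_size, sections


def pack_indicators(data):
    """Five header/content indicators; each True value is one vote for 'packed'."""
    entry_rva, import_size, sections = parse_pe(data)
    ep_sec = next((s for s in sections
                   if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], len(s["raw"]))), None)
    return {
        "entry_outside_code_section": ep_sec is None or ep_sec["name"] not in CODE_SECTION_NAMES,
        "entry_section_high_entropy": ep_sec is not None and shannon_entropy(ep_sec["raw"]) > HIGH_ENTROPY_BITS,
        "writable_executable_section": any(s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE
                                           for s in sections),
        "unusual_section_name": any(s["name"] not in COMMON_SECTION_NAMES for s in sections),
        "tiny_import_table": import_size <= TINY_IMPORT_TABLE,
    }


def is_probably_packed(data, min_hits=3):
    """Majority-style decision: flag when at least min_hits of the five indicators fire."""
    return sum(pack_indicators(data).values()) >= min_hits


def build_pe32(sections, entry_rva, import_size):
    """Construct a minimal PE32 image for testing (constructed data, not a real binary).
    sections: list of (name, characteristics, raw_bytes, virtual_address, virtual_size)."""
    hdr_len = 64 + 4 + 20 + 224 + 40 * len(sections)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(92, b"\0")
    opt += struct.pack("<I", 16) + struct.pack("<II", 0, 0) + struct.pack("<II", 0x3000, import_size)
    opt += b"\0" * (8 * 14)                            # remaining 14 empty data directories
    sec_hdrs, raw = b"", b""
    for name, chars, body, vaddr, vsize in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(body), hdr_len + len(raw),
                                0, 0, 0, 0, chars)
        raw += body
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    return dos + b"PE\0\0" + coff + opt + sec_hdrs + raw


# Constructed samples: a conventional layout and a UPX-style layout with compressed-looking data.
CLEAN_PE = build_pe32([
    (b".text", 0x60000020, bytes(range(16)) * 256, 0x1000, 4096),   # code, 4.0 bits/byte
    (b".data", 0xC0000040, b"\0" * 512, 0x2000, 512),
], entry_rva=0x1000, import_size=100)

PACKED_PE = build_pe32([
    (b"UPX0", 0xE0000080, b"", 0x1000, 0x8000),                      # W+X, no raw data
    (b"UPX1", 0xE0000040, b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)), 0x9000, 4096),
], entry_rva=0x9000, import_size=40)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(label, is_probably_packed(image), pack_indicators(image))
```

Run against a real file with `is_probably_packed(open(path, "rb").read())`; the per-indicator dictionary from `pack_indicators` is what you would log alongside the verdict, so that a tuned threshold or a new indicator can be evaluated against past samples without re-parsing them.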

Key words: malicious code, PE file, pack

CLC number: