A Function Call Graph Extraction Method Combining Static and Dynamic Analysis

doi:10.3969/j.issn.1000-3428.2017.03.027

Abstract

Abstract: Extracting a complete and accurate function call graph is the foundation of malware similarity analysis based on function call graph.This paper proposes a malware function call graph extraction method which integrates both dynamic and static analysis methods.It extracts executable path of malicious programs on the basis of static disassembly,and an active discovery strategy of hidden information is used to find out the hidden instructions and function calls in the malware.A dynamic feedback mechanism is used to ensure the information synchronization during the process of static and dynamic analysis.The experimental results show that the proposed method can deal with all kinds of reverse analysis technologies and extract a complete and accurate function call graph from malwares.

Key words: malware, function call graph, control flow graph, static analysis, dynamic analysis

摘要： 完整准确地提取函数调用图是基于函数调用图进行恶意程序相似性分析的基础。为此,提出一种动静结合的恶意程序函数调用图提取方法。在对程序进行静态反汇编的基础上抽取恶意程序的可执行路径,使用隐藏信息主动发现策略找出恶意程序中隐藏的指令和函数调用,采用动态反馈机制完成动静结合分析过程中的信息同步。实验结果表明,该方法能够有效应对各种恶意程序反分析技术,完整准确地提取出恶意程序的函数调用图。

关键词: 恶意程序, 函数调用图, 控制流图, 静态分析, 动态分析

CLC Number:

TP309

SUN He,WU Lifa,HONG Zheng,YAN Huiying,ZHANG Yafeng. A Function Call Graph Extraction Method Combining Static and Dynamic Analysis[J]. Computer Engineering, doi: 10.3969/j.issn.1000-3428.2017.03.027.

孙贺,吴礼发,洪征,颜慧颖,张亚丰. 一种结合动态与静态分析的函数调用图提取方法[J]. 计算机工程, doi: 10.3969/j.issn.1000-3428.2017.03.027.

/ / Recommend / Download Citations

URL: http://www.ecice06.com/EN/10.3969/j.issn.1000-3428.2017.03.027

http://www.ecice06.com/EN/Y2017/V43/I3/154

References

参考文献［1］国家计算机网络应急技术处理协调中心.2014年中国互联网网络安全报告［M］.北京:人民邮电出版社,2014. ［2］Corp S.Symantec Global Internet Security Threat Report［EB/OL］.(2008-06-29).https://www.symantec.com/connect/downloads/symantec-global-internet-security-threat-report-trends-2008. ［3］Hu X,Chiueh T C,Shin K G.Large-scale Malware Indexing Using Function-call Graphs［C］//Proceedings of the 16th ACM Conference on Computer and Communications Security.New York,USA:ACM Press,2009:611-620. ［4］付文,赵荣彩,庞建民,等.隐式API调用行为的静态检测方法［J］.计算机工程,2010,36(14):108-110. ［5］Zhang Ruoyu,Huang Shiqiu,Qi Zhegnwei,et al.Static Program Analysis Assisted Dynamic Taint Tracking for Software Vulnerability Discovery［J］.Computers & Mathematics with Applications,2012,63(2):469-480. ［6］Moser A,Kruegel C,Kirda E.Exploring Multiple Execution Paths for Malware Analysis［C］//Proceedings of IEEE Symposium on Security and Privacy.Washington D.C.,USA:IEEE Press,2007:231-245. ［7］Royal P,Halpin M,Dagon D,et al.Polyunpack:Automating the Hidden-code Extraction of Unpack-executing Malware［C］//Proceedings of the 22nd Annual Computer Security Applications Conference.Washington D.C.,USA:IEEE Press,2006:289-300. ［8］Oberheide J,Bailey M,Jahanian F.PolyPack:An Automated Online Packing Service for Optimal Antivirus Evasion［C］//Proceedings of the 3rd USENIX Conference on Offensive Technologies.New York,USA:ACM Press,2009. ［9］Boote B.How to Write Your Own Packer［EB/OL］.［2015-05-17］.http://www.docin.com/p-707956834.html. ［10］Tan Xiaodong.Anti-unpacker Tricks in Malicious Code［C］//Proceedings of the 10th Annual AVAR International Conference.Berlin,Germany:Springer,2007:33-38. ［11］Ugarte-Pedrero X,Balzarotti D,Santos I,et al.SoK:Deep Packer Inspection:A Longitudinal Study of the Complexity of Run-time Packers［C］//Proceedings of IEEE Symposium on Security and Privacy.Washington D.C.,USA:IEEE Press,2015:659 -673. ［12］Brumley D,Hartwig C,Liang Z,et al.Automatically Identifying Trigger-based Behavior in Malware［M］.Berlin,Germany:Springer,2008. ［13］Garfinkel T,Adams K,Warfield A,et al.Compatibility Is Not Transparency:VMM Detection Myths and Realities［C］//Proceedings of the 11th Workshop on Hot Topics in Operating Systems.New York,USA:ACM Press,2007:6. ［14］王志,贾春福,鲁凯.基于环境敏感分析的恶意代码脱壳方法［J］.计算机学报,2012,35(4):693-702. ［15］Xie Peidai,Lu Xicheng,Wang Yongjun,et al.An Automatic Approach to Detect Anti-debugging in Malware Analysis［M］.Berlin,Germany:Springer,2013. ［16］Lee J,Kang B,Im E G.Evading Anti-debugging Techniques with Binary Substitution［J］.International Journal of Security & Its Applications,2014,8(1):183-192. ［17］Shang Shanhu,Zheng Ning,Xu Jian,et al.Detecting Malware Variants via Function-call Graph Similar-ity［C］//Proceedings of the 5th International Conference on Malicious and Unwanted Software.Washington D.C.,USA:IEEE Press,2010:113- 120. ［18］Xu Ming,Wu Lingfen,Qi Shuhui,et al.A Similarity Metric Method of Obfuscated Malware Using Function-call Graph［J］.Journal of Computer Virology and Hacking Techniques,2013,9(1):35-47. ［19］刘星,唐勇.恶意代码的函数调用图相似性分析［J］. 计算机工程与科学,2014,36(3):481-486. 编辑陆燕菲

[1]	LI Chenxi, REN Jianguo. Malware Propagation Model Based on Feedback Mechanism in Point-to-Group Networks [J]. Computer Engineering, 2023, 49(1): 163-172.
[2]	LI Feng, SHU Fei, LI Mingxuan, WANG Bin, YANG Huiting. Detection of Remote Access Trojan in Linux Based on Deep Learning [J]. Computer Engineering, 2020, 46(7): 159-164.
[3]	ZENG Yaqin, ZHANG Linlin, ZHANG Ruonan, YANG Bo. Malware Family Classification Model Based on MobileNet [J]. Computer Engineering, 2020, 46(4): 162-168.
[4]	GE Wenqi, YANG Qing, LIAO Junguo, HE Yuxuan. Research on Android Malware Detection System Using Deep Learning Based on Feature Weighting [J]. Computer Engineering, 2020, 46(11): 174-180.
[5]	ZHANG Jinglian, PENG Yanbing. Research on Malware Code Classification Based on Features Fusion [J]. Computer Engineering, 2019, 45(8): 281-286,295.
[6]	MA Futian,QIAN Xuezhong,SONG Wei. An Automated Cross-site Scripting Loopholes Discovery Model [J]. Computer Engineering, 2018, 44(8): 167-173.
[7]	CHEN Zheng,FANG Yong,LIU Liang,ZUO Zheng. Ransomware Detection Method Based on Dynamic Symbol Execution [J]. Computer Engineering, 2018, 44(6): 104-110.
[8]	CHEN Jian,SHEN Xiaojun,YAO Yiyang,XING Yafei,JU Xiaoming. Error Detection Algorithm for Pure Software Signature Based on Table-driven [J]. Computer Engineering, 2018, 44(4): 187-192.
[9]	XIE Jiayun,FU Xiao,LUO Bin. Research Progress of Android Protection Technology [J]. Computer Engineering, 2018, 44(2): 163-170,176.
[10]	QIN Zhenhua,MU Yongmin. Automatic Calculation Method of Ring Complexity for C Program [J]. Computer Engineering, 2018, 44(12): 102-107,114.
[11]	GU Jiateng,XIN Yang. XSS Vulnerability Detection Model Based on Dynamic Analysis [J]. Computer Engineering, 2018, 44(10): 34-41.
[12]	ZHANG Lu,MAO Weiwei,LIANG Qing,ZHOU Feng. Research on Control of Crus Vibration Attenuation for Biped Robots [J]. Computer Engineering, 2018, 44(1): 30-34,43.
[13]	REN Zhuojun,CHEN Guang. Application of Entropy Visualization Method in Malware Classification [J]. Computer Engineering, 2017, 43(9): 167-171.
[14]	HOU Xiaojing,JI Mengluo,HUANG Chenlin,SHU Yunxing,YAN Ben. Automatic WECT Analysis Method of Program Mode for Real-time Control System [J]. Computer Engineering, 2017, 43(8): 56-62,68.
[15]	WU Xingru,HE Yongzhong. Android Repackaged Application Detection Based on Function Call Graph [J]. Computer Engineering, 2017, 43(11): 122-127,139.

Please choose a citation manager

Content to export