Abstract:
Much unknown malware is derived from known malware by transformation. This paper proposes a complete normalization scheme that resolves the common transformation methods used by metamorphic code, including equivalent instruction substitution, garbage code insertion and code reordering. A prototype system is implemented and tested against Win32.Evol, a typical metamorphic virus. The work is a useful attempt to apply normalization to the detection of metamorphic malware.
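The three transformations named in the abstract can be undone mechanically before signature matching. The following toy normalizer is an added illustration, not code from the paper or its prototype: it works on a hypothetical, simplified x86-like text listing and applies the three steps in order (follow unconditional `jmp` chains to undo block reordering, rewrite substituted instructions to a canonical form, then drop inserted garbage such as `nop`, `mov r, r` or a `push r`/`pop r` pair). The two variants at the bottom are constructed sample input; the substitution and garbage tables are illustrative, not the paper's.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Canonical rewrites for common equivalent-instruction substitutions (toy table).
SUBSTITUTIONS = [
    (re.compile(r"(xor|sub) (\w+), \2"), lambda m: f"mov {m.group(2)}, 0"),
    (re.compile(r"add (\w+), 1"), lambda m: f"inc {m.group(1)}"),
    (re.compile(r"sub (\w+), 1"), lambda m: f"dec {m.group(1)}"),
    (re.compile(r"lea (\w+), \[(\w+)\]"), lambda m: f"mov {m.group(1)}, {m.group(2)}"),
]

# Single instructions that change no architectural state (toy garbage table).
GARBAGE = [
    re.compile(r"nop"),
    re.compile(r"mov (\w+), \1"),
    re.compile(r"xchg (\w+), \1"),
    re.compile(r"(add|sub|or|xor) (\w+), 0"),
]


def parse(listing: str) -> Tuple[List[str], Dict[str, int]]:
    """Split a listing into instructions and a label -> instruction-index map."""
    instrs: List[str] = []
    labels: Dict[str, int] = {}
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1]] = len(instrs)
        else:
            instrs.append(line)
    return instrs, labels


def linearize(instrs: List[str], labels: Dict[str, int]) -> List[str]:
    """Undo code reordering: emit instructions in execution order, following jmp chains."""
    by_index: Dict[int, List[str]] = {}
    for name, idx in labels.items():
        by_index.setdefault(idx, []).append(name)
    out: List[str] = []
    visited = set()
    pc = 0
    while 0 <= pc < len(instrs) and pc not in visited:
        visited.add(pc)
        ins = instrs[pc]
        m = re.fullmatch(r"jmp (\w+)", ins)
        if m and m.group(1) in labels and labels[m.group(1)] not in visited:
            pc = labels[m.group(1)]  # fall through into the target block
            continue
        out.extend(f"{name}:" for name in by_index.get(pc, []))
        out.append(ins)
        pc += 1
    # Keep only labels still referenced by a remaining branch or call.
    referenced = {m.group(2) for i in out for m in [re.fullmatch(r"(j\w+|call|loop) (\w+)", i)] if m}
    return [i for i in out if not i.endswith(":") or i[:-1] in referenced]


def canonicalize(ins: str) -> str:
    """Undo equivalent instruction substitution for one instruction."""
    for pattern, rewrite in SUBSTITUTIONS:
        m = pattern.fullmatch(ins)
        if m:
            return rewrite(m)
    return ins


def strip_garbage(instrs: List[str]) -> List[str]:
    """Undo garbage code insertion: drop no-op instructions and push/pop pairs."""
    out: List[str] = []
    i = 0
    while i < len(instrs):
        ins = instrs[i]
        if any(p.fullmatch(ins) for p in GARBAGE):
            i += 1
            continue
        m = re.fullmatch(r"push (\w+)", ins)
        if m and i + 1 < len(instrs) and instrs[i + 1] == f"pop {m.group(1)}":
            i += 2
            continue
        out.append(ins)
        i += 1
    return out


def normalize(listing: str) -> List[str]:
    instrs, labels = parse(listing)
    return strip_garbage([canonicalize(i) for i in linearize(instrs, labels)])


def signature(listing: str) -> str:
    """Hash of the normalized form; equal for variants that differ only by the three transforms."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()


# Constructed sample: the same routine before and after a metamorphic rewrite.
ORIGINAL = """
    mov eax, 0
    add eax, 1
    push eax
    call proc
    ret
"""

VARIANT = """
    jmp L1
L2:
    sub ebx, 0        ; garbage
    inc eax
    push ecx          ; garbage pair
    pop ecx
    push eax
    jmp L3
L1:
    nop
    xor eax, eax      ; substituted for mov eax, 0
    jmp L2
L3:
    call proc
    mov edx, edx      ; garbage
    ret
"""

if __name__ == "__main__":
    print(normalize(VARIANT))
    print(signature(ORIGINAL) == signature(VARIANT))
```

The normalizer is deliberately conservative: it only removes an instruction when the rewrite cannot change program state, and it keeps any label that a conditional branch or call still targets, so a loop or a `jcc` is never silently dropped. A real system would work on decoded instructions rather than text and would need a far larger equivalence table, but the pipeline order (reorder, substitute, garbage) is what makes two variants converge on one signature.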
Key words:
metamorphic malware,
normalization,
malware detection
Abstract (translated from the Chinese): Much unknown malware is produced by transforming known malware. Targeting the transformation techniques commonly used by malicious code, including equivalent instruction substitution, garbage code insertion and instruction reordering, this paper proposes a complete normalization scheme and tests a prototype system against the typical metamorphic virus Win32.Evol; it is a useful attempt to apply the idea of normalization to the detection of metamorphic malware.
Key words (translated from the Chinese):
metamorphic malware,
normalization,
malware detection
JIN Ran; WEI Qiang; WANG Qing-xian. Metamorphic Malware Detection Based on Normalization [J]. Computer Engineering, 2008, 34(5): 169-170.
Chinese citation: JIN Ran; WEI Qiang; WANG Qing-xian. 基于归一化的变形恶意代码检测 (Metamorphic Malware Detection Based on Normalization) [J]. 计算机工程 (Computer Engineering), 2008, 34(5): 169-170.