Abstract:
To extract API-calling behaviours from malware and its variants effectively, this paper proposes an approach for statically detecting obfuscated API calls on the Windows platform. Instruction pattern matching is used to recognize the specific calling manner, and the relationship between the targets of call instructions and the name strings of API functions is analyzed to identify which API function is actually called. Experimental results show that the approach improves the ability of static analysis tools to detect malicious code and its variants.
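One concrete shape the two steps sketched in the abstract can take (recognize the calling manner by instruction pattern, then tie the call target back to an API name) is shown below. This is an added illustration written for this page, not the paper's implementation; the disassembly listing, import-table slots, string addresses and the handling of GetProcAddress are all constructed for the example.

```python
"""Toy static detector for obfuscated (implicit) API calls in x86 disassembly.

Added illustration of the approach described in the abstract, not the paper's
implementation: match instruction patterns that hide the call target, then map
the recovered target (an import-table slot, or a name string handed to
GetProcAddress) back to an API name. The listing, addresses and tables below
are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed import address table: slot address -> imported API name.
IAT = {
    0x402000: "CreateFileA",
    0x402004: "WriteFile",
    0x402008: "GetProcAddress",
}

# Constructed read-only strings: address -> NUL-terminated text at that address.
STRINGS = {
    0x403000: "VirtualAlloc",
}

# Constructed disassembly. Three calling manners appear: a direct IAT call,
# a call through a register loaded from an IAT slot, and a call through the
# value GetProcAddress returned for a name string. The last call goes through
# a register the listing never defines, so it must stay unresolved.
LISTING = """
00401000  call dword ptr [0x402000]       ; CreateFileA via IAT
00401006  mov esi, dword ptr [0x402004]   ; esi = IAT slot of WriteFile
0040100C  call esi                        ; WriteFile, hidden behind a register
0040100E  push 0x403000                   ; lpProcName -> "VirtualAlloc"
00401013  push eax                        ; hModule (value unknown to us)
00401014  call dword ptr [0x402008]       ; GetProcAddress
0040101A  mov edi, eax                    ; edi = resolved address
0040101C  call edi                        ; VirtualAlloc, resolved at run time
0040101E  call ebp                        ; origin of ebp unknown -> unresolved
"""


@dataclass
class Insn:
    addr: int
    mnem: str
    ops: list


MEM_RE = re.compile(r"^dword ptr \[0x([0-9a-fA-F]+)\]$")
IMM_RE = re.compile(r"^0x([0-9a-fA-F]+)$")


def parse(listing):
    """Split 'ADDR  MNEM ops ; comment' lines into Insn records."""
    insns = []
    for raw in listing.strip().splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        addr, rest = line.split(None, 1)
        mnem, _, ops = rest.partition(" ")
        insns.append(Insn(int(addr, 16), mnem,
                          [o.strip() for o in ops.split(",")] if ops else []))
    return insns


def detect_api_calls(listing):
    """Return [(call address, API name or None)] for every call in the listing.

    Tracked state is deliberately minimal: a register holds either the IAT slot
    address (int) it was loaded from, or an API name (str) when it holds the
    result of GetProcAddress; pushed immediates are kept so the name-string
    argument can be recovered. Every call is assumed to consume all pushed
    arguments (stdcall), which is a simplification of real calling conventions.
    """
    regs = {}
    pushed = []
    calls = []
    for ins in parse(listing):
        if ins.mnem == "mov" and len(ins.ops) == 2:
            dst, src = ins.ops
            m = MEM_RE.match(src)
            if m:                        # pattern: mov reg, [slot]
                regs[dst] = int(m.group(1), 16)
            elif src in regs:            # pattern: mov reg, reg (copy knowledge)
                regs[dst] = regs[src]
            else:
                regs.pop(dst, None)      # anything else clobbers what we know
        elif ins.mnem == "push" and ins.ops:
            m = IMM_RE.match(ins.ops[0])
            pushed.append(int(m.group(1), 16) if m else None)
        elif ins.mnem == "call" and ins.ops:
            target = ins.ops[0]
            m = MEM_RE.match(target)
            if m:                        # pattern: call [slot]
                name = IAT.get(int(m.group(1), 16))
            else:                        # pattern: call reg
                held = regs.get(target)
                name = held if isinstance(held, str) else IAT.get(held)
            calls.append((ins.addr, name))
            # Model the return value: GetProcAddress(hModule, lpProcName) is
            # stdcall, arguments pushed right to left, so lpProcName is pushed[-2].
            regs.pop("eax", None)
            if name == "GetProcAddress" and len(pushed) >= 2 and pushed[-2] in STRINGS:
                regs["eax"] = STRINGS[pushed[-2]]
            pushed.clear()
    return calls


if __name__ == "__main__":
    for addr, name in detect_api_calls(LISTING):
        print(f"{addr:08X}  {name or '<unresolved>'}")
```

The unresolved `call ebp` at the end is the caveat a practitioner should keep in mind: pattern matching recovers an API name only when the chain from a known source (import slot or name string) to the call instruction is visible in the static listing, so results from such a tool are a lower bound on the real API-calling behaviour, not a complete picture.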
Key words:
malware,
static analysis,
obfuscated API-calling,
pattern matching
Abstract (translated from the Chinese):
To extract implicit API-calling behaviour from malicious programs and their variants effectively, a static-analysis-based method for detecting implicit API-calling behaviour is proposed. Instruction template matching is used to recognize the concrete calling form, and the called API function is identified by analysing the relationship between the call target address and the function name. Experimental results show that the method improves the ability of static analysis tools to detect malicious code and its variants.
Key words (translated from the Chinese):
malicious code,
static analysis,
implicit API calling,
template matching
FU Wen, ZHAO Rong-Cai, PANG Jian-Min, WANG Cheng. Static Detection Method for Obfuscated API-calling Behavior [J]. Computer Engineering (计算机工程), 2010, 36(14): 108-110.
Original Chinese citation: 付文, 赵荣彩, 庞建民, 王成. 隐式API调用行为的静态检测方法[J]. 计算机工程, 2010, 36(14): 108-110.