Research on Reverse Analysis Methods for Self-Modifying Code
Abstract
Malicious code (malware) has become a major threat to Internet security. As computers have become ubiquitous and the Internet has developed, the damage caused by malware has grown ever more serious. To speed up emergency response to network attacks carried out by malware, we must analyze malware quickly and effectively. The purpose of malware analysis is to extract the behavior malware exhibits at run time (its runtime behavior), interpret its intent and working mechanism, and provide a reference for detecting and removing it. To protect their code and make analysis harder, malware authors commonly hide its code characteristics through techniques such as encryption, metamorphism and packing, which obstruct mechanism analysis and signature extraction and help the malware evade detection. Traditional analysis methods cannot effectively analyze malware protected in this way.
     Driven by the needs of malware analysis and software security evaluation, this thesis focuses on the key software-protection techniques used by typical malware and on the latest advances in malware analysis, studies in depth the implementation mechanism of typical self-modifying code (SMC), and on that basis proposes a hardware-emulator-based reverse analysis method for typical SMC. The research results are as follows:
     (1) The implementation mechanism of typical SMC is analyzed in depth and a preliminary SMC model is established. Based on how dynamically generated code is generated, how it modifies existing code and how it is stored, we give a first preliminary classification and model of SMC, which lays the foundation for the SMC analysis methods that follow.
     (2) A hardware-emulator-based method for identifying and extracting dynamically generated code in executable files is proposed. The method single-steps the target executable in the emulator, intercepts the instructions executed by the virtual system, and uses shadow memory to monitor memory write operations and control transfer instructions during execution, so as to identify and extract code that is released into memory at run time and subsequently executed, together with the data needed for analysis. Because the executable is analyzed dynamically inside a hardware emulator and data collection is performed by the emulated hardware rather than by running the malware on a real CPU, the real system is not affected at all.
     (3) A hardware-emulator-based method for identifying and extracting dynamically generated code in dynamic link libraries is proposed. The method uses a DLL loader program inside the emulator to bootstrap loading of the DLL, sets the single-step flag so that only instructions in the target DLL are single-stepped in the emulator, triggers execution of the DLL's entry point and other functions, intercepts the instructions executed by the virtual system, and uses shadow memory to monitor memory writes and control transfer instructions while the DLL's code executes, so as to identify and extract the code released into memory at run time and subsequently executed, together with the data needed for analysis.
     (4) An SMC analysis method based on binary file reconstruction is proposed. For each type of SMC we propose a corresponding reconstruction method: without changing the code's behavior, the extracted dynamically generated code is restored into the original binary, producing a complete binary that can be statically analyzed or run directly. On this basis, analysts can apply traditional analysis methods for further analysis, which improves the reverse analysis capability against SMC. The method is simple in principle, easy to implement and fairly general: it applies not only to executables but also to dynamic link libraries.
     (5) A multi-path analysis method based on code coverage is proposed. The method focuses on handling loop code: by labeling conditional-branch nodes it reduces the number of times local paths are traversed repeatedly, improving the efficiency and code coverage of the analysis system while preserving analysis quality.
     (6) A prototype SMC reverse analysis system is designed and implemented, the relevant SMC analysis experiments are carried out, and the effectiveness, analysis efficiency and performance of the binary-reconstruction-based SMC reverse analysis method proposed in this thesis are evaluated.
Malware (malicious code or malicious software) creeps into users' computers, collects users' private information and wreaks havoc on the Internet, and has become the centerpiece of most security threats on the Internet. With the popularity of computers and the development of the Internet, the damage caused by malware is becoming more and more serious. To enhance the speed of emergency response to network attacks carried out by malware, we must analyze malware rapidly and effectively. Malware analysis is an essential technology that extracts the runtime behavior of malware, supplies signatures to detection systems and provides evidence for recovery and cleanup. To hinder malware analysis and make it more difficult, malware writers usually heavily armor their programs with various anti-reverse-engineering techniques, including code encryption, metamorphism and binary code packing. Unfortunately, existing techniques for detecting malware and analyzing unknown code samples are insufficient and have significant shortcomings: existing solutions are either unable to handle novel malware samples or vulnerable to various evasion techniques.
     To meet the needs of malware analysis and security evaluation, this paper thoroughly analyzes the key anti-reverse-engineering techniques, related work on malware analysis, and the implementation mechanism of typical self-modifying code (SMC). Based on that analysis, we propose an emulator-based reverse engineering approach for typical SMC, motivated by the question of how to combine static and dynamic analysis effectively. The main work is as follows:
     First, the implementation mechanism of typical SMC is analyzed thoroughly and a preliminary model of SMC is proposed. We model and classify typical SMC according to the generation mode, modification mode and storage mode of the dynamically generated code. This study of the mechanism and its application provide the theoretical foundation and guideline for the reverse engineering techniques against typical SMC that follow.
     Second, a fully dynamic approach is presented for extracting the original hidden code (dynamically generated code) from packed executable binaries, together with additional information useful for further analysis. The binary extraction technique is fully dynamic and therefore does not depend on program disassembly or on known signatures of packing techniques. We show that it can extract the original hidden code and data. Beyond extracting the hidden code, the method provides additional information about the packed executable: it identifies the exact regions of memory where the hidden code and data reside. By tracking the memory areas newly written by the program, we distinguish code and data generated at run time from the packed executable binary and thus obtain their exact regions.
     Third, a fully dynamic approach is presented for identifying and extracting dynamically generated code from packed DLLs (dynamic link libraries), together with additional information useful for further analysis. The technique extracts the hidden code by loading a DLL and then triggering and monitoring the execution of its entry-point function and exported functions. By monitoring all memory operations and control transfer instructions, the approach extracts the original hidden code that is written into memory at run time.
     Fourth, a technique for reconstructing an SMC binary for static analysis is proposed. It builds a new binary from the original SMC binary, the extracted hidden code and the records of control transfers: the extracted hidden code is patched into the packed binary and the control transfers are restored, yielding a binary suitable for static analysis. The technique modifies the original binary to produce equivalent static code without altering the original program behavior. The reconstructed binaries can be analyzed successfully by static analysis tools such as IDA Pro.
     Fifth, a system for malware analysis that explores multiple execution paths based on code coverage is proposed. By labeling control-flow decision points (branching points), the method reduces the number of times some paths are explored, improves analysis efficiency and increases the coverage of the malware.
     Sixth, an automated framework for extracting hidden code and reconstructing SMC binaries is designed and implemented. Applying the techniques above, we build a framework that automatically examines SMC binaries, extracts their original hidden code and reconstructs a binary from the extracted code and additional information. With this prototype we have carried out a series of experiments on the analysis of typical SMC binaries. We also present the evaluation results of the framework, demonstrating that it is applicable to the analysis of typical SMC binaries.
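The extraction step that both the executable and the DLL methods share (single-step the target, intercept each executed instruction, keep a shadow entry per byte, and flag code that was written after load and then executed) can be modelled over an instruction trace. The following is an added example written for this page, not the thesis prototype or its emulator code; the trace event format, the layer bookkeeping and every address in the sample trace are constructed assumptions, and a real emulator such as QEMU would feed the monitor from its instruction and store hooks instead.

```python
"""Shadow-memory monitor over an emulator instruction trace (constructed example).

Each byte gets a shadow entry with two flag bits (WRITTEN, EXECUTED) plus the
generation layer of the code that wrote it. An executed byte that carries the
WRITTEN flag is dynamically generated code; a control transfer whose target
carries WRITTEN is recorded for the later reconstruction step.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

WRITTEN = 1   # byte was written after the image was loaded
EXECUTED = 2  # byte was fetched as part of an executed instruction


@dataclass
class TraceEvent:
    kind: str         # "exec" (instruction executed) or "write" (memory store)
    addr: int         # instruction address, or first byte written
    size: int         # instruction length, or number of bytes written
    target: int = -1  # "exec" only: taken control-transfer target, -1 if none


@dataclass
class ExtractionResult:
    regions: List[Tuple[int, int]]    # [start, end) of generated code that executed
    transfers: List[Tuple[int, int]]  # (source pc, target) transfers into generated code
    layers: Dict[int, int]            # region start -> layer (1 = written by original code)


class ShadowMonitor:
    def __init__(self) -> None:
        self.shadow: Dict[int, int] = {}        # byte address -> flag bits
        self.layer: Dict[int, int] = {}         # written byte -> layer it belongs to
        self.generated_exec: Set[int] = set()   # executed bytes that had been written
        self.transfers: List[Tuple[int, int]] = []
        self.current_layer = 0                  # 0 = code from the original image

    def step(self, ev: TraceEvent) -> None:
        if ev.kind == "exec":
            # Layer of the running instruction: 0 unless its bytes were written at run time.
            self.current_layer = self.layer.get(ev.addr, 0)
            for b in range(ev.addr, ev.addr + ev.size):
                self.shadow[b] = self.shadow.get(b, 0) | EXECUTED
                if self.shadow[b] & WRITTEN:
                    self.generated_exec.add(b)
            # Record the transfer only when it enters bytes written at run time.
            if ev.target != -1 and self.shadow.get(ev.target, 0) & WRITTEN:
                self.transfers.append((ev.addr, ev.target))
        elif ev.kind == "write":
            for b in range(ev.addr, ev.addr + ev.size):
                self.shadow[b] = self.shadow.get(b, 0) | WRITTEN
                self.layer[b] = self.current_layer + 1  # one layer deeper than the writer
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")

    def result(self) -> ExtractionResult:
        # Coalesce executed generated bytes into contiguous [start, end) regions.
        regions: List[Tuple[int, int]] = []
        for b in sorted(self.generated_exec):
            if regions and regions[-1][1] == b:
                regions[-1] = (regions[-1][0], b + 1)
            else:
                regions.append((b, b + 1))
        layers = {start: self.layer[start] for start, _ in regions}
        return ExtractionResult(regions, list(self.transfers), layers)


def analyze(trace: List[TraceEvent]) -> ExtractionResult:
    monitor = ShadowMonitor()
    for ev in trace:
        monitor.step(ev)
    return monitor.result()


def sample_trace() -> List[TraceEvent]:
    """Constructed two-layer trace: original code at 0x401000 writes a stub to
    0x402000 and jumps to it; that stub writes a second stub to 0x403000 and
    jumps there; the second stub jumps back into the original code."""
    return [
        TraceEvent("exec", 0x401000, 5),                   # original: stores first stub
        TraceEvent("write", 0x402000, 4),
        TraceEvent("exec", 0x401005, 2, target=0x402000),  # original: jmp into layer 1
        TraceEvent("exec", 0x402000, 2),                   # layer 1: stores second stub
        TraceEvent("write", 0x403000, 2),
        TraceEvent("exec", 0x402002, 2, target=0x403000),  # layer 1: jmp into layer 2
        TraceEvent("exec", 0x403000, 2, target=0x401007),  # layer 2: jmp back to original
        TraceEvent("exec", 0x401007, 3),                   # original code, not generated
    ]


if __name__ == "__main__":
    res = analyze(sample_trace())
    for start, end in res.regions:
        print(f"generated code {start:#x}-{end:#x}, layer {res.layers[start]}")
    for src, dst in res.transfers:
        print(f"transfer into generated code: {src:#x} -> {dst:#x}")
```

The layer counter is what distinguishes a single-stage unpacker from a multi-stage one: a write issued by layer-1 code produces layer-2 bytes, so the result shows how many generations of code ran before the original program appeared. A per-byte dictionary is fine for a demonstration; an emulator-side implementation would use a bitmap or page-granular shadow table to keep the per-instruction overhead low.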
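The reconstruction step takes the extracted regions and the transfer records and writes the captured bytes back into the original image so that a static disassembler sees them. The following is an added example written for this page, not the thesis prototype: it assumes a flat section table (virtual address, virtual size, raw offset, raw size) standing in for the PE section headers, extracted regions that carry the bytes captured from emulated memory, and the (source, target) transfer pairs from the extraction step; all addresses, sections and bytes are constructed for illustration.

```python
"""Patch extracted dynamically generated code back into the original image
(constructed example). Regions that are not backed by file data, such as the
zero-filled tail of a section, are refused rather than silently dropped, since
a real reconstruction would have to append a new section for them."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Section:
    name: str
    va: int          # virtual address when loaded
    vsize: int       # virtual size (may exceed raw_size; the tail is zero-filled)
    raw_offset: int  # file offset of the raw data
    raw_size: int    # bytes actually present in the file


@dataclass
class ExtractedRegion:
    va: int
    data: bytes      # bytes seen in emulated memory when the region executed


def va_to_file_offset(sections: List[Section], va: int, size: int) -> Optional[int]:
    """File offset backing [va, va+size), or None if no raw data backs it."""
    for s in sections:
        if s.va <= va and va + size <= s.va + s.vsize:
            delta = va - s.va
            if delta + size <= s.raw_size:
                return s.raw_offset + delta
            return None  # inside the section but past its raw data
    return None


def reconstruct(image: bytes, sections: List[Section],
                regions: List[ExtractedRegion]) -> bytes:
    """Return a copy of the image with every extracted region patched in place."""
    out = bytearray(image)
    for r in regions:
        off = va_to_file_offset(sections, r.va, len(r.data))
        if off is None:
            raise ValueError(f"region {r.va:#x}+{len(r.data)} has no file-backed storage")
        out[off:off + len(r.data)] = r.data
    return bytes(out)


def try_reconstruct(image: bytes, sections: List[Section],
                    regions: List[ExtractedRegion]) -> Optional[bytes]:
    """Same as reconstruct(), but returns None instead of raising."""
    try:
        return reconstruct(image, sections, regions)
    except ValueError:
        return None


def code_entry_points(sections: List[Section],
                      transfers: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Map each recorded transfer target to (target va, file offset) so the
    analyst can mark the patched bytes as code at those addresses."""
    entries = []
    for _src, dst in transfers:
        off = va_to_file_offset(sections, dst, 1)
        if off is not None:
            entries.append((dst, off))
    return entries


# Constructed sample: a 0x600-byte image with a code section and a data section
# whose raw data (0x200 bytes) is smaller than its virtual size (0x400).
SECTIONS = [
    Section(".text", va=0x1000, vsize=0x200, raw_offset=0x200, raw_size=0x200),
    Section(".data", va=0x2000, vsize=0x400, raw_offset=0x400, raw_size=0x200),
]
IMAGE = bytes(0x600)
STUB = bytes([0x31, 0xC0, 0xC3])  # xor eax, eax ; ret  (constructed payload)

if __name__ == "__main__":
    patched = reconstruct(IMAGE, SECTIONS, [ExtractedRegion(0x2010, STUB)])
    print("patched bytes at file offset 0x410:", patched[0x410:0x413].hex())
    print("entry points:", code_entry_points(SECTIONS, [(0x1005, 0x2010)]))
```

Patching bytes into an existing section is the easy case; a region that lives past a section's raw data or in memory the loader never mapped needs a new section header and an enlarged image, and a packer that jumps through a register needs the indirect transfer rewritten into a direct one before a disassembler will follow it. Both are outside this example and are the kind of per-type handling the thesis attributes to its reconstruction method.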