利用比較程式基本區塊快速尋找虛擬機器感知造成的程式分歧點

Abstract

虛擬機器技術被廣泛運用在現在的惡意程式分析系統中。為了躲避這些分析系統的偵測與分析，新一類的惡意程式能夠感知虛擬機器的存在，進而隱藏自身的惡意行為來欺騙惡意程式分析系統。在這篇論文中，一個新的利用比較程式在不同環境下的行為，來偵測分析虛擬機器感知造成的程式分歧點的方法被提出來。不同於過去傳統的作法以指令做為分析的基本單位，此方法以程式基本區塊為分析的基本單位。比起傳統分析指令的作法，我們的方法能夠大幅降低紀錄與比較程式行為所花費的時間，同時也降低了記錄程式行為所需的空間。在我們的實驗中，紀錄程式行為所花費的時間為傳統作法的23.87-39.49倍快；在測試樣本中，分析基本單位的總數是傳統作法的11.95%-16.00%。因此，我們的作法能夠更有效率的去找出因虛擬機器感知而造成的程式分歧點。同時，我們找尋分歧點的演算法的正確性也將在論文中證明。

To evade VM-based malware analysis systems, VM-aware malware equipped with the ability to detect the present of virtual machine is proposed. To detect VM-aware malware and locate VM-sensitive divergence points of VM-aware malware, we propose a new block-based behavior comparison scheme (BBC), in contrast to the conventional instruction-based schemes. The BBC scheme divides the malware program into basic blocks, instead of binary instructions, and uses them as the analysis unit. In contrast to the conventional schemes, the BBC scheme significantly decrease the cost of behavior logging and trace comparison, as well as the size of behavior traces. In our evaluation, behavior logging is 23.87-39.49 times faster than the conventional schemes. The total number of analysis unit, which is highly related to the cost of trace comparisons is 11.95%-16.00% of the conventional schemes. Consequently, VM-sensitive divergence points can be discovered in a more efficient way. The correctness of our divergence point discovery algorithm will be also proved in this paper.