Title: Signature Generation for DLL-based Malware (針對DLL型態惡意程式的病毒特徵萃取)
Authors: Chen, Wei-Chih (陳威志); Shieh, Shiuh-Pyng (謝續平)
Department: Institute of Computer Science and Engineering (資訊科學與工程研究所)
Keywords: Dynamic-Link Library; signature; DLL; signature generation
Issue date: 2012
Abstract (translated from the Chinese abstract): In malware research, EXE (executable) malware is the mainstream subject of study because of its sheer volume, while DLL (Dynamic-Link Library) malware is usually overlooked. Both file types are typically analyzed with the same tools, yet a DLL and an EXE differ in an essential way: in a DLL, every export function is a program entry point, and a single DLL can have many export functions. In recent research, malware signatures are usually generated from a group of malicious samples by finding what those samples have in common, for example common subgraphs of their control-flow graphs (CFGs). From the DLL point of view, because of its export functions, one DLL malware sample can be regarded as a collection of several malware programs, each export function being the entry point of one of them. In this work we first identify the relationship between DLL attack techniques and export functions, then show that DLL malware exhibits shared instructions across its export functions, and finally, based on this shared-instruction phenomenon, implement a method for generating malware signatures.
Abstract (English): In malware detection research, DLL (Dynamic-Link Library) malware is often overlooked because EXE malware makes up the major share of all malware. Despite the differences between DLL malware and EXE malware, analysis tools built for EXE malware are used to detect DLL malware. To improve DLL malware detection accuracy, we propose a different analysis methodology based on the trait that distinguishes a DLL file from an EXE file: each export function of a DLL is a program entry point, and a single DLL can contain multiple export functions. In recent research, signatures are generated from a group of malware samples by finding their common features, for example by comparing their control-flow graphs (CFGs). Given this property of DLLs, a single DLL malware sample can be viewed as a collection of malware programs that start from different entry points. In this paper, we first establish the relation between DLL attack methods and export functions. Second, we present the phenomenon of common instructions in DLL malware. Third, we propose a detection method based on these common instructions.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070056002
http://hdl.handle.net/11536/72670
Appears in collections: Theses