Critical Information Extraction And Analysis Based On Virtual Machine

Posted on: 2012-12-18
Degree: Master
Type: Thesis
Country: China
Candidate: C G Deng
Full Text: PDF
GTID: 2178330338984125
Subject: Computer system architecture
Abstract/Summary:
Analysis of executable binary code is an important approach to analyzing program behavior and a main way to detect malware. However, anti-analysis techniques such as packing (shelling), anti-debugging and code obfuscation make binary code analysis ever more difficult as software development technology advances. To address this problem, this thesis proposes an approach based on full-system emulation together with instruction-flow and data-flow analysis. The approach runs the executable binary on a virtual machine built on full-system emulation and captures its runtime instruction-flow and data-flow information; critical information is then extracted from these flows, and the program's behavior is analyzed with program slicing.

Based on this proposal, the thesis covers the design and implementation of a prototype binary-analysis system. By extending Bochs, an open-source virtual machine, it implements a function that captures runtime instruction-flow and data-flow information effectively. It also implements a number of analysis modules that extract critical information and analyze the behavior of binary code, including static characteristic analysis, transfer-instruction analysis, system-call analysis, memory read/write analysis, program-slicing analysis and cryptographic-algorithm analysis. Experiments with the prototype system are presented; their results show that the proposed approach can withstand anti-analysis techniques and achieve the goal of binary code analysis.

This thesis focuses on binary code analysis, especially of binary code that employs anti-analysis techniques. Its achievements are as follows. First, after studying anti-analysis techniques, binary code, instruction flow and data flow, we propose a virtual-machine-based approach to binary code analysis. Traditional binary analysis methods analyze static code and observe the behavior exhibited at runtime, so they obtain limited information when applied to binary code that adopts anti-analysis techniques. The novelty of this thesis is that it analyzes the runtime instruction flow and data flow captured with virtual machine technology to determine the behavior of binary code; this approach can withstand anti-analysis techniques. Second, we design and implement a virtual machine that captures the runtime instruction flow and data flow of executable binary code. By extending an open-source virtual machine, we implement the capture of runtime information; Windows and Linux operating systems and x86 applications can run on this virtual machine, so it is general. Third, program behavior can be analyzed automatically: with a series of software tools, the analysis system extracts critical information from the runtime instruction flow and data flow and then determines the behavior of the binary code automatically.
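The abstract describes two of the analysis modules only by name: program slicing over the captured instruction flow and data flow, and memory read/write analysis. The following is an added illustration, not code from the thesis or from Bochs: it assumes a hypothetical trace format (one line per executed instruction with the locations it read and wrote, which is what an emulator-side capture hook would produce) and applies backward dynamic slicing to a short constructed x86-like trace, so the reader can see what "extracting critical information from the runtime flows" means concretely.

```python
"""Backward dynamic slicing over a captured instruction/data-flow trace.

Added example (not from the thesis). The trace format below is a hypothetical,
constructed one: "<address> <instruction> | R: <reads> | W: <writes>", where
reads/writes are register names or "mem:<address>" locations.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class TraceEntry:
    index: int          # position in the execution order (dynamic instance)
    address: int        # instruction address as captured by the emulator
    text: str           # disassembly text
    reads: Set[str] = field(default_factory=set)
    writes: Set[str] = field(default_factory=set)


# Constructed sample trace: the value loaded from 0x1000 flows into the final
# store at 0x4000; the XOR of the value from 0x2000 is an independent chain.
SAMPLE_TRACE = """\
0x401000 mov eax, [0x1000]   | R: mem:0x1000 | W: eax
0x401005 mov ebx, 5          | R:            | W: ebx
0x40100a add eax, ebx        | R: eax, ebx   | W: eax, eflags
0x40100c mov ecx, [0x2000]   | R: mem:0x2000 | W: ecx
0x401012 xor ecx, 0x5a       | R: ecx        | W: ecx, eflags
0x401015 mov [0x3000], ecx   | R: ecx        | W: mem:0x3000
0x40101b mov edx, eax        | R: eax        | W: edx
0x40101d cmp edx, 10         | R: edx        | W: eflags
0x401020 jne 0x401050        | R: eflags     | W:
0x401022 mov [0x4000], eax   | R: eax        | W: mem:0x4000
"""


def _locations(field_text: str, label: str) -> Set[str]:
    """Parse 'R: eax, mem:0x1000' into {'eax', 'mem:0x1000'}."""
    if not field_text.startswith(label):
        raise ValueError(f"expected {label!r} field, got {field_text!r}")
    body = field_text[len(label):]
    return {tok.strip() for tok in body.split(",") if tok.strip()}


def parse_trace(text: str) -> List[TraceEntry]:
    """Turn the textual trace into TraceEntry objects, numbered in execution order."""
    entries: List[TraceEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"malformed trace line: {line!r}")
        instr, reads, writes = parts
        addr_str, _, mnemonic = instr.partition(" ")
        entries.append(TraceEntry(
            index=len(entries),
            address=int(addr_str, 16),
            text=mnemonic.strip(),
            reads=_locations(reads, "R:"),
            writes=_locations(writes, "W:"),
        ))
    return entries


def backward_slice(trace: List[TraceEntry], criterion: int) -> List[int]:
    """Indices of the dynamic instances that influence the data read at `criterion`.

    Walk the trace backwards keeping a set of 'live' locations; an instruction
    joins the slice if it defines a live location, after which its own reads
    become live. Only data dependences are followed here.
    """
    live: Set[str] = set(trace[criterion].reads)
    included = [criterion]
    for entry in reversed(trace[:criterion]):
        if entry.writes & live:
            included.append(entry.index)
            live -= entry.writes
            live |= entry.reads
    return sorted(included)


def memory_writes(trace: List[TraceEntry]) -> Dict[str, List[int]]:
    """Memory read/write analysis: which dynamic instances stored to which address."""
    out: Dict[str, List[int]] = {}
    for entry in trace:
        for loc in entry.writes:
            if loc.startswith("mem:"):
                out.setdefault(loc, []).append(entry.index)
    return out


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    store = max(memory_writes(trace)["mem:0x4000"])   # last store to 0x4000
    for i in backward_slice(trace, store):
        print(f"{trace[i].address:#x}  {trace[i].text}")
```

Running the block prints the four instructions that feed the store to `0x4000` (the load from `0x1000`, the constant move, the add and the store itself); the XOR chain that ends at `0x3000` is excluded because no data flows from it to the criterion. On a real capture the same walk runs over millions of instances, which is why the thesis pairs slicing with the other modules (transfer-instruction and system-call analysis) to pick criteria worth slicing from.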
Keywords/Search Tags: binary analysis, virtual machine, instruction flow, data flow, software security