
Research On The Continuous Memory Image Analysis Technology For Malware

Posted on: 2017-05-24
Degree: Master
Type: Thesis
Country: China
Candidate: L N Du
Full Text: PDF
GTID: 2348330503972491
Subject: Computer technology
Abstract/Summary:
How to detect the behavior of malware effectively, and how to derive countermeasures from that behavior, has always been a key problem in information security research. Traditional static and dynamic malware detection methods both suffer from coarse-grained detection; in order to detect malware behavior more comprehensively, memory image analysis has been proposed and applied to the analysis of malware.

We design a method that runs malicious code samples in a QEMU virtual machine and continuously saves a base snapshot and incremental snapshots of the virtual machine memory across three periods: before, during and after the sample runs. Following the order of acquisition, the base and incremental data are then combined to reconstruct the complete memory image of each period. Building on the analysis of a single memory image, the memory images of the different periods are compared, so that the changes to key memory objects such as processes, the registry, services and network connections over the life cycle of the malware can be extracted, together with the behavior of the malware and its influence on the system. We also design a data visualization for the memory data: using the visualization library D3.js, the memory and the change of system state during runtime are shown in the form of charts, displaying the change of the system over the life cycle of the malicious code visually and effectively.

We implemented the system and used it to analyze the typical sample Sentry_MBA and 40 kinds of malware samples, then compared the results with File B-Chao. The results show that continuous memory analysis can accurately detect suspicious malware behavior in processes, code injection, the registry, etc., which indicates the effectiveness of the memory analysis method proposed in this paper. We then compared continuous memory image analysis with single memory image analysis. In the test results for the 40 kinds of samples, the number of malware detections increased by 37% with continuous analysis, which improves the accuracy of the memory analysis method.
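As an added illustration of the base-plus-incremental reconstruction and period-to-period comparison described in the abstract (not the thesis's own code), the following Python models page-granular snapshots, rebuilds each period's full image, diffs the memory objects extracted from consecutive periods, and reports the transient objects that an analysis of only the final image would miss. The page size, the "kind:identifier" record format and all snapshot contents are constructed assumptions standing in for real QEMU memory dumps and a real process/service/registry/connection parser.

```python
PAGE = 128  # constructed page size for the toy snapshots; real dumps use 4 KiB pages

def make_page(*records):
    # Pack constructed "kind:identifier" records into one null-padded page.
    data = "".join(r + "\n" for r in records).encode()
    assert len(data) <= PAGE, "constructed record set exceeds one page"
    return data.ljust(PAGE, b"\0")

def reconstruct(base, deltas, upto):
    # Full image of period `upto`: replay page deltas 0..upto onto the base snapshot.
    pages = [base[i:i + PAGE] for i in range(0, len(base), PAGE)]
    for delta in deltas[:upto + 1]:
        for idx, data in delta.items():
            pages[idx] = data
    return b"".join(pages)

def extract_objects(image):
    # Toy object walker standing in for a real parser: every "kind:identifier"
    # line found in the image is treated as one memory object.
    objs = set()
    for line in image.replace(b"\0", b"").split(b"\n"):
        if b":" in line:
            objs.add(tuple(line.decode().split(":", 1)))
    return objs

def continuous_analysis(base, deltas):
    # Diff each pair of consecutive periods (before -> during -> after).
    periods = [base] + [reconstruct(base, deltas, k) for k in range(len(deltas))]
    inv = [extract_objects(img) for img in periods]
    return [{"added": c - p, "removed": p - c} for p, c in zip(inv, inv[1:])]

def single_image_analysis(base, deltas):
    # Baseline: inspect only the final image, as a one-shot dump would.
    return extract_objects(reconstruct(base, deltas, len(deltas) - 1))

def transient_objects(timeline):
    # Objects that appeared in one period and were gone by a later one:
    # exactly what the single final-image analysis cannot see.
    seen, transient = set(), set()
    for step in timeline:
        transient |= step["removed"] & seen
        seen |= step["added"]
    return transient

# Constructed snapshots standing in for QEMU memory dumps of the three periods:
# a clean base, then the page changes captured during and after sample execution.
BASE = (make_page("proc:4:System", "proc:620:svchost.exe")
        + make_page("svc:Spooler", "conn:10.0.0.5:445") + make_page())
DELTAS = [
    {2: make_page("proc:1337:dropper.exe", "conn:192.0.2.10:4444")},
    {2: make_page("svc:UpdaterSvc",
                  r"reg:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater")},
]
```

Running `continuous_analysis(BASE, DELTAS)` yields the per-period added/removed object sets, and `transient_objects` on that timeline returns the dropper process and its connection, which `single_image_analysis` never reports.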
Keywords/Search Tags: Malware, Memory Image, Memory Object, Data Visualization