
Binary File Comment Management And Library Function Annotation System

Posted on: 2019-12-31    Degree: Master    Type: Thesis
Country: China    Candidate: Y B Zhang    Full Text: PDF
GTID: 2428330542996935    Subject: Computer technology
Abstract/Summary:
With the continuous escalation of network confrontation, many kinds of malware have appeared; in recent years nearly 3,000 new versions of malware of various types have been discovered each year on average. Successive versions of a malware family usually evolve incrementally: only part of the code and structure is adjusted, and most binary functions change in form while their functionality stays essentially the same. New and changed function code can therefore be located from the features of each function and from the calling relationships between functions. If earlier analysis results, whether one's own or other people's, can be applied directly to the software currently under analysis, analyst efficiency improves greatly. In addition, the study found that malware contains a large number of library functions, which are complex and numerous and cause considerable trouble for reverse engineers. Identifying these library functions and labelling them with their names would therefore greatly reduce the reverse engineer's workload.

The objectives of this thesis focus on two points. The first is carrying forward existing analysis results. Reverse analysts mark the key functions of the software during manual analysis of malware. Because malware versions build on one another, these key functions often change only in form and not in function, so function annotations from the old version remain meaningful in the new version. Managing these annotations sensibly and making effective use of them has become an important task. The second is the analysis of unknown malicious binary files. To simplify the analysis process and reduce the workload of reverse analysts, the parts that are known to be library functions need to be annotated. Once a library function is labelled with a meaningful name, the reverse engineer can skip it directly, which greatly improves efficiency.

The system is a web application written in Python, using the Django framework and the MongoDB database; the versions used are Python 2.7.10 and Django 1.8.13. To make MongoDB access efficient, pymongo is used for interaction with the database. The system is divided into a front end and a back end: the front-end web interface interacts with users, and the back end is a functional server that processes front-end requests and returns responses. The system implements user management and user permission management, and makes full use of Python's flexibility to implement the annotation management function. It can extract the comments in IDB (IDA Pro) and UDD (OllyDbg) files into the database, display the extracted annotation information in the system, migrate existing annotations to new software for the user, and let the user download the annotations. The system also implements library function identification and labelling: it can identify the library functions in a piece of software and write their names into the software in the form of function annotations. The labelled file can be displayed on a system page and downloaded by the user. The system effectively helps reverse analysts reduce their workload and improve their efficiency. The system completed the development task and achieved the expected goal.
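The abstract states that annotations can be carried over to a new version by matching functions on their code features and calling relationships, and that library functions can be recognised and labelled by name, but it does not show the matching itself. The following is an added example in Python, not the thesis system's code, that demonstrates both ideas: an exact fingerprint over operand-stripped mnemonics, a fuzzy fallback that is only accepted when the set of already-labelled callees is identical, and a FLIRT-style signature table for library functions. The Function class, the fingerprint and similarity measures, the 0.75 threshold and the two toy call graphs are all assumptions constructed for this example; in the real system the function list, mnemonics and call targets would come from the disassembler database.

```python
# Added example, not the thesis system's code: carry function annotations from
# an analysed malware version to a new build and label known library functions,
# using the two features the abstract names: a fingerprint of each function's
# code and its calling relationships. All binaries below are constructed toy
# call graphs, not real samples.
import hashlib
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Function:
    """A disassembled function: start address, mnemonic sequence with operands
    stripped (so rebased addresses and changed immediates do not perturb the
    feature), and the start addresses of the functions it calls."""
    addr: int
    mnemonics: tuple
    callees: frozenset


def fingerprint(fn):
    """Exact feature: hash of the normalized mnemonic sequence."""
    return hashlib.sha256(" ".join(fn.mnemonics).encode()).hexdigest()


def similarity(a, b):
    """Fuzzy feature: 0..1 ratio of matching mnemonic runs, tolerant of the
    small insertions and reorderings seen between versions."""
    return SequenceMatcher(None, a.mnemonics, b.mnemonics).ratio()


def label_library_functions(funcs, lib_sigs):
    """addr -> library name for every function whose fingerprint is in
    lib_sigs, a table built once from clean library builds (FLIRT-style)."""
    return {fn.addr: lib_sigs[fingerprint(fn)] for fn in funcs.values()
            if fingerprint(fn) in lib_sigs}


def callee_names(fn, names):
    """Call-relationship feature: the labels already known for the callees."""
    return frozenset(names[c] for c in fn.callees if c in names)


def migrate_annotations(old_funcs, old_notes, new_funcs, lib_sigs, min_ratio=0.75):
    """Return (new_notes, stale, fresh): annotations keyed by new address; old
    addresses whose annotation found no counterpart (function removed or
    rewritten); new addresses with neither a library label nor a migrated note
    (new code). Only stale and fresh need the analyst's attention."""
    names_old = {**label_library_functions(old_funcs, lib_sigs), **old_notes}
    names_new = label_library_functions(new_funcs, lib_sigs)
    new_notes = {}

    # Pass 1: exact fingerprint match, accepted only when unambiguous
    # (tiny stubs often share one mnemonic sequence).
    by_fp = {}
    for fn in new_funcs.values():
        by_fp.setdefault(fingerprint(fn), []).append(fn.addr)
    pending = set()
    for old_addr, note in old_notes.items():
        cands = [a for a in by_fp.get(fingerprint(old_funcs[old_addr]), [])
                 if a not in names_new]
        if len(cands) == 1:
            names_new[cands[0]] = new_notes[cands[0]] = note
        else:
            pending.add(old_addr)

    # Pass 2: fuzzy code match confirmed by an identical set of labelled
    # callees, iterated to a fixed point so a caller can match once its
    # callees have been labelled.
    progress = True
    while pending and progress:
        progress = False
        for old_addr in sorted(pending):
            old_fn = old_funcs[old_addr]
            want = callee_names(old_fn, names_old)
            best, best_ratio = None, 0.0
            for fn in new_funcs.values():
                if fn.addr in names_new or callee_names(fn, names_new) != want:
                    continue
                r = similarity(old_fn, fn)
                if r > best_ratio:
                    best, best_ratio = fn.addr, r
            if best is not None and best_ratio >= min_ratio:
                names_new[best] = new_notes[best] = old_notes[old_addr]
                pending.discard(old_addr)
                progress = True

    return new_notes, sorted(pending), sorted(a for a in new_funcs if a not in names_new)


def F(addr, mnemonics, *callees):
    """Helper for the constructed sample data below."""
    return Function(addr, tuple(mnemonics.split()), frozenset(callees))


# Constructed sample: one library function plus four malware functions in the
# old build; the new build is rebased, edits send_beacon, drops cleanup and
# adds one function.
STRLEN = "xor mov cmp je inc jmp ret"
LIB_SIGS = {fingerprint(F(0, STRLEN)): "strlen"}
OLD_FUNCS = {f.addr: f for f in (
    F(0x1000, STRLEN),
    F(0x1100, "push mov call mov call test jz ret", 0x1000, 0x1200),
    F(0x1200, "push mov xor mov add loop pop ret"),
    F(0x1300, "push call call pop ret", 0x1100),
    F(0x1400, "push mov call pop ret", 0x1000),
)}
OLD_NOTES = {0x1100: "send_beacon: C2 check-in",
             0x1200: "encrypt_payload: XOR with rolling key",
             0x1300: "main", 0x1400: "cleanup: delete dropped files"}
NEW_FUNCS = {f.addr: f for f in (
    F(0x2000, STRLEN),
    F(0x2100, "push mov xor mov add loop pop ret"),
    F(0x2200, "push mov call mov call mov test jz ret", 0x2000, 0x2100),  # send_beacon, one insn added
    F(0x2300, "push call call pop ret", 0x2200),
    F(0x2400, "sub lea mov mov call mov call add ret", 0x2000),  # brand-new code
)}

if __name__ == "__main__":
    notes, stale, fresh = migrate_annotations(OLD_FUNCS, OLD_NOTES, NEW_FUNCS, LIB_SIGS)
    print("library labels:", label_library_functions(NEW_FUNCS, LIB_SIGS))
    print("migrated:", notes)
    print("review (old, no counterpart):", [hex(a) for a in stale])
    print("review (new, unlabelled):", [hex(a) for a in fresh])
```

Two design points matter in practice. A mnemonic-only fingerprint collides on small stubs and thunks, which is why pass 1 accepts an exact match only when it is unique and otherwise defers to the call-relationship check. Library labels are applied before migration because they are the most stable callee names available in both versions; once a function's callees are labelled, its own edited body can still be matched, and the old-version call graph seeds the next round. The threshold is a tuning knob: raise it to reduce wrong migrations, lower it to accept heavier rewrites, and always hand the stale and fresh lists to the analyst rather than silently dropping them.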
Keywords/Search Tags: Malware, binary code analysis, annotation management, library function recognition