
Research On Virtualization-based Capture Technology Of Malicious Code Behavior

Posted on: 2011-10-09
Degree: Master
Type: Thesis
Country: China
Candidate: Q Y Lin
GTID: 2178330332478417
Subject: Computer software and theory

Abstract/Summary:
Among all Internet threats, malicious code is undoubtedly the most damaging. This thesis is aimed at the capture of malicious code behavior. Current research on capturing malicious code behavior suffers from several problems. First, the analysis environment is too easily detected by malicious code, so the analysis can be bypassed. Second, the information obtained does not reflect the details of the malicious code's behavior. Third, existing research neglects real-time analysis of the processes, remote threads and Windows services spawned by malicious code at runtime. To this end, the purpose of the thesis is to achieve stealthy, comprehensive, automated capture of malicious code behavior. The main content includes the following.

First, an introduction to virtualization technology and its related concepts is given. An overview of malicious code is presented, and the two methods of malicious code analysis, static and dynamic, are discussed. Through the analysis of these two methods, it is pointed out that the dynamic method is better suited to the analysis of malicious code. Then, an in-depth study of the major virtualization-based techniques for capturing malicious code behavior is conducted and the problems of these existing techniques are described. In addition, related research projects are analyzed and their shortcomings are pointed out.

Second, based on this study, the design and implementation of a virtualization-based system for capturing malicious code behavior is put forward. One problem of current research is that the analysis environment is easily detected; to solve this problem, a stealthy monitoring technique based on virtualization is introduced to enhance the stealth of the analysis as much as possible. A technique for real-time multi-subject analysis is presented, which lets the system analyze in real time the processes, remote threads and Windows services spawned by malicious code at runtime. In addition, the use of system call abstraction and fine-grained behavior capture makes the information obtained about malicious code behavior more comprehensive.

Third, the behavior capture system is tested in this thesis. The tests cover effectiveness testing, functionality testing and sample set testing. The results show that the desired design goal is achieved.

Finally, the thesis summarizes the whole work, presents ways to further improve the behavior capture system and points out future research directions.
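The two techniques the abstract names in its second part, multi-subject analysis (following the processes and remote threads a sample spawns) and system call abstraction (turning raw calls into behavior categories), can be illustrated with a small trace processor. The following is an added example written for this page; it is not the thesis's own code. The trace format, the use of NT system-call names with already-resolved arguments, and the sample log records are assumptions constructed for the demonstration, and Windows service creation (which goes through the service control manager rather than a single system call) is deliberately not modelled.

```python
# Added example: abstract a raw system-call trace into behaviour events while
# following every process and remote thread the sample spawns.
# The record format, syscall names and sample trace below are constructed
# assumptions for this demonstration, not the thesis's own code or data.
from collections import Counter
from dataclasses import dataclass


@dataclass
class SyscallRecord:
    pid: int          # process that issued the call
    syscall: str      # NT system-call name as reported by the (assumed) monitor
    args: dict        # arguments already resolved to paths, keys, pids


@dataclass
class Behaviour:
    subject: int      # monitored pid that performed the action
    kind: str         # abstract behaviour category
    detail: str       # human-readable argument summary


class BehaviourCapture:
    """Turns raw syscalls into abstract behaviours for a growing set of subjects."""

    def __init__(self, root_pid: int):
        # Multi-subject analysis: start with the sample itself and grow the
        # set whenever it creates a process or injects a thread into another.
        self.subjects = {root_pid}
        self.events: list[Behaviour] = []

    def feed(self, rec: SyscallRecord):
        if rec.pid not in self.subjects:
            return None                      # unrelated process: ignored
        a = rec.args
        if rec.syscall == "NtCreateUserProcess":
            self.subjects.add(a["new_pid"])  # follow the child process
            ev = Behaviour(rec.pid, "process_create", a["image"])
        elif rec.syscall == "NtCreateThreadEx":
            target = a["target_pid"]
            if target == rec.pid:
                ev = Behaviour(rec.pid, "thread_create", "local thread")
            else:
                self.subjects.add(target)    # follow the process that received the thread
                ev = Behaviour(rec.pid, "remote_thread", f"into pid {target}")
        elif rec.syscall == "NtCreateFile" and "WRITE" in a.get("access", ""):
            ev = Behaviour(rec.pid, "file_create_for_write", a["path"])
        elif rec.syscall == "NtWriteFile":
            ev = Behaviour(rec.pid, "file_write", f'{a["path"]} ({a["length"]} bytes)')
        elif rec.syscall == "NtSetValueKey":
            ev = Behaviour(rec.pid, "registry_set", f'{a["key"]}\\{a["value"]}')
        else:
            ev = Behaviour(rec.pid, "other", rec.syscall)   # kept, but uncategorised
        self.events.append(ev)
        return ev


def run_capture(records, root_pid):
    cap = BehaviourCapture(root_pid)
    for rec in records:
        cap.feed(rec)
    return cap


def summarise(cap):
    """Per-subject count of behaviour kinds, leaving out uncategorised calls."""
    return {pid: dict(Counter(e.kind for e in cap.events
                              if e.subject == pid and e.kind != "other"))
            for pid in sorted(cap.subjects)}


# Constructed trace: pid 100 is the sample, pid 300 is an unrelated process,
# pid 400 is a pre-existing process that receives a remote thread from pid 200.
SAMPLE_TRACE = [
    SyscallRecord(100, "NtCreateFile", {"path": r"C:\Users\u\AppData\Roaming\upd.exe", "access": "GENERIC_WRITE"}),
    SyscallRecord(100, "NtWriteFile", {"path": r"C:\Users\u\AppData\Roaming\upd.exe", "length": 40960}),
    SyscallRecord(100, "NtSetValueKey", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "upd"}),
    SyscallRecord(100, "NtCreateUserProcess", {"image": r"C:\Users\u\AppData\Roaming\upd.exe", "new_pid": 200}),
    SyscallRecord(300, "NtCreateFile", {"path": r"C:\Windows\Temp\log.txt", "access": "GENERIC_WRITE"}),
    SyscallRecord(200, "NtCreateThreadEx", {"target_pid": 400}),
    SyscallRecord(400, "NtCreateFile", {"path": r"C:\Users\u\Documents\report.docx", "access": "GENERIC_WRITE"}),
    SyscallRecord(400, "NtDeviceIoControlFile", {}),
]

if __name__ == "__main__":
    cap = run_capture(SAMPLE_TRACE, root_pid=100)
    for ev in cap.events:
        print(f"pid {ev.subject}: {ev.kind} {ev.detail}")
    print(summarise(cap))
```

The point the example makes is that the monitored set must grow during the run: the write to pid 400's document is only attributed to the sample because the remote thread from the child process pid 200 pulled pid 400 into the subject set, while the unrelated write by pid 300 is dropped. A capture system that only watched the original pid would miss both the child's and the injected process's activity.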
Keywords/Search Tags:Virtualization Technology, Virtual Execution Environment, Malicious Code, Behavior, Dynamic Analysis, System Call