
Win32PE Virus And Its Detection

Posted on: 2009-08-13
Degree: Master
Type: Thesis
Country: China
Candidate: P H Yuan
Full Text: PDF
GTID: 2178360278462471
Subject: Communication and Information System

Abstract/Summary:
The first part of this dissertation discusses virus and anti-virus technology, and the confrontation between them, in detail, and identifies two technical difficulties that current anti-virus products face. The first concerns virtual-machine code emulation, which holds an important position in the anti-virus field but whose inherent defects leave it defeated by many anti-emulation techniques. The second is that, as virus-related techniques develop rapidly, metamorphic viruses present anti-virus technology with new challenges: because a metamorphic virus has no fixed code, no useful signature can be extracted from it, which means signature scanners cannot detect this kind of virus.

Two solutions are put forward in this dissertation: a "Disassembler Based and Interrupt Guided Virus Detection Platform" and "The Application of Computer Instruction Inter-relation in the Detection of Virus".

The first solution is a feasible substitute for code emulation. The platform lets the suspect program run directly on the real computer system, but dozens of breakpoints are placed in the program, each of which triggers an interrupt when it is executed. Where a breakpoint must be placed is decided by a recursive disassembler: whenever an interrupt is triggered during execution, it disassembles the suspect program from that point and places a breakpoint wherever a suspect instruction is found. The so-called "suspect instructions" are those with the potential to invoke an API function. In this way the platform ensures that APIs which would threaten the security of the real computer system are never actually called and executed. Communication between the suspect program and the disassembler goes through an SEH (structured exception handling) function that is injected into, and thus becomes part of, the suspect program.
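The breakpoint-planting loop described above, as an added example that is not the thesis's code: a recursive-descent disassembler over a tiny x86-32 subset follows direct calls and jumps from the entry point, stops each path at the first "suspect" instruction (an indirect call or jmp through a memory pointer, which is how imported APIs are reached), and overwrites that instruction's first byte with int3. On Windows an int3 raises a breakpoint exception that an injected SEH handler receives; here `on_breakpoint` stands in for that handler, restores the byte, names the API behind the pointer, applies a policy, and lets disassembly continue past the instruction only if the call is allowed. The opcode subset, the sample bytes, the IAT layout and the blocked-API policy are all constructed assumptions for the example.

```python
"""Toy model of the interrupt-guided detection platform: a recursive
disassembler plants int3 on suspect instructions, and an SEH-style handler
decides on each hit whether the API call may proceed.  Added example, not
the thesis's code; only a small x86-32 opcode subset is decoded."""
import struct
from collections import namedtuple

INT3 = 0xCC
# off, mnemonic, length, statically known successors, suspect?, pointer operand
Insn = namedtuple("Insn", "off mnem length succ suspect ptr")


def decode(code, off):
    """Decode one instruction of the toy x86-32 subset at byte offset `off`."""
    op = code[off]
    if op == 0x90:
        return Insn(off, "nop", 1, [off + 1], False, None)
    if op == 0xC3:
        return Insn(off, "ret", 1, [], False, None)
    if op == 0xE8:                                    # call rel32 (direct)
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return Insn(off, "call", 5, [off + 5, off + 5 + rel], False, None)
    if op == 0xE9:                                    # jmp rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return Insn(off, "jmp", 5, [off + 5 + rel], False, None)
    if op == 0xEB:                                    # jmp rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return Insn(off, "jmp", 2, [off + 2 + rel], False, None)
    if 0x70 <= op <= 0x7F:                            # jcc rel8: both edges
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return Insn(off, "jcc", 2, [off + 2, off + 2 + rel], False, None)
    if op == 0xFF and code[off + 1] in (0x15, 0x25):  # call/jmp dword [disp32]
        ptr = struct.unpack_from("<I", code, off + 2)[0]
        if code[off + 1] == 0x15:                     # suspect: may reach an API
            return Insn(off, "call [mem]", 6, [off + 6], True, ptr)
        return Insn(off, "jmp [mem]", 6, [], True, ptr)
    raise ValueError("opcode %#x at %#x is outside the toy subset" % (op, off))


class Platform:
    """Patched image, planted breakpoints, and the API policy."""

    def __init__(self, image, imports, blocked_apis):
        self.code = bytearray(image)
        self.imports = imports            # IAT slot address -> API name
        self.blocked = set(blocked_apis)
        self.planted = {}                 # offset -> original first byte
        self.visited = set()
        self.log = []

    def disassemble_from(self, start):
        """Recursive-descent walk from `start`; each path stops at its first
        suspect instruction, whose first byte becomes int3."""
        work = [start]
        while work:
            off = work.pop()
            if off in self.visited or not 0 <= off < len(self.code):
                continue
            self.visited.add(off)
            insn = decode(self.code, off)
            if insn.suspect:
                self.planted[off] = self.code[off]
                self.code[off] = INT3
                continue                  # resumed when the breakpoint fires
            work.extend(insn.succ)

    def on_breakpoint(self, off):
        """What the injected SEH handler does for an int3 hit at `off`."""
        self.code[off] = self.planted.pop(off)        # restore the original byte
        insn = decode(self.code, off)
        api = self.imports.get(insn.ptr, "unknown target %#x" % insn.ptr)
        allowed = api not in self.blocked and not api.startswith("unknown")
        self.log.append((off, insn.mnem, api, allowed))
        if allowed:                                   # keep disassembling past it
            for s in insn.succ:
                self.disassemble_from(s)
        return allowed


# Constructed sample (not from any real binary):
#   00 nop | 01 call 0x0D | 06 jmp [0x402010] | 0C ret
#   0D jz 0x15 | 0F call [0x402008] | 15 ret
SAMPLE = bytes.fromhex("90 E807000000 FF2510204000 C3 7406 FF1508204000 C3")
IAT = {0x402008: "kernel32!WriteFile", 0x402010: "kernel32!ExitProcess"}  # assumed
POLICY = {"kernel32!WriteFile"}     # assumed: APIs the platform refuses to run


def demo():
    """Plant breakpoints from the entry, then feed hits in execution order."""
    p = Platform(SAMPLE, IAT, POLICY)
    p.disassemble_from(0)
    planted = sorted(p.planted)                             # [6, 15]
    decisions = [p.on_breakpoint(off) for off in (0x0F, 0x06)]
    return planted, decisions, p.log


if __name__ == "__main__":
    print(demo())
```

The walk never executes the indirect transfers itself: the int3 fires in the real process before the API is reached, so the handler's decision is what separates a harmless import from one the platform refuses, and disassembly only proceeds beyond an allowed call.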
This dissertation also discusses a variety of problems the platform faces and proposes corresponding solutions.

While searching for an effective detection method for metamorphic viruses, I realized that metamorphic techniques are not merely tools for changing the virus body but also telltales. Techniques such as equivalent-instruction replacement, register replacement and garbage-instruction insertion clearly change the statistical characteristics of the code: compared with code that does not use these techniques, the inter-relations between the instructions of a metamorphic virus are weakened. Using the statistical characteristics of the inter-relation of instructions to detect metamorphic viruses may therefore be a wise tactic. To validate this idea, a great number of experiments were carried out. Thousands of PE files were processed to extract a valuable statistical characteristic, the Instruction Relation Map. Some programs were then selected as test objects and disassembled, every 2, 3 or 4 consecutive instructions was treated as a unit, and the corresponding value of each unit was looked up in the Instruction Relation Map. Finally, Matlab's plotting functions were used to plot the values. The experiments show that using the inter-relation of instructions as a detection rule for metamorphic viruses is feasible.

If these two virus detection technologies are put into practice, anti-virus products will clearly improve their ability to detect viruses.
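The Instruction Relation Map and the per-unit lookup described above, as an added example that is not the thesis's code or data: the map is an n-gram table over consecutive instruction tokens built from constructed "clean" sequences, each 2-, 3- or 4-instruction unit of a test function is looked up in it (these per-unit values are what one would plot), and a metamorphic rewrite of the same function, using garbage insertion, register renaming and equivalent-instruction replacement, is scored beside the original. The training sequences, the test pair, the operand abstraction and the smoothed scoring rule are all assumptions made for the example.

```python
"""Instruction Relation Map as an n-gram table over consecutive instructions.
Added example (not the thesis's code or data): train on constructed clean
sequences, look up every n-instruction unit of a test function, and compare
a function with its metamorphic rewrite."""
import math
from collections import Counter


def tokenize(disasm):
    """Abstract 'mov eax, [ebx]' to 'mov/rm' (r register, i immediate,
    m memory) so that register renaming alone leaves the token unchanged."""
    toks = []
    for line in disasm:
        parts = line.replace(",", " ").split()
        mnem, ops = parts[0], parts[1:]
        kinds = ""
        for o in ops:
            if "[" in o:
                kinds += "m"
            elif o.startswith("0x") or o.lstrip("-").isdigit():
                kinds += "i"
            else:
                kinds += "r"
        toks.append(mnem + "/" + kinds if kinds else mnem)
    return toks


class RelationMap:
    """Counts of every n consecutive instruction tokens seen in clean code."""

    def __init__(self, ns=(2, 3, 4)):
        self.counts = {n: Counter() for n in ns}
        self.total = {n: 0 for n in ns}

    def train(self, toks):
        for n in self.counts:
            for i in range(len(toks) - n + 1):
                self.counts[n][tuple(toks[i:i + n])] += 1
                self.total[n] += 1

    def unit_values(self, toks, n):
        """Per-unit value to plot: training count of each n-instruction unit."""
        return [self.counts[n][tuple(toks[i:i + n])]
                for i in range(len(toks) - n + 1)]

    def unseen_fraction(self, toks, n):
        vals = self.unit_values(toks, n)
        return sum(v == 0 for v in vals) / len(vals)

    def score(self, toks, n):
        """Mean add-one-smoothed log probability of the units; lower means
        the instructions are less inter-related than clean code."""
        vocab = len(self.counts[n]) + 1
        lps = [math.log((v + 1) / (self.total[n] + vocab))
               for v in self.unit_values(toks, n)]
        return sum(lps) / len(lps)


# Constructed training sequences standing in for disassembly of clean PE files.
CLEAN = [
    ["push ebp", "mov ebp, esp", "sub esp, 0x10", "push ebx", "mov ebx, [ebp+8]",
     "test ebx, ebx", "jz 0x40", "mov eax, [ebx]", "add eax, 1", "mov [ebx], eax",
     "pop ebx", "mov esp, ebp", "pop ebp", "ret"],
    ["push ebp", "mov ebp, esp", "push esi", "mov esi, [ebp+8]", "xor eax, eax",
     "cmp esi, 0", "jz 0x20", "mov eax, [esi]", "add eax, 4", "pop esi", "pop ebp", "ret"],
    ["push ebp", "mov ebp, esp", "sub esp, 0x20", "push edi", "mov edi, [ebp+0xc]",
     "xor ecx, ecx", "cmp edi, 0", "jz 0x30", "mov eax, [edi]", "add eax, 2",
     "mov [edi], eax", "pop edi", "mov esp, ebp", "pop ebp", "ret"],
]
# Constructed test pair: a function and its metamorphic rewrite (ebx renamed to
# esi, nop / mov edx,edx garbage, push ebp and add eax,1 and test replaced by
# equivalent instruction sequences).
ORIGINAL = ["push ebp", "mov ebp, esp", "push ebx", "mov ebx, [ebp+8]", "test ebx, ebx",
            "jz 0x40", "mov eax, [ebx]", "add eax, 1", "pop ebx", "pop ebp", "ret"]
METAMORPHIC = ["sub esp, 4", "mov [esp], ebp", "mov ebp, esp", "push esi", "nop",
               "mov esi, [ebp+8]", "mov edx, edx", "or esi, esi", "jz 0x40",
               "mov eax, [esi]", "sub eax, -1", "pop esi", "pop ebp", "ret"]


def build_map():
    m = RelationMap()
    for seq in CLEAN:
        m.train(tokenize(seq))
    return m


def compare(n=2):
    """(original score, metamorphic score, original unseen, metamorphic unseen)."""
    m = build_map()
    o, v = tokenize(ORIGINAL), tokenize(METAMORPHIC)
    return m.score(o, n), m.score(v, n), m.unseen_fraction(o, n), m.unseen_fraction(v, n)


if __name__ == "__main__":
    for n in (2, 3, 4):
        print(n, compare(n))
```

Because the tokens abstract away which register is used, register replacement on its own is not penalized here; the drop comes from the garbage instructions and the equivalent-instruction substitutions, which create units the map has rarely or never seen. With a map built from thousands of files rather than three sequences the clean baseline is far denser, and the 3- and 4-instruction units become the more discriminating ones.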
Keywords/Search Tags: PE Viruses, Anti-virus, Interrupt Guidance, Inter-Relation of Instructions