
Research And Implementation Of Malware Analysis Tool Based On Virtualization

Posted on: 2013-02-18
Degree: Master
Type: Thesis
Country: China
Candidate: X D Zhao
Full Text: PDF
GTID: 2248330371987997
Subject: Computer software and theory
Abstract/Summary:
Malware analysis is an important method for rapidly and accurately identifying the behavior of malware; it improves the security of operating systems and applications by making malware easier to contain and remove. As anti-analysis technology has developed, malware has adopted techniques such as packing, encryption and code obfuscation, which make analysis harder. Malicious code analysis has therefore become a hot research topic in information security.

Current malware analysis platforms face several challenges: an insecure analysis environment, poor scalability, static and dynamic analysis that are performed independently of each other, and an inability to meet the demands of analyzing malicious code at scale. To address these problems, this thesis aims to implement a secure, reliable and scalable malware analysis tool that combines static and dynamic analysis.

The main contributions of this thesis are as follows:

1) Static and dynamic malware analysis methods are discussed and their respective advantages and disadvantages compared. The thesis then summarizes common anti-analysis methods and derives the goals and requirements of the system.

2) The common methods and features of malware analysis based on system virtualization are summarized. In particular, Intel VT hardware virtualization technology is introduced and employed.

3) A framework for a virtualization-based malware analysis tool is designed. The framework uses hardware virtualization to build a safe and reliable dynamic analysis environment, and uses static analysis to generate an appropriate analysis strategy for the dynamic analysis phase. The prototype system is implemented by extending the open-source Ether analysis framework. The dynamic analysis environment can intercept and capture the state of malicious code at two granularities, system calls and individual instructions, and can debug against that state. The tool also supports unpacking and decrypting malware that uses anti-analysis techniques.

4) On top of the implemented prototype, program slicing is used in the static analysis phase to extract the information that matters for control-flow transfers. Dynamic analysis of the malicious code is then performed automatically along multiple paths, which effectively increases code coverage.

The experimental results show that the malicious code analysis tool designed in this thesis is adaptable and scalable for analyzing and debugging malicious code, and that combining static and dynamic analysis counters packing, encryption and other anti-analysis techniques.
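The claim in contribution 4) that multi-path dynamic analysis increases code coverage is easiest to see on a small model. The following is an added illustration, not code from the thesis or from Ether: Ether's hardware-assisted instruction and system-call tracing is replaced by a toy interpreter over a constructed program, and the mechanism for forcing the untaken side of a conditional branch (a `forced` map from branch address to flag value) is an assumption about how such exploration can be driven. The sample program, its environment predicates and its API names are all constructed for the example.

```python
"""Toy model of multi-path dynamic analysis for code coverage.

Constructed illustration, not the thesis's Ether-based implementation.
A run records which instruction addresses executed (instruction-level
view) and which APIs were called (system-call-level view); the explorer
then re-runs the sample forcing each conditional branch the other way.
"""
from typing import Dict, List, Optional, Set, Tuple

Instr = Tuple
Program = List[Instr]

# Instruction forms (all constructed for this example):
#   ("check", predicate)  set the flag from an environment predicate
#   ("jz", target)        jump to target when the flag is False
#   ("jmp", target)       unconditional jump
#   ("call", api)         record an API call
#   ("exit",)             stop
SAMPLE_PROGRAM: Program = [
    ("check", "is_debugger_present"),   # 0  anti-analysis check
    ("jz", 4),                          # 1  no debugger -> continue at 4
    ("call", "ExitProcess"),            # 2  bail out under analysis
    ("exit",),                          # 3
    ("check", "mutex_exists"),          # 4  already installed?
    ("jz", 8),                          # 5  no mutex -> install at 8
    ("call", "ExitProcess"),            # 6  second instance quits
    ("exit",),                          # 7
    ("call", "CreateMutex"),            # 8
    ("call", "RegSetValue"),            # 9  persistence
    ("check", "network_up"),            # 10
    ("jz", 13),                         # 11 offline -> skip C2
    ("call", "InternetOpenUrl"),        # 12 C2 contact
    ("exit",),                          # 13
]

# Constructed sandbox environment: a debugger is visible, so a single
# run only ever sees the anti-analysis exit path.
SAMPLE_ENV: Dict[str, bool] = {
    "is_debugger_present": True,
    "mutex_exists": False,
    "network_up": False,
}


def run(program: Program, env: Dict[str, bool],
        forced: Optional[Dict[int, bool]] = None
        ) -> Tuple[Set[int], List[str], List[Tuple[int, bool]]]:
    """Execute one path. `forced` overrides the flag seen at a given
    `jz` address. Returns (covered addresses, api calls, branch decisions)."""
    forced = forced or {}
    pc, flag = 0, False
    covered: Set[int] = set()
    calls: List[str] = []
    decisions: List[Tuple[int, bool]] = []
    for _ in range(10_000):                 # guard against runaway loops
        covered.add(pc)
        op = program[pc]
        if op[0] == "check":
            flag = bool(env.get(op[1], False))
            pc += 1
        elif op[0] == "jz":
            value = forced.get(pc, flag)
            decisions.append((pc, value))
            pc = pc + 1 if value else op[1]
        elif op[0] == "jmp":
            pc = op[1]
        elif op[0] == "call":
            calls.append(op[1])
            pc += 1
        elif op[0] == "exit":
            return covered, calls, decisions
        else:
            raise ValueError(f"unknown instruction {op!r}")
    raise RuntimeError("runaway program")


def explore(program: Program, env: Dict[str, bool]
            ) -> Tuple[Set[int], Set[str], int]:
    """Multi-path exploration: after each run, schedule a new run that
    forces every not-yet-forced branch the opposite way. Returns the
    union of covered addresses, the union of API calls, and the run count."""
    seen: Set[frozenset] = set()
    worklist: List[Dict[int, bool]] = [{}]
    total_cov: Set[int] = set()
    all_calls: Set[str] = set()
    runs = 0
    while worklist:
        forced = worklist.pop()
        key = frozenset(forced.items())
        if key in seen:
            continue
        seen.add(key)
        runs += 1
        cov, calls, decisions = run(program, env, forced)
        total_cov |= cov
        all_calls |= set(calls)
        for pc, value in decisions:
            if pc not in forced:
                worklist.append({**forced, pc: not value})
    return total_cov, all_calls, runs


def coverage_ratio(covered: Set[int], program: Program) -> float:
    """Fraction of instruction addresses executed."""
    return len(covered) / len(program)


if __name__ == "__main__":
    single_cov, single_calls, _ = run(SAMPLE_PROGRAM, SAMPLE_ENV)
    print("single run:", coverage_ratio(single_cov, SAMPLE_PROGRAM), single_calls)
    cov, calls, runs = explore(SAMPLE_PROGRAM, SAMPLE_ENV)
    print("multi-path:", coverage_ratio(cov, SAMPLE_PROGRAM), sorted(calls), runs)
```

In the constructed environment a single run executes only the debugger check and the exit (4 of 14 addresses) and observes nothing but `ExitProcess`; multi-path exploration reaches all 14 addresses in five runs and exposes the persistence and C2 calls that the anti-analysis branch hid. Real exploration must also keep the forced path consistent (for example, not forcing a mutex check one way and a later check of the same state the other), which this toy does not model.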
Keywords/Search Tags: malware, hardware virtualization, dynamic analysis, code debugging, code coverage