
Research Of Dynamic Data Flow Analysis Technology Application In Malware Analysis

Posted on: 2017-01-27
Degree: Master
Type: Thesis
Country: China
Candidate: X Xu
Full Text: PDF
GTID: 2308330485953699
Subject: Information security
Abstract/Summary:
Malware is the tool attackers use to damage target information systems or steal information from them, and it poses a serious threat to those systems. The results of malware analysis feed network perimeter defence, information system protection and attack source tracing. The techniques in current use, static reverse engineering and debugger-based dynamic binary analysis, require a great deal of manual work and are therefore inefficient. Hooking-based sandboxes are another widely used analysis method, but they have the shortcoming that they extract only discrete facts: addresses and ports from network communication, and the API calls made during execution. Such facts rarely give a clear picture of how the program processes its data during execution. As new malware keeps appearing, more targeted methods are needed to keep analysis efficient.

This thesis addresses the main problem of current malware analysis methods by introducing dynamic binary instrumentation and taint analysis. In malware analysis the program's working flow is tied to its data flow, so analysing how data is processed is essential. Dynamic binary instrumentation makes it convenient to program custom analysis algorithms that run alongside the program's execution, which reduces the human effort needed to monitor a binary's execution and analyse its data flow. Taint analysis built on binary instrumentation can be combined with well-designed API call monitoring, and by programming the analysis steps the data flow analysis becomes largely automatic.

We examine in depth the protection methods used by trojan horses and the design of their protocols. Programs for locating the original program entry point and a taint analysis program are implemented on the Pin dynamic binary instrumentation framework, and the method designed to analyse a protocol's format by analysing how the program processes its data flows is shown to be effective.

Software backdoor behaviour is also analysed and modelled, and a method for analysing backdoor behaviour by monitoring sensitive information is designed and implemented; a typical software backdoor is chosen to demonstrate the method's effectiveness. Applying dynamic binary instrumentation and taint analysis to malware analysis lets the important data-processing steps be tracked dynamically and more clearly, which improves the efficiency of manual reverse engineering of a program's operation.
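The abstract describes two uses of instrumentation-based taint analysis: recovering a trojan's protocol format from the way received data is processed, and detecting backdoor behaviour by watching sensitive information reach monitored API calls. The following is an added illustrative example, not the thesis's Pin tools: a toy byte-level taint tracker that replays a constructed micro-instruction trace of a parser handling one command message. Each received byte is a taint source labelled with its message offset; labels propagate through moves and ALU operations, tainted compares are recorded as parser fields, and a monitored API receiving tainted memory is recorded as a sink hit. The message layout, register names, addresses and the CreateProcessA sink are all assumptions made for the example.

```python
"""Toy byte-level dynamic taint tracker (added example, not the thesis's Pin tools).

Each byte delivered by a simulated recv() is a taint source labelled with its
offset in the message. Labels propagate through register/memory moves and ALU
operations the way an instruction-level Pintool propagates them, and two kinds
of sinks are recorded: comparisons on tainted values (exposing the fields the
parser dispatches on) and monitored API calls whose buffer holds tainted bytes
(exposing received data reaching a sensitive operation). The message layout,
register names, addresses and the CreateProcessA sink are assumptions.
"""
from typing import Dict, FrozenSet, List, Tuple

Label = FrozenSet[int]        # input-byte offsets a value depends on
Cell = Tuple[int, Label]      # (8-bit value, labels)
Finding = Tuple[str, int, Label]
CLEAN: Label = frozenset()


class TaintVM:
    """Runs a hand-written micro-instruction trace while propagating taint."""

    def __init__(self) -> None:
        self.regs: Dict[str, Cell] = {}
        self.mem: Dict[int, Cell] = {}
        self.findings: List[Finding] = []   # (sink kind, immediate or buffer, labels)

    # Taint source: every received byte gets its own label.
    def recv(self, buf: int, data: bytes) -> None:
        for off, byte in enumerate(data):
            self.mem[buf + off] = (byte, frozenset({off}))

    def mov_imm(self, dst: str, imm: int) -> None:
        self.regs[dst] = (imm & 0xFF, CLEAN)          # constants are untainted

    def load(self, dst: str, addr: int) -> None:       # mov dst, [addr]
        self.regs[dst] = self.mem.get(addr, (0, CLEAN))

    def store(self, addr: int, src: str) -> None:      # mov [addr], src
        self.mem[addr] = self.regs[src]

    def alu(self, op: str, dst: str, src: str) -> None:
        if op == "xor" and dst == src:                 # xor r, r zeroes r: the result
            self.regs[dst] = (0, CLEAN)                # no longer depends on input
            return
        v1, t1 = self.regs[dst]
        v2, t2 = self.regs[src]
        result = {"add": (v1 + v2) & 0xFF, "xor": v1 ^ v2, "and": v1 & v2}[op]
        self.regs[dst] = (result, t1 | t2)             # result depends on both operands

    # Sink 1: a compare against a constant on a tainted register.
    def cmp_imm(self, reg: str, imm: int) -> None:
        _, labels = self.regs[reg]
        if labels:
            self.findings.append(("cmp", imm, labels))

    # Sink 2: a monitored API receiving a buffer that contains tainted bytes.
    def call(self, api: str, buf: int, length: int) -> None:
        labels = CLEAN
        for addr in range(buf, buf + length):
            labels = labels | self.mem.get(addr, (0, CLEAN))[1]
        if labels:
            self.findings.append(("api:" + api, buf, labels))

    def read(self, addr: int, length: int) -> bytes:
        return bytes(self.mem.get(a, (0, CLEAN))[0] for a in range(addr, addr + length))


def run_sample() -> TaintVM:
    """Replays a constructed trace of a trojan parsing one command message."""
    vm = TaintVM()
    in_buf, out_buf = 0x1000, 0x2000
    # Constructed message: [type][length][payload XOR 0x5A ...]
    payload = b"calc!"
    msg = bytes([0x02, len(payload)]) + bytes(b ^ 0x5A for b in payload)
    vm.recv(in_buf, msg)

    vm.load("al", in_buf)            # al = msg[0]: command type
    vm.cmp_imm("al", 0x02)           # dispatch on type -> tainted compare on offset 0
    vm.load("cl", in_buf + 1)        # cl = msg[1]: payload length
    vm.cmp_imm("cl", 0x40)           # bounds check  -> tainted compare on offset 1
    vm.mov_imm("bl", 0x5A)           # de-obfuscation key, a program constant
    length = vm.regs["cl"][0]        # the program's own loop bound
    for i in range(length):          # out[i] = in[2 + i] ^ key
        vm.load("dl", in_buf + 2 + i)
        vm.alu("xor", "dl", "bl")
        vm.store(out_buf + i, "dl")
    vm.alu("xor", "dl", "dl")        # NUL terminator: value 0, taint dropped
    vm.store(out_buf + length, "dl")
    vm.call("CreateProcessA", out_buf, length + 1)   # decoded command reaches a sensitive API
    return vm


def protocol_fields(vm: TaintVM) -> List[Tuple[int, ...]]:
    """Offsets of message fields the parser branched on, recovered from tainted compares."""
    return [tuple(sorted(labels)) for kind, _, labels in vm.findings if kind == "cmp"]


if __name__ == "__main__":
    sample = run_sample()
    for finding in sample.findings:
        print(finding)
    print("fields:", protocol_fields(sample))
    print("decoded:", sample.read(0x2000, 6))
```

The two tainted compares identify offsets 0 and 1 as single-byte header fields, and the API finding shows that offsets 2 to 6 reach CreateProcessA even though they were XOR-obfuscated on the wire; the hooking sandbox the abstract criticises would see only the recv() and CreateProcessA calls, not the link between them. The `xor r, r` special case matters in practice: treating it as a normal binary operation keeps stale taint on a register the program has just zeroed and produces false sinks.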
Keywords/Search Tags:Trojan horse, Software backdoor, Reverse engineering, Binary instrumentation, Taint analysis