
Research And Implementation Of Capturing Malware Behavior Based On Function Monitoring

Posted on: 2016-02-13
Degree: Master
Type: Thesis
Country: China
Candidate: H Zhang
Full Text: PDF
GTID: 2348330488957091
Subject: Engineering
Abstract/Summary:
Our lives are now closely linked with the Internet. While we enjoy its convenience, we also face the security problems brought by malicious programs. A new class of malicious programs, represented by advanced persistent threats, can break through traditional security solutions and causes great harm to the network security of the state, society, enterprises and individuals. The analysis of unknown files is therefore the focus and the difficulty of this research.

This thesis presents a method for analyzing the behavior of malicious programs based on function monitoring. The relationships between APIs are analyzed, a sample analysis environment is constructed with the open-source QEMU emulator, and dynamic analysis is applied. In the virtual machine monitor layer, the API sequence called by the sample, together with its parameters, is captured during dynamic execution. On the basis of the acquired API sequence, an automatic behavior abstraction method is given, and experiments and result analysis are carried out.

The relationships between APIs are analyzed. Using QEMU's translation and execution process, whose unit is the basic block, the virtual machine monitor layer is modified so that the API sequence and parameter information are captured while the malicious program executes. QEMU uses dynamic binary translation to translate between different instruction sets. Semantic reconstruction is used to bridge the semantic gap between QEMU's internal data and the guest operating system, so that processes, threads, APIs and parameters are understood at the semantic level. The thesis also introduces the concepts of the injected process and the non-PE process, together with the analysis that follows from them. The thesis realizes monitoring of injected processes and non-PE file processes, and improves the API capture mechanism.

An automated behavior abstraction method is given, based on the relationships between API sequences and on a full understanding of the relationships between APIs. According to the characteristics of application behavior, two kinds of behavior are defined: basic behavior and higher-order behavior. A basic behavior is a simple behavior that uses a single API. A higher-order behavior is built on basic behaviors and on the relationships between APIs, such as OR and AND; it uses the relationships of API sequences and multiple APIs to express high-level behavior. In the process of behavior abstraction, the key functions and key parameters are extracted, parameters are converted and synthesized, and a behavior analysis report is produced.

This thesis focuses on the acquisition of the API sequence and on behavior abstraction. A method of capturing the behavior of malicious programs based on function monitoring is given: while the application runs, the API call sequence is extracted and the behavior is abstracted. Finally, the abstraction process is completed.
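As an added illustration (not code from the thesis), the following Python sketch shows the abstraction step described above: basic behaviors matched from a single API, with A/W name variants as the OR relation; parameter conversion from a returned handle back to a path; and higher-order behaviors synthesized with the AND relation over basic behaviors that share one object. The Windows API and parameter names are used only for illustration, and the rule set and the trace are constructed.

```python
# Basic behavior = one API (name variants express the OR relation), the key
# parameter that names the behavior's object, and an optional parameter condition.
BASIC = {
    "file_open_write": (("CreateFileA", "CreateFileW"), "lpFileName",
                        lambda p: "GENERIC_WRITE" in p.get("dwDesiredAccess", "")),
    "file_write":      (("WriteFile",), "hFile", None),
    "run_key_set":     (("RegSetValueExA", "RegSetValueExW"), "lpData",
                        lambda p: "\\CurrentVersion\\Run" in p.get("key", "")),
    "process_create":  (("CreateProcessA", "CreateProcessW"), "lpApplicationName", None),
}

# Higher-order behavior = the AND relation over basic behaviors sharing one object.
HIGHER = {
    "drop_and_execute":    ("file_open_write", "file_write", "process_create"),
    "persist_via_run_key": ("file_write", "run_key_set"),
}

def basic_behaviors(trace):
    """Map calls (api, params, ret) to (behavior, object); handles become paths."""
    handles, found = {}, []
    for api, params, ret in trace:
        for name, (apis, key, cond) in BASIC.items():
            if api in apis and (cond is None or cond(params)):
                obj = params.get(key, "")
                if name == "file_open_write" and ret:
                    handles[ret] = obj          # parameter conversion: handle -> path
                found.append((name, handles.get(obj, obj).lower()))
    return found

def higher_behaviors(basics):
    """Report an object only when every required basic behavior was seen on it."""
    seen, objects, report = set(basics), {o for _, o in basics}, {}
    for name, needed in HIGHER.items():
        hits = sorted(o for o in objects if all((b, o) in seen for b in needed))
        if hits:
            report[name] = hits
    return report

# Constructed trace (not real capture output): a dropper writes a file, registers it
# under the Run key, launches it, and separately reads an unrelated file.
TRACE = [
    ("CreateFileW", {"lpFileName": r"C:\Users\u\svc.exe", "dwDesiredAccess": "GENERIC_WRITE"}, "0x1c"),
    ("WriteFile", {"hFile": "0x1c"}, ""),
    ("RegSetValueExW", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                        "lpValueName": "svc", "lpData": r"C:\Users\u\svc.exe"}, ""),
    ("CreateProcessW", {"lpApplicationName": r"C:\Users\u\svc.exe"}, ""),
    ("CreateFileW", {"lpFileName": r"C:\Users\u\readme.txt", "dwDesiredAccess": "GENERIC_READ"}, "0x20"),
]
REPORT = higher_behaviors(basic_behaviors(TRACE))   # the behavior analysis report
```

The read-only CreateFileW call produces no basic behavior because its key-parameter condition fails, so it never contributes to a higher-order behavior.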
Keywords/Search Tags: Malware, QEMU, API capture, Behavior Abstract