随着恶意程序的快速增多,常用的分析技术遇到了瓶颈。文中总结与分析了国内外现有主流的恶意程序检测方法,运用了底层的多种HOOK技术,在底层驱动中利用重定向技术从文件、注册表、网络、进程、线程、窗口消息等多个方面,设计与构造了改进的混合型沙盒和行为分析器。沙盒可保证程序在运行中不会破坏真实的系统,可提高分析效率,可连续分析,不需要还原环境。行为分析器通过记录程序的函数调用序列,使用风险等级来判断程序的风险程度,运用了独创的行为分析算法来计算程序的风险级别,通过自定义的规则自动判断程序的恶意程度,同时生成分析报告,达到自动化分析的目的。经过测试,说明该系统达到了预期功能,能有效地保护真实系统,同时也能准确获取到恶意程序的行为,其分析结果是有效的。%With the rapid increase of malicious programs,common analysis technology has encountered bottleneck. In this paper,summa-rize and analyze the domestic and foreign existing mainstream malware detection method,using the underlying multiple HOOK technolo-gy,utilizing the redirection technology in the underlying driver from a file,registry,network,process,thread,window message and so on, design and construct an improved sandbox analyzer and behavior. Sandbox ensures application won’ t destroy the real system in opera-tion,which can improve the efficiency of analysis,can be used to analyze continuously,do not need to restore the environment. Behavior analyzer by recording the program sequence of function calls,using risk level to judge the risk degree of the program,using the original behavior analysis algorithm to calculate the risk level of the program,through the custom rules automatically judge the malicious degree of the program,at the same time generate analysis report,to achieve the purpose of automatic analysis. After testing,the system runs stable and extensible,the analysis result is valid.
展开▼