
PORTABLE EXECUTIVE FILE PROCESSING METHOD AND APPARATUS, AND PORTABLE EXECUTIVE FILE DETECTING METHOD AND APPARATUS


Abstract

A PE file processing method and apparatus, and a PE file detecting method and apparatus, for improving the detection hit rate of malicious PE files. The PE file detecting method comprises: obtaining an unknown PE file (S201); disassembling the code of the unknown PE file to obtain a second instruction sequence, each instruction in the second instruction sequence comprising an operator and operands (S202); sequentially extracting the operator of each instruction in the second instruction sequence to generate a second operator sequence (S203); extracting at least one N-gram feature from the second operator sequence (S204); querying, for each N-gram feature of the at least one N-gram feature in the second operator sequence, the corresponding number of hits in an N-gram feature list (S205); generating a number-of-hits list of the unknown PE file, the number-of-hits list of the unknown PE file comprising each N-gram feature extracted from the unknown PE file and the corresponding queried number of hits (S206); obtaining the number-of-hits list of each target PE file in a plurality of target PE files (S207); clustering the unknown PE file and the plurality of target PE files according to the number-of-hits list of the unknown PE file and the number-of-hits list of each target PE file in the plurality of target PE files (S208); and, in the clustering result, if the unknown PE file alone forms one category, determining the unknown PE file to be a malicious PE file (S209).
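Detection steps S203 to S209 of the abstract, as an added Python example that is not part of the patent: it starts from operator sequences already extracted from disassembly (constructed sample mnemonics standing in for steps S201-S203), uses bigram features, and stands in cosine-similarity single-linkage clustering for the clustering method the abstract leaves unspecified; the similarity threshold and the sample files are assumptions.

```python
from collections import Counter
from math import sqrt

# Constructed sample input: operator (mnemonic) sequences as step S203 would
# yield per file. Real input would come from disassembling the PE code (S202).
TARGET_OPS = {
    "target_a": ["push", "mov", "sub", "mov", "call", "add", "pop", "ret"],
    "target_b": ["push", "mov", "sub", "call", "add", "mov", "pop", "ret"],
    "target_c": ["push", "mov", "sub", "mov", "call", "pop", "ret"],
}
# One unknown that resembles the targets and one that shares no bigram with them.
BENIGN_UNKNOWN = ["push", "mov", "sub", "mov", "call", "add", "pop", "ret"]
ODD_UNKNOWN = ["xor", "lodsb", "xor", "stosb", "loop", "jmp"]

def ngrams(ops, n=2):
    """S204: sliding-window N-gram features over an operator sequence."""
    return [tuple(ops[i:i + n]) for i in range(len(ops) - n + 1)]

def build_feature_list(op_seqs, n=2):
    """N-gram feature list: number of target files in which each N-gram occurs."""
    counts = Counter()
    for ops in op_seqs.values():
        counts.update(set(ngrams(ops, n)))
    return counts

def hit_list(ops, feature_list, n=2):
    """S205/S206: each extracted N-gram mapped to its queried hit count (0 if unseen)."""
    return {g: feature_list.get(g, 0) for g in set(ngrams(ops, n))}

def cosine(a, b):
    """Similarity of two hit lists treated as sparse vectors over N-grams."""
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in keys)
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def is_malicious(unknown_ops, targets=TARGET_OPS, n=2, threshold=0.5):
    """S207-S209: single-linkage clustering on hit lists; the unknown forms a
    category of its own (and is flagged) iff no target links to it above the
    assumed threshold."""
    feats = build_feature_list(targets, n)
    lists = {name: hit_list(ops, feats, n) for name, ops in targets.items()}
    unknown = hit_list(unknown_ops, feats, n)
    return all(cosine(unknown, lists[t]) < threshold for t in targets)

if __name__ == "__main__":
    print("odd unknown malicious:", is_malicious(ODD_UNKNOWN))        # True
    print("benign unknown malicious:", is_malicious(BENIGN_UNKNOWN))  # False
```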

Bibliographic data

  • Publication number: WO2020119771A1

    Patent type:

  • Publication date: 2020-06-18

    Original format: PDF

  • Applicant/assignee: HUAWEI TECHNOLOGIES CO. LTD.;

    Application number: WO2019CN124963

  • Inventor: SHEN TAO;

    Filing date: 2019-12-13

  • Classification: G06F21/56;

  • Country: WO

  • Date added to database: 2022-08-21 11:10:44
