Equational reasoning obfuscated decipher routine
SCIS 2007 The 2007 Symposium on
Cryptography and Information Security
Sasebo, Japan, Jan. 23-26, 2007
The Institute of Electronics,
Information and Communication Engineers
All rights are reserved and copyright of this manuscript belongs to the authors.
This manuscript has been published without reviewing and editing as received
from the authors: posting the manuscript to SCIS2007 does not prevent future
submissions to any journals or conferences with proceedings.
Equationalreasoning⑲䵑
obfuscateddecipherroutine║╩╡ℼ┿㠡㵐
あ䘣习ㅻ
¤
␢⑩
┽╕╈┦┧┢䙱䙉㈽⑈ぅ㥦㈽™䉑┿╳║ℼ┽╕╈┦┧┢㔻㵑䥔䀵┳ℼ╉㠡㵐㉳
䡲㔻㵑䅐䩽⑆㵅䵗⑊⑃⑆⑆⑫℣䭜佀䨸⑇䙱䙉㈽⑬䥼㥦╫ℼ╁╳㉲䁏™
Equational
reasoning
⑲䔬䵑™㍆㱯║╩╡ℼ┿⑲㠡㵐⑫②䩽䬡佀⑲㰨℣䑳う㱪䬡⑇™䙱䙉㈽⑬㱂㥔
┳ℼ╉⑲㕕┢┻╳╖╫™䁡䤽㠽㝁㰰䩑㐹⑫℣䩑㐹⑬䁡㜲䉐⑆™╬┾╪╥ℼ┷╧╳⑨⑪
㵌䉠⅊
de-obfuscation)
⑲㥔␦℣㰡™㠡㵐⑬╗╭┰╩╠㤽䈤⑲㠵䕹㉁䉥䙾⑲㥔™║╩╡ℼ┿⑲
㠡㵐⑫℣䕹㉁䉥䙾䅠㩮╇╢┸╥╬ℼ┷╧╳⑈║╩╢┸╥╬ℼ┷╧╳⌲⑄⑲䵑℣™
㉡䑸⑇䀸䀮⑬䁡㽴⑲㠵™㵌䉠⑤║╩╡ℼ┿㠡㵐䙱し䕙㭘䤸⑲㩮䀮⑫⑈㉄䜽⑇␢⑫℣䤾
㉁㱂㠳⑇㽴䉎
obfuscated decipher routine
⑲㭽⑄㠡䉎⑲™䑳う㱪䬡⑲䵑⑆㠡㵐℣
┭ℼ╯ℼ╉
䙱䙉㈽⑈ぅ㥦㈽™
obfuscated decipher routine
™
equational reasoning
™┢┻╳╖╩┳ℼ╉™
FoL
㵨䵽㝏
1
②
3
䑳う㱪䬡
┽╕╈┦┧┢ぅ㥦㈽⑈䙱䙉㈽™㴾䵨䉑┿╳║ℼ䀭
⑲㍎䩝⑫②㔻㵑⑈⑆䍭䱜⑬⑆™㙡䜯䥔
䀵┳ℼ╉㠡㵐⑲㉳䡲⑫䩽䬡⑈⑆䔬䵑⑬⑫⑈
䈿⑊⑪™㵅䵗䀭⑲䅽⑆⑆⑫℣┽╕╈┦┧┢䙱
䙉㈽㔻㵑™䡦㍓䔪㼷⑈␦䱌③␢⑪™䙱䙉㈽
┳ℼ╉㰫䘰䀸䀮㠦㕦™␢⑫䙃㱬⑊╎┦╏┦㵪
ぢ┢╳╀ℼ┰╩╳╉⑈㡀⑯⑬⑫┤╳┿ℼ╍╃╈┵┤╈
⑇㘦䴭⑬⑫⑈␢⑫™⑬⑩⑲䕽㥧䔪Ω㉊㍘䔪
䨬䁏™䤾㉁⑫②㠦㕦㥔⑯⑬⑫⑈㠽㭾䕀⑇
㔩⑇␢⑫℣䭜佀䨸⑇™䙱䙉㈽⑬䥼㥦╫ℼ╁╳
䉐⑆™ぬ㌬㵒㡬佀䵽䑪䵽㹚䱀㝏⑲䵑⑆™┳ℼ╉
㵌䉠⑈║╩╡ℼ┿⅊㠰™┢╉╬┹™┫┦╳┿䕹⅋㠡㵐
⑲㥔␦②䩽䬡佀⑲㰨℣
䑳う㱪䬡™
[1]
䙱䙉㈽⑬䥼㥦╫ℼ╁╳┳ℼ╉
㵌䉠™
[2]
㠰™㍆㱯┢╉╬┹™┫┦╳┿║╩╡ℼ┿
䙃䑪⑈␦⌲䍊㌬⑩⑊⑫℣
[1]
╬┾╪╥ℼ┷╧╳™
[2]
䕹㉁䉥䙾
(equality substitution)
⑈␦㱪䬡⑲䔬
䵑⑫℣
3.1
┳ℼ╉㵌䉠
⑇┳ℼ╉㵌䉠⑈™㔡䜽䔪䕹㉁⑇␢⑫䨣㬨
䕙⅊㹩䐹䕙⅋㥢╗╭┰╩╠⑲™⑨⑪㑊㝩⑊╗╭┰╩╠
䩑㐹⑫⑈⑲㭘℣
de-obfuscation
⑤
simplification
␢⑫䅠㩮⑇␢⑫℣㽞™䑳う㱪䬡⌱䍊㌬䱜⑲㰨
③⑇␢⑫℣乣™㽞ㄦ䍊␢⑫䅠㩮™
-(1-1) | -(1-3) | 1.
if (1-1) and (1-3) is true, then 1.
2
㑘伢㠦㕦
™䄫ぜ㡸䵽
(Transition axioms
⅋⑈㡆⑬™䙱䙉㈽
⑬┳ℼ╉⑲㑊䅇㈽⑫䵑⑫℣乣™
┳╳╔╥ℼ┿┦┣╫┹⅊╯ℼ╠™╈╭┤⑲㑞①⅋⑈
㠡㵐䵽佀䔪⑊䑪㕁⑈㕄佀
[1][2]
⑇㥔⑯⑬⑆⑫℣
Symantec Corporation
⌲⌰⌰⌱䜯
W32.Simile
⑄
⑆㉲䁢⑲㵐㨢⑩™
metamorphic, polymorphic
⑈⑃ぅ㥦㈽⑈䙱䙉㈽⑲㥔␦䥔䀵┳ℼ╉㠦㕦㍨䠯
㥔⑯⑬⑫⑨␦⑊⑃
[5][6][7]
℣
[8]
⑇╢╇╫㠡㨺
䔬䵑™
[9]
⑇
attack graph
⑲䵑㱪䬡㠡䘤⑬
⑫⑨␦⑊⑃⑆⑫℣
Reordering instructions
⑄⑆
䉐ㅾ
[10]
⑇㕄佀
⑬⑆⑫℣
¤
䙈丩㥔䀯䬡㽍㹰䩳䑌㼮㠦㕦㔡㤽㹰䩳䑌㼮┻┭╥╪╆┣㠦㕦┻╳┿ℼ
,
䕬㕾䕔㸮㙢て㭔㑓て䭌䐮
4-2-1, 4-2-1 Nukui-Kitamachi, Koganei,
Tokyo 184-8795 Japan, ruo@nict.go.jp
-(1-1) | -(1-3) | 1. :
if (1-1) and (1-3) is true, then 1.
-(mov dword_1 0h) | -(mov edx dword_1)
| mov edx 0h.
™
register substitution
⑈␦™㹩䐹⑊╬┸┹┿䉥䙾
⑨⑪䙱䙉㈽⑲㥔␦╆┯╋╃┯䉐ㅾ⑫③⑇␢⑫℣
1
⑃䁡⍏⍒⑲㱨⑃⑆䩝䈸⑬⑫②™䕹㉁䉥䙾⑨⑃
⑆㽤佀╗╭┻┹⑲㽊②⑆⑈㉄䜽⑇␢⑫℣
CLAUSE 1-1
CLAUSE 2-1
3.3 䁡䤽㠽䩑㐹
CLAUSE 1
-(1-1) | -(1-3) | 1
㽞™䙱䙉㈽⑬㱂㥔╕┡┤╫⑩™䑪䵽㹚䱀㝏
㵨䵽⑇⑫䁡㝁㰰䤽㠽
(clausal representation)
䩑㐹
™㠡㵐⑲㥔␦⑇╕╭ℼ╁╣ℼ╈⑇␢⑫℣㱂㥔╕┡
┤╫⑲
SOUCER
⑤
IDA Pro
⑊⑉┽╕╈┦┧┢⑇㕕
┢┻╳╖╫™お㈼⑨␦⑊㝁㰰䩑㐹⑫℣
CLAUSE 1-2
CLAUSE 2
-(2-1) | -(2-2) | 2
CLAUSE 2-2
CLAUSE 1-3
instruction(operand1(x), operand2(y), z, time(1)).
OBFUSCATED CODE
SIMPLIFIED CODE
⑇™
instruction
opcode
⅊䰿乡⅋™
operand1
™⌲
䰿乡ぺ㽴™
z
┢╉╬┹™
time(
⅋™㽤佀㉡䑸
⑨⑃⑆㵨䵽⑬⅊㱂㥔⑬⅋㉳㽴⑇␢⑫℣
㽞
1:
3.2 ║╩╡ℼ┿㠡㵐
4 䔬䵑㽤佀㔻䬡
䭜佀䨸⑇™║╩╡ℼ┿㠡㵐
equational reasoning
⑈␦㱪䬡⑲䔬䵑⑫℣ぬ㌬㵒㡬佀䵽䑪䵽㹚䱀㝏⑇™
䕹㉁䉥䙾
(equality substitution)
⑬㑞⑬⑫℣㙱
䉎䔪™
demodulation
⑈
paramodulation
⑈␦䅠㩮
⑨⑃⑆䕹㉁䉥䙾⑲㥔␦℣
4.1 㭙㭽㴸㥧䁯丬
㭙㭽㴸㥧䁯丬
[7]
™⌱⌹⌶⌵䜯
Wos
⑩⑨⑃⑆䑳
う⑬③⑇␢⑫℣㝗㬻䁯丬䀩㡂䁯丬⌱⑄⑇™
㰫䘰㽤佀╗╭┰╩╠䱜䤸⑈⑫㉲㙵㑖㑘㜸⑊⑈
⑭⑲䌵㩷™䉐㹝⑈⑆⑫䱤䉪㴸䍦⑫⑨␦
⑫℣䁡㴸㥧
S
™
T
␢⑪™
S-T
㴼䈭㉄䜽⑇␢⑫⑈
™
T
S
㭙㭽㴸㥧⑇␢⑫℣⑈™㭙㭽㴸㥧䈰
⑊䁡䘱㭎⑇䘳㵐⑲㥔⑯™㭙㭽㴸㥧䈰⑫䁡⑈
㑖⑇™䘳㵐⑲㥔␦䩽㽋⑲㭙㭽㴸㥧䁯丬⑈␦℣
fact: f(g(x),x).
fact: equal(g(a),b).
conclusion: f(b,a).
fact: equal(data_16e,514Bh).
fact: mov(reg(ah),const(data_16e),63,time(1)).
conclusion: mov(reg(ah),const(514Bh),63,time(1)).
4.2 䐶䘳㵐
䐶䘳㵐
[8]
⌱⌹⌶⌵䜯
Robinson
⑩⑨⑃⑆䑳㸧
⑬㱪䬡⑇™䑌㹯䘳㵐㝏㱪䬡⑇⌱䉐䁡⑩㵧
㰡䘳㵐⑲㥔␦䉐⑆™⌲㡄お㹥䁡䉐⑆䘳㵐⑲
㥔␦℣䐶䘳㵐さ䰣™㈿䍊㌬③⌲㥠䘳㵐␢⑫㩮
㙈⑲⌱⑄⑈②③⑇™䑌㹯⌲㥠䘳㵐䡦⑆™
䈿䘳㵐㔯⑫⑈␦㭶⑲㭘℣
㹥⌲⑄┳ℼ╉™╇╢┸╥╬ℼ┷╧╳⑈䔬䵑
乣⑲䤽③⑇␢⑫℣䅠㩮™╇╢┸╥╬ℼ┿
⅊
equal
䁡⅋⑲™
fact
䁡䔬䵑™䕹㉁䉥䙾⑲㥔™䉐㹝
⑈⑊⑫䁡㑊䅇㈽⑲㥔␦℣
fact: mov(reg(ah),const(2Ch),162,time(1)).
fact: mov(reg(bx),reg(ah),300,time(1)).
fact: decrypt(reg(dx),reg(bx),431,time(1)).
/* decrypter */
4.3 䩱䁝
䑪䵽㹚䱀⑲䵑㽤佀╗╭┻┹⑇™䱜䤸⑈⑫䁡⑲
䘳㵐⑫㉡䑸⑇™⑄䁡䩝㭽⑬™㼷䁡
䀸䀮⑬㭾䕀⑇™㉡㕮䩝㭽⑬䁡⑈㑖⑇™㉾②
⑆䑪䵽䔬䵑⑬⑫℣䩝㭽⑬⑆⑫䁡␦⑁™⑨
⑪ぬ䡌䔪⑊䁡⑲㭄㵨䵽⑲䩱䁝
[10]
⑈␦℣
-mov(reg(x),const(y),z,time(1)) | x=const(y,z).
conclusion: decryptor(reg(dx),key(const(2Ch,162)),431,time(1)).
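The two reasoning steps the paper illustrates with fact/conclusion pairs in sections 4.1 to 4.3 (equality substitution from an equal(L,R) fact into a clause, and the register chain that turns mov/decrypt facts into a decryptor(...) conclusion) can be reproduced with a small term rewriter. The block below is an added example, not code from the paper or from the theorem prover it uses; the Prolog-like term syntax, the Otter convention that names beginning with u..z are variables, the bracket reading decryptor(reg(dx),key(const(2Ch,162)),431,time(1)) and every helper name are my assumptions, while the facts are the ones printed in the paper.

```python
# Added example (not the paper's code): toy term rewriting that reproduces
# (1) equality substitution, i.e. paramodulation from equal(L,R) into a clause,
# and (2) the register-chain rule -mov(reg(x),const(y),z,time(1)) | x=const(y,z).
# Assumptions: Prolog-like terms, Otter-style variables (names starting u..z).
import re

VAR_PREFIX = tuple("uvwxyz")  # assumption: Otter convention for variables


def parse_term(s):
    """Parse 'f(g(x),x).' into a nested (name, [args]) tuple."""
    m = re.fullmatch(r"([A-Za-z0-9_]+)(?:\((.*)\))?", s.strip().rstrip("."), re.S)
    if not m:
        raise ValueError(f"bad term: {s!r}")
    name, inner, args = m.group(1), m.group(2), []
    if inner:
        depth, cur = 0, ""
        for ch in inner:  # split on top-level commas only
            if ch == "," and depth == 0:
                args.append(parse_term(cur))
                cur = ""
            else:
                depth += (ch == "(") - (ch == ")")
                cur += ch
        args.append(parse_term(cur))
    return (name, args)


def to_str(t):
    name, args = t
    return name if not args else f"{name}({','.join(map(to_str, args))})"


def is_var(t):
    return not t[1] and t[0][0] in VAR_PREFIX


def apply_subst(t, subst):
    """Instantiate t under subst, following variable-to-variable bindings."""
    while is_var(t) and t[0] in subst:
        t = subst[t[0]]
    return t if is_var(t) else (t[0], [apply_subst(a, subst) for a in t[1]])


def unify(a, b, subst):
    """Syntactic unification (no occurs check; fine for these ground facts)."""
    a, b = apply_subst(a, subst), apply_subst(b, subst)
    if a == b:
        return subst
    if is_var(a):
        return {**subst, a[0]: b}
    if is_var(b):
        return {**subst, b[0]: a}
    if a[0] != b[0] or len(a[1]) != len(b[1]):
        return None
    for x, y in zip(a[1], b[1]):
        subst = unify(x, y, subst)
        if subst is None:
            return None
    return subst


def subterms(t, path=()):
    yield path, t
    for i, a in enumerate(t[1]):
        yield from subterms(a, path + (i,))


def replace_at(t, path, new):
    if not path:
        return new
    name, args, i = t[0], t[1], path[0]
    return (name, args[:i] + [replace_at(args[i], path[1:], new)] + args[i + 1:])


def paramodulate(clause, equality):
    """Equality substitution: each non-variable subterm of `clause` that unifies
    with L in equal(L,R) is replaced by R and the unifier applied to the whole."""
    lhs, rhs = parse_term(equality)[1]
    clause, out = parse_term(clause), []
    for path, sub in subterms(clause):
        if is_var(sub):
            continue
        s = unify(sub, lhs, {})
        if s is not None:
            out.append(to_str(apply_subst(replace_at(clause, path, rhs), s)))
    return out


def derive_decryptor(facts):
    """Register chain: bind reg := const(value, address) on immediate moves,
    copy bindings on reg-to-reg moves, label bound decrypt keys as decryptor."""
    env, out = {}, []
    for name, args in map(parse_term, facts):
        if name == "mov" and args[0][0] == "reg":
            dst, src, addr = args[0][1][0][0], args[1], args[2]
            if src[0] == "const":
                env[dst] = ("const", [src[1][0], addr])
            elif src[0] == "reg" and src[1][0][0] in env:
                env[dst] = env[src[1][0][0]]
        elif name == "decrypt" and args[1][0] == "reg":
            key = env.get(args[1][1][0][0])
            if key is not None:
                out.append(to_str(("decryptor", [args[0], ("key", [key]), args[2], args[3]])))
    return out
```

Calling paramodulate("f(g(x),x).", "equal(g(a),b).") yields f(b,a), paramodulate on the mov fact with equal(data_16e,514Bh) yields the paper's simplified mov fact, and derive_decryptor over the three facts of section 4.2 yields the decryptor conclusion; a real prover would apply the same rule at every matching position of every clause, which is where the clause counts in Table 1 come from.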
4.4 ╇╢┸╥╬ℼ┷╧╳
╇╢┸╥╬ℼ┷╧╳
[9]
⑈™␢⑩②䕹㉁䉥䙾⑲
㥔␦②䁡⑲䑪䵽㹚䱀㝏㉃⑆™㵨䵽䁡㜲㑊丬㈽
␢⑫䀵㵠㈽⑲㥔␦㵨䵽⑇␢⑫℣╇╢┸╥╬ℼ┷╧╳
™⑬㰫䉎⑇㹩䐹⑊䰿乡™␢⑫™
MOV
䰿乡⑨
⑫╡╢╪™╬┸┹┿™䩑㽴㑖䔾䅷⑨⑫╗╭┰╩╠
㹵䉖䄫ぜ⑲㑊丬㈽⑫䴭㡺⑇␢⑫℣
㹥⌲⑄┳ℼ╉™║╩╢┸╥╬ℼ┷╧╳⑈䔬
䵑乣⑲㰨③⑇␢⑫℣╇╢┸╥╬ℼ┷╧╳⑈䡦㍓
⑆⑨⑪䈿䵍⑊䁡㝁㰰䵸䵑⑫⑈⑇⑫℣╇╢┸╥
╬ℼ┷╧╳
effectiveness
⑲㱧㑣⑲⑆⑫䉐™
䅠㩮⑇㌵⑆™㐰䄴䀭⅊
completeness)
䩝⑬⑫
⑈⑬⑫℣╇╢┸╥╬ℼ┷╧╳ぬ㉳䕹㉁䉥䙾⑲㥔⑃
⑆䑤㭟⑫䉐™║╩╢┸╥╬ℼ┷╧╳㭈⑯⑬⑊
2
Figure 2 (diagram labels only; the image is not reproduced here): virus binary executable -> disassembler -> virus assembly code -> translator (parser) -> clausal representation of virus -> theorem prover -> infected? yes / no
㽞
2:
㱂㥔╕┡┤╫⑩䁡㝁㰰䩑㐹⑈㠡㵐
4.5 ║╩╢┸╥╬ℼ┷╧╳⅊䕹㥦䐴䀰䉥䙾⅋
test counter, counter
jmp loop_start
║╩╢┸╥╬ℼ┷╧╳⅊䕹㥦䐴䀰䉥䙾⅋™╇╢┸╥
╬ℼ┷╧╳⑈䘱䕹㉁䉥䙾䅠㩮⑇␢⑫℣╇╢┸╥╬ℼ
┷╧╳
efficiency
⑲㵅㭫⑆䁟㝗⑬⑆⑫䉐™
║╩╢┸╥╬ℼ┷╧╳㌵⑆㽤佀㉡䑸⑇㐰䄴䀭䩝㭽
⑬⑫℣║╩╢┸╥╬ℼ┷╧╳╇╢┸╥╬ℼ┷╧╳
ぬ䡌㝁⑇␢⑫℣╇╢┸╥╬ℼ┷╧╳ぬ㉳䕹㉁䉥䙾㐰
主⑫⑈䑤㭟⑫™║╩╢┸╥╬ℼ┷╧╳⑇㑘伢
⑫䁡⍏⍒⑲㱨⑃⑆䩝㭽⑬⑫℣②™䕹㉁䉥䙾
⑇㹵䉖䄫ぜ⑲㔯⑆™㽤佀╗╭┻┹⑲㽊②⑫⑈
㉄䜽⑇␢⑫℣
㹥┳ℼ╉
(typeI)
™③⑃⑈③╙ℼ┷╃┯⑊┿┤╗
⑇™䀸䀮⑬⑫┳ℼ╉䠾䨬䑸㍤㥧⑲䁪②⑫③⑇␢
⑫℣⍍⍏⍖䰿乡⑇ぅ㥦㈽⑬╚┤╭ℼ╉⑲䔾䅷™䥼
㥦␢⑈㍊䜼㠵┢╉╬┹䱡™㍆㱯║╩╡ℼ┿
⑲㤹㼷⑫℣
loop_start:
decrypt [address], key
inc address
dec counter
test counter, counter
jmp loop_start
5 䤾㉁㱂㠳
5.1
┵╳╗╫┳ℼ╉
㨣㉳™䑳う┷┹╆╠䤾㉁㱂㠳䵑┳ℼ╉䀸䀮™
SMEG (simulated metamorphic encryption generator) [4]
⑲䵑℣
SMEG
™䴭䰾⑊╡┿╢ℼ╕┣╃┯┳ℼ╉䀸
䀮㑯⌱⑄⑇␢⑪™
SMEG.Pathogen
⑤
SMEG.Queeg
⑊⑉┦┣╫┹䘱╗╭┰╩╠⑲┨╳┸╳⑈⑆䅈㥾
⑳⑇⑫℣䤾㉁㱂㠳⑇™
SMEG
⌵䉎䙱䙉㈽⑬
⅊
obfuscated)
┦┣╫┹┳ℼ╉⑲䀸䀮™䑪䵽㹚䱀㑯
⑨⑃⑆䥼㥦╫ℼ╁╳⑲㠡㵐⑫㩝䀸䀮⑬䁡㽴⑊⑉
⑲䡦㍓℣
SMEG
⑨⑃⑆䀸䀮⑬⑫┦┣╫┹㜲お
㈼⌳㱯┿┤╗┳ℼ╉䨬习⑬⑫℣
㹥┳ℼ╉
(typeII)
™╇ℼ┿䔾䅷⑈䥼㥦㑖䁜┢╉
╬╃┷╳┰⑲䵑⑫③⑇™⍍⍏⍖⑊⑉䔾䅷䰿乡⑲㭈
⑯™䐾䁜┢╉╬┹⑲㭘䑪™㍊䜼⑬⑆⑫╚┤╭ℼ
╉⑲䥼㥦⑫℣
loop_start:
xchg data, [address]
decrypt data, key
xchg [address], data
inc address
dec counter
test counter, counter
jmp loop_start
loop_start:
mov data, [address]
decrypt data, key
mov [address], data
inc address
dec counter
㹥┳ℼ╉™
typeI
⑇⍍⍏⍖䰿乡䉥⑯⑪⍘⍃
⍈⍇
(exchange)
䰿乡⑲䵑③⑇␢⑫℣
3
5.2 㠡㵐║╩╡ℼ┿
┷╧╳⌲⑄⑲䵑℣™㉡䑸⑇䀸䀮⑬䁡
㽴⑲㠵™㵌䉠⑤║╩╡ℼ┿㠡㵐䙱し䕙㭘䤸⑲㩮䀮
⑫⑈㉄䜽⑇␢⑫℣䤾㉁㱂㠳⑇㽴䉎
obfuscated
decipher routine
⑲㭽⑄㠡䉎⑲™䑳う㱪䬡⑲䵑⑆㠡㵐
™䑪乌䔪⑊䤾㉁⑲㥔␦⑈⑲㉄䜽℣㨣㡥㉝䉪
⑈⑆™⑨⑪䀺敌⑄㥢䈮⑊║╩╡ℼ┿㠡㵐䬡⑤™═
┤╊╪┳ℼ╉㉲䁏⑊⑉㕳⑩⑬⑫℣
㠡㵐║╩╡ℼ┿™╚┤╭ℼ╉┢╉╬┹™㠰™䥼㥦
╫ℼ╁╳┹┿ℼ╈┢╉╬┹™⑆┫┦╳┿⌴⑄⑇
␢⑫℣
define A address_of_payload
define B key
define C address_loop_start
define D counter
㬲㥍䨸㠥
[1] Computer viruses: from theory to applications. IRIS International series, Springer Verlag, ISBN 2-287-23939-1, June 2005. English edition of the book on computer viruses.
address_loop_start
payload_transfer(A)
decryptor(B)
payload_transfer(A)
branch(D)
goto_start(C)
[2] Diomidis Spinellis: Reliable identification of bounded-length viruses is NP-complete. IEEE Transactions on Information Theory, January 2000: 280-284.
㹥™䥼㥦╫ℼ╁╳㤽䈤ぬ乣⑲㑊丬③⑇␢
⑫℣╫ℼ╗䙾⑫䄰™
define
⑤⍍⍏⍖䰿乡⑲㭈⑃⑆║
╩╡ℼ┿⑲㔬䑪⑫℣
[3] Peter Szor and Peter Ferrie: Hunting for Metamorphic. Virus Bulletin Conference, September 2001: 123-144.
5.3 㱂㠳㝫㉌
䄰䁡⑇⑇㵒™䥼㥦╫ℼ╁╳║╩╡ℼ┿㠡㵐
㩝䀸䀮⑬䁡㽴⑲䤽㰨℣䤽™⑬⑬䀸䀮
⑬┳ℼ╉™┳ℼ╉┿┤╗⅊⌱⑩⌳™䄰䁡㬲㹈⅋™
⑆䀸䀮⑬䁡㽴⑲㰨⑆⑫℣䙱䙉㈽⑬┳ℼ
╉┿┤╗⑤㠡㵐⑫║╩╡ℼ┿⑨⑃⑆䀸䀮⑬䁡
㽴䴽䅛お㹥㹥㈼⑫⑈䨬⑃℣™㱂㩝
㉲䁏⑲㥔⑃㝐㠳⑩™䘱㱂㠳䙢㡂⑪™䙱䙉㈽䑸
䕙⑲䔬䁚㰨⑆⑫⑈䅛䑪⑬⑫℣
[4] Stephen Pearce, "Viral Polymorphism", paper submitted for GSEC version 1.4b, 2003.
[5] Michalis Polychronakis, Kostas G. Anagnostakis and Evangelos P. Markatos, "Network-level polymorphic shellcode detection using emulation", DIMVA 2006.
[6] Mihai Christodorescu, Somesh Jha, Sanjit A. Seshia, Dawn Song, Randal E. Bryant, "Semantics-Aware Malware Detection", IEEE Security and Privacy 2005.
5.4 ⑈②⑈㨣㡥㉝䉪
┽╕╈┦┧┢ぅ㥦㈽⑈䙱䙉㈽™㴾䵨䉑┿╳║ℼ䀭
⑲㍎䩝⑫②㔻㵑⑈⑆䍭䱜⑬⑆™㙡䜯䥔
䀵┳ℼ╉㠡㵐⑲㉳䡲⑫䩽䬡⑈⑆䔬䵑⑬⑫⑈
䈿⑊⑪™㵅䵗䀭⑲䅽⑆⑆⑫℣┽╕╈┦┧┢䙱䙉㈽
㔻㵑™䡦㍓䔪㼷⑈␦䱌③␢⑪™䙱䙉㈽┳ℼ
╉㰫䘰䀸䀮㠦㕦™␢⑫䙃㱬⑊╎┦╏┦㵪ぢ┢
╳╀ℼ┰╩╳╉⑈㡀⑯⑬⑫┤╳┿ℼ╍╃╈┵┤╈⑇㘦
䴭⑬⑫⑈␢⑫™⑬⑩⑲䕽㥧䔪Ω㉊㍘䔪䨬䁏
™䤾㉁⑫②㠦㕦㥔⑯⑬⑫⑈㠽㭾䕀⑇㔩
⑇␢⑫℣䭜佀䨸⑇™䙱䙉㈽⑬䥼㥦╫ℼ╁╳䉐
⑆™ぬ㌬㵒㡬佀䵽䑪䵽㹚䱀㝏⑲䵑⑆™┳ℼ╉㵌䉠
⑈║╩╡ℼ┿⅊㠰™┢╉╬┹™┫┦╳┿䕹⅋㠡㵐⑲㥔
␦②䩽䬡佀⑲㰨℣䑳う㱪䬡⑇™䙱䙉㈽⑬
㱂㥔┳ℼ╉⑲㕕┢┻╳╖╫™䁡䤽㠽㝁㰰䩑㐹⑫℣
䩑㐹⑬䁡㜲䉐⑆™╬┾╪╥ℼ┷╧╳⑨⑪㵌䉠
⅊
de-obfucsation)
⑲㥔␦℣㰡™㠡㵐⑬╗╭┰╩╠
㤽䈤⑲㠵䕹㉁䉥䙾⑲㥔™║╩╡ℼ┿⑲㠡㵐⑫℣䕹
㉁䉥䙾䅠㩮╇╢┸╥╬ℼ┷╧╳⑈║╩╢┸╥╬ℼ
[7] Mihai Christodorescu and Somesh Jha, "Static Analysis of Executables to Detect Malicious Patterns", 12th USENIX Security Symposium, August 2003.
[8] Hao Chen, Drew Dean, and David Wagner, "Model checking one million lines of C code", Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS), pages 171-185, San Diego, CA, February 2004.
[9] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, "Automated Generation and Analysis of Attack Graphs", IEEE Symposium on Security and Privacy, April 2002.
4
generated code #1 (Type I)
                        Branch   Decrypt   Loop   Transfer
clauses generated         3378     30480   4292      30471
para_from generated       1358     15935   1799      15935
para_into generated       1463     13366   1826      13362

generated code #2 (Type II)
                        Branch   Decrypt   Loop   Transfer
clauses generated         1158      1466   1258        719
para_from generated        423       435    435        322
para_into generated        390       495    431        158

generated code #3 (Type III)
                        Branch   Decrypt   Loop   Transfer
clauses generated         2751     10184   3072        909
para_from generated       1186      5330   1436        335
para_into generated        803      3932   1008        185

generated code #4 (Type I)
                        Branch   Decrypt   Loop   Transfer
clauses generated          808      2890    923        703
para_from generated        255      1125    268        255
para_into generated        271      1170    337        212

generated code #5 (Type I)
                        Branch   Decrypt   Loop   Transfer
clauses generated         6327     11990   9903       3235
para_from generated       2669      3532   2748       1049
para_into generated       2227      3474   2686        892
䤽
1:
䕹㉁䉥䙾
(equational reasoning)
⑨⑫║╩╡ℼ┿㠡㵐㭾䀸䀮⑬䁡㽴
5