Journal of Sichuan University (Natural Science Edition), 2024, Vol. 61, Issue 5: 60-68, 9. DOI: 10.19907/j.0490-6756.2024.052004
Pimflo: A process-interpretable approach for malicious function localization
Abstract
The localization of key modules in malicious software is a crucial step in reverse engineering. However, most research focuses on determining whether a program is malicious, with little attention paid to the location of critical malicious modules. Furthermore, there are challenges related to the high difficulty of automated localization and the complexity of explaining the location process. Therefore, this paper proposes a process-explanation-based method for locating malicious functions, termed Pimflo, which identifies and locates malicious activities by analyzing specific memory information. The method involves the use of a dynamic sandbox for conducting forensic analysis on the memory of the target binary, detecting suspicious behavior through signature technology, and tracking its related process calls and stack information. By disassembling the target program to generate a Control Flow Graph (CFG), Pimflo reconstructs the call chain of the suspicious behavior, enabling the precise tracing and identification of the malicious source function. The paper evaluates the performance of Pimflo on 100 samples from VIRUSSHARE, demonstrating that Pimflo achieves a localization accuracy of 90.28% for malicious functions. Its interpretability and logic surpass those of existing non-scalar frameworks based on statistics, providing a more reliable solution to the localization of malicious software.

Keywords: Binary analysis; Malicious function localization; Memory forensics; Stack tracing; Process interpretability
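The abstract describes the core step only in outline: a signature fires inside the sandbox, the stack at that moment is captured, and the frames are matched against the call graph recovered from the disassembled CFG to rebuild the call chain down to the function that issued the suspicious call. The following is an added illustration of that reconstruction step written for this page; it is not Pimflo's code and the paper does not publish its implementation. The function address table, the call graph, the image range and the two stack snapshots are all constructed toy data, and treating the innermost in-image function as the "source function" is an assumption about the paper's terminology. The example also flags the failure mode a practitioner hits in practice: a stack whose adjacent frames are not connected by any call-graph edge (corrupted, optimized-out or spoofed frames), which must be reported rather than silently trusted.

```python
"""Rebuild a call chain from a captured stack plus a CFG-derived call graph.

All data below is constructed for illustration (not from the paper):
 - FUNCTIONS: address ranges a disassembler would report for each function
 - CALL_GRAPH: caller -> callees edges recovered from the CFG
 - IMAGE_RANGE: the loaded binary image; addresses outside it are OS/library code
"""

# Constructed: function name -> (start, end) address range in the image
FUNCTIONS = {
    "main":         (0x401000, 0x401100),
    "init":         (0x401100, 0x401200),
    "run_task":     (0x401200, 0x401300),
    "drop_file":    (0x401300, 0x401400),
    "helper_write": (0x401400, 0x401500),
}

# Constructed: call-graph edges extracted from the CFG (caller -> set of callees)
CALL_GRAPH = {
    "main": {"init", "run_task"},
    "init": set(),
    "run_task": {"drop_file"},
    "drop_file": {"helper_write"},
    "helper_write": set(),  # its only callees are OS APIs outside the image
}

# Constructed: address range of the analysed binary image
IMAGE_RANGE = (0x400000, 0x500000)


def resolve(addr):
    """Map a return address to the image function containing it.

    Returns None for addresses outside the image (library/OS frames), which
    the chain reconstruction skips because the CFG says nothing about them.
    """
    if not (IMAGE_RANGE[0] <= addr < IMAGE_RANGE[1]):
        return None
    for name, (start, end) in FUNCTIONS.items():
        if start <= addr < end:
            return name
    return None


def reconstruct_chain(stack, call_graph=CALL_GRAPH):
    """Turn a stack snapshot into an outermost-first chain of image functions.

    `stack` holds return addresses innermost-first, as captured when the
    behaviour signature fired. Returns (chain, consistent): `consistent` is
    False when two adjacent frames are not joined by a call-graph edge, which
    means the snapshot cannot be trusted as-is (damaged or faked frames).
    """
    frames = [f for f in (resolve(a) for a in stack) if f is not None]

    # Collapse consecutive duplicates: recursion or several return sites
    # inside one function should not produce repeated chain nodes.
    chain = []
    for f in frames:
        if not chain or chain[-1] != f:
            chain.append(f)
    chain.reverse()  # outermost caller first, innermost callee last

    consistent = all(
        callee in call_graph.get(caller, set())
        for caller, callee in zip(chain, chain[1:])
    )
    return chain, consistent


def locate_source(stack, call_graph=CALL_GRAPH):
    """Return (source_function, chain, consistent) for a captured stack.

    The source function is taken to be the innermost in-image frame, i.e. the
    program function that directly invoked the flagged API (assumption about
    the paper's terminology, see lead-in).
    """
    chain, consistent = reconstruct_chain(stack, call_graph)
    source = chain[-1] if chain else None
    return source, chain, consistent


if __name__ == "__main__":
    # Constructed snapshot: two library frames, then the program's own frames
    snapshot = [0x7FF00010, 0x7FF00050, 0x401450, 0x401380, 0x401260, 0x401080]
    src, chain, ok = locate_source(snapshot)
    print("source:", src, "chain:", " -> ".join(chain), "consistent:", ok)

    # Constructed damaged snapshot: init never calls helper_write in the CFG
    src, chain, ok = locate_source([0x401450, 0x401150, 0x401080])
    print("source:", src, "chain:", " -> ".join(chain), "consistent:", ok)
```

The first snapshot yields the chain main -> run_task -> drop_file -> helper_write with the source function helper_write; the second is reported as inconsistent because the CFG has no init -> helper_write edge, so an analyst knows the frames need manual inspection instead of being taken as the explanation of the behaviour.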
Classification: Information Technology and Security Science
Citation: 范晓宇, 王俊峰. Pimflo: A process-interpretable approach for malicious function localization [J]. Journal of Sichuan University (Natural Science Edition), 2024, 61(5): 60-68, 9.

Funding
National Key R&D Program of China (2019QY1400)
National Natural Science Foundation of China (U2133208)
Key R&D Project of the Sichuan Provincial Department of Science and Technology (2023YFG0290)
Sichuan University - Luzhou Municipal People's Government Strategic Cooperation Project (2022CDLZ-5)