Authors: ZHANG Shenqianqian, DONG Weiyu[1], LIN Jian[1] (Information Engineering University, Zhengzhou 450001, China)
Affiliation: [1] Information Engineering University, Zhengzhou, Henan 450001
Source: Journal of Information Engineering University, 2025, No. 1, pp. 83-89 (7 pages)
Funding: Natural Science Foundation of Henan Province (2472300420698).
Abstract: To address the shortcomings of existing approaches, namely inaccurate virtual instruction recognition, the inability of static analysis to resolve branch jumps, and poor portability across major versions, a symbolic execution-based virtual instruction extraction method is proposed. The method generates an instruction trace through dynamic binary instrumentation and analyzes the trace offline. Handler sets are partitioned according to the virtual machine structure and its jump rules, and each handler is analyzed semantically with symbolic execution to derive state expressions. Virtual instructions are finally extracted from these expressions using heuristic rules. The method is validated on five test programs across two VMProtect versions; compared with the VMP analysis plugin and NoVmpy, the virtual instruction recognition rate improves by 26.72 percentage points and accuracy by 41.09 percentage points, and branch jump handling is improved. The experimental results show that the method effectively improves the accuracy, completeness, and robustness of virtual instruction extraction.
Keywords: code virtualization; deobfuscation; virtual instruction; software security; reverse analysis
Classification number: TP309.7 [Automation and Computer Technology: Computer System Architecture]