CN112698837A - Method and device for matching dynamic behaviors with binary codes based on software genes - Google Patents
Method and device for matching dynamic behaviors with binary codes based on software genes Download PDFInfo
- Publication number
- CN112698837A CN112698837A CN202011643929.8A CN202011643929A CN112698837A CN 112698837 A CN112698837 A CN 112698837A CN 202011643929 A CN202011643929 A CN 202011643929A CN 112698837 A CN112698837 A CN 112698837A
- Authority
- CN
- China
- Prior art keywords
- matched
- software
- software gene
- dynamic behavior
- gene
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/53—Decompilation; Disassembly
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Apparatus Associated With Microorganisms And Enzymes (AREA)
Abstract
The invention provides a method and a device for matching dynamic behaviors and binary codes based on software genes, which relate to the technical field of data processing and comprise the following steps: acquiring a software gene of a sample to be matched and a dynamic behavior of the sample to be matched; determining a preset software gene in a database, wherein the preset software gene is a software gene corresponding to the dynamic behavior; comparing the software gene with a preset software gene to determine a target software gene, wherein the target software gene is the software gene with the highest similarity between the software gene and the preset software gene; the target software gene is converted into the assembly code, the assembly code corresponding to the dynamic behavior to be matched is obtained, and the technical problem that the matching efficiency of the dynamic behavior and the binary code is low in the prior art is solved.
Description
Technical Field
The invention relates to the technical field of data processing, in particular to a method and a device for matching dynamic behaviors and binary codes based on software genes.
Background
In the prior art, matching of dynamic behaviors and binary codes is manually implemented.
However, in the current matching method for the dynamic characteristic behaviors and the binary codes, a worker needs to have strong reverse analysis capability and skilled reverse tool use capability, and a function and an operand after disassembly need to have strong analysis capability, so that the technical problem that the matching efficiency of the dynamic behaviors and the binary codes is low in the prior art is caused.
No effective solution has been proposed to the above problems.
Disclosure of Invention
In view of the above, the present invention provides a method and an apparatus for matching a dynamic behavior with a binary code based on a software gene, so as to alleviate the technical problem of low matching efficiency between the dynamic behavior and the binary code in the prior art.
In a first aspect, an embodiment of the present invention provides a method for matching a dynamic behavior based on a software gene with a binary code, including: the method comprises the steps of obtaining a software gene of a sample to be matched and a dynamic behavior of the sample to be matched from a data storage system; determining a preset software gene in a database, wherein the preset software gene is a software gene corresponding to the dynamic behavior; comparing the software gene with the preset software gene to determine a target software gene, wherein the target software gene is the software gene with the highest similarity between the software gene and the preset software gene; and a disassembling step, namely converting the target software gene into an assembly code to obtain the assembly code corresponding to the dynamic behavior to be matched.
Further, before acquiring the software genes of the sample to be matched and the dynamic behavior of the sample to be matched from the data storage system, the method further comprises: and acquiring a dynamic behavior list of the sample to be matched, and storing the dynamic behavior list to a data storage system, wherein the dynamic behavior list comprises a plurality of dynamic behaviors to be matched.
Further, the method further comprises: and repeatedly executing the obtaining step, the determining step, the comparing step and the disassembling step until each dynamic behavior to be matched in the dynamic behavior list is traversed to obtain an assembly code corresponding to the dynamic behaviors to be matched.
Further, the method further comprises: and constructing a matching list based on the plurality of dynamic behaviors to be matched and assembly codes corresponding to the plurality of dynamic behaviors to be matched.
Further, the step of comparing the software gene with the preset software gene to determine a target software gene segment comprises: comparing the software gene with the preset software gene to determine the software gene to which the target software gene fragment belongs; and cutting the software gene to which the target software gene fragment belongs to obtain the target software gene fragment.
In a second aspect, an embodiment of the present invention further provides an apparatus for matching a dynamic behavior based on a software gene with a binary code, including: the device comprises a first acquisition unit, a determination unit, a comparison unit and a disassembly unit, wherein the acquisition unit is used for acquiring software genes of a sample to be matched and dynamic behaviors of the sample to be matched from a data storage system; the determining unit is used for determining a preset software gene in a database, wherein the preset software gene is a software gene corresponding to the dynamic behavior; the comparison unit is used for comparing the software genes with the preset software genes to determine target software genes, wherein the target software genes are the software genes with the highest similarity to the preset software genes; and the disassembling unit is used for converting the target software gene into an assembly code to obtain the assembly code corresponding to the dynamic behavior to be matched.
Further, the apparatus further comprises: the second obtaining unit is used for obtaining a dynamic behavior list of the sample to be matched before obtaining the software gene of the sample to be matched and the dynamic behavior of the sample to be matched from the data storage system, and storing the dynamic behavior list to the data storage system, wherein the dynamic behavior list comprises a plurality of dynamic behaviors to be matched.
Further, the apparatus further comprises: and the execution unit is used for controlling the acquisition unit, the determination unit, the comparison unit and the disassembly unit to repeatedly work until the dynamic behaviors to be matched in the dynamic behavior list are traversed to obtain assembly codes corresponding to the dynamic behaviors to be matched.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory and a processor, where the memory is used to store a program that supports the processor to execute the method in the first aspect, and the processor is configured to execute the program stored in the memory.
In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the steps of the method in the first aspect.
In the embodiment of the invention, the software genes of the sample to be matched and the dynamic behavior of the sample to be matched are obtained; determining a preset software gene in a database, wherein the preset software gene is a software gene corresponding to the dynamic behavior; comparing the software gene with a preset software gene to determine a target software gene, wherein the target software gene is the software gene with the highest similarity between the software gene and the preset software gene; the target software gene is converted into the assembly code, the assembly code corresponding to the dynamic behavior to be matched is obtained, the purpose of matching the dynamic behavior with the binary code is achieved, the technical problem that the matching efficiency of the dynamic behavior and the binary code is low in the prior art is solved, and therefore the technical effect of improving the matching efficiency of the dynamic behavior and the binary code is achieved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flowchart of a method for matching dynamic behaviors with binary codes based on software genes according to an embodiment of the present invention;
FIG. 2 is a flowchart of another method for matching dynamic behavior of software genes to binary codes according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an apparatus for matching dynamic behavior of software-based genes with binary codes according to an embodiment of the present invention;
fig. 4 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The first embodiment is as follows:
in accordance with an embodiment of the present invention, there is provided an embodiment of a method for matching dynamic behavior to binary code based on software genes, it is noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than that illustrated herein.
Fig. 1 is a flowchart of a method for matching dynamic behavior of software genes with binary codes according to an embodiment of the present invention, as shown in fig. 1, the method includes the following steps:
step S102, an obtaining step, namely obtaining a software gene of a sample to be matched and a dynamic behavior of the sample to be matched from a data storage system;
it should be noted that the dynamic behavior is a behavior state expressed in the computer during the real-machine operation of the sample, such as: creating processes, creating files, communicating to the outside, modifying registries, anti-sandboxing, etc., dynamic behavior may be obtained through a sandbox detection system.
Step S104, determining a preset software gene in a database, wherein the preset software gene is a software gene corresponding to the dynamic behavior;
it should be noted that the preset software genes in the database correspond to various dynamic behaviors, and serve as a basis for comparison with the software genes of the sample to be matched.
The source of the predetermined software gene comprises two parts: firstly, manually analyzed samples find out software gene code data corresponding to dynamic behaviors in various samples and record the data to a database. Secondly, a sample which is artificially specially constructed or searched and only has a single dynamic behavior is extracted through an automatic software gene, and software gene code data corresponding to the dynamic behavior is recorded to a database.
Step S106, a comparison step, namely comparing the software genes with the preset software genes to determine target software gene segments, wherein the target software gene segments are the software gene segments with the highest similarity to the preset software genes in the software genes;
and S108, a disassembling step, namely converting the target software gene fragment into an assembly code to obtain the assembly code corresponding to the dynamic behavior to be matched.
It should be noted that the dynamic behavior of the sample in the execution process may be embodied on a certain code segment of the sample, for example, the sample may call a function "CreateFile ()" in the process of creating a file, and we consider that the disassembling code segment corresponding to CreateFile () can correspond to the dynamic behavior of creating the file.
In the embodiment of the invention, the software genes of the sample to be matched and the dynamic behavior of the sample to be matched are obtained; determining a preset software gene in a database, wherein the preset software gene is a software gene corresponding to the dynamic behavior; comparing the software gene with a preset software gene to determine a target software gene, wherein the target software gene is the software gene with the highest similarity between the software gene and the preset software gene; the target software gene is converted into the assembly code, the assembly code corresponding to the dynamic behavior to be matched is obtained, the purpose of matching the dynamic behavior with the binary code is achieved, the technical problem that the matching efficiency of the dynamic behavior and the binary code is low in the prior art is solved, and therefore the technical effect of improving the matching efficiency of the dynamic behavior and the binary code is achieved.
In the embodiment of the present invention, as shown in fig. 2, before performing step S102, the method further includes:
step S101, obtaining a dynamic behavior list of the sample to be matched, and storing the dynamic behavior list to a data storage system, wherein the dynamic behavior list comprises a plurality of dynamic behaviors to be matched.
In the embodiment of the present invention, it should be noted that the dynamic behaviors of the sample to be matched are generally multiple, and therefore, when there are multiple dynamic behaviors of the sample to be matched, before step S102 is executed, a dynamic behavior list including the multiple dynamic behaviors of the sample to be matched needs to be obtained, and then the dynamic behavior list is stored.
In the embodiment of the present invention, as shown in fig. 2, the method further includes:
step S110, repeatedly executing the obtaining step, the determining step, the comparing step, and the disassembling step until the dynamic behaviors to be matched in the dynamic behavior list are traversed to obtain an assembly code corresponding to the dynamic behaviors to be matched.
In the embodiment of the invention, when a plurality of dynamic behaviors of the sample to be matched are matched, each dynamic behavior to be matched can be sequentially matched according to the arrangement sequence of the plurality of dynamic behaviors to be matched in the dynamic behavior list. By executing steps S102 to S108 for each dynamic behavior to be matched and software gene, the purpose of matching a plurality of dynamic behaviors with binary codes can be achieved.
In an embodiment of the present invention, the method further comprises:
step S112, constructing a matching list based on the plurality of dynamic behaviors to be matched and the assembly codes corresponding to the plurality of dynamic behaviors to be matched.
In the embodiment of the invention, after the assembly codes corresponding to the plurality of dynamic behaviors to be matched are obtained, the matching list can be constructed by utilizing the plurality of dynamic behaviors to be matched and the assembly codes corresponding to the plurality of dynamic behaviors to be matched, so that a user can conveniently inquire and use the matching list.
In the embodiment of the present invention, step S106 includes the following steps:
step S11, comparing the software gene with the preset software gene to determine the software gene to which the target software gene fragment belongs;
and step S12, cutting the software gene to which the target software gene fragment belongs to obtain the target software gene fragment.
In the embodiment of the present invention, since the number of the software genes of the sample to be matched is generally multiple, the software genes belonging to the target software gene fragment in the multiple software genes are determined, and then the software genes belonging to the target software gene fragment are cut, so as to obtain the target software gene fragment.
Example two:
the embodiment of the invention also provides a device for matching the dynamic behavior and the binary code based on the software gene, which is used for executing the method for matching the dynamic behavior and the binary code based on the software gene provided by the embodiment of the invention.
As shown in fig. 3, fig. 3 is a schematic diagram of the device for matching dynamic behavior with binary code based on software genes, where the device for matching dynamic behavior with binary code includes: a first acquisition unit 10, a determination unit 20, a comparison unit 30 and a disassembly unit 40.
The first obtaining unit 10 is configured to obtain a software gene of a sample to be matched and a dynamic behavior of the sample to be matched from a data storage system;
the determining unit 20 is configured to determine a preset software gene in a database, where the preset software gene is a software gene corresponding to the dynamic behavior;
the comparison unit 30 is configured to compare the software gene with the preset software gene to determine a target software gene, where the target software gene is a software gene with the highest similarity between the software gene and the preset software gene;
and the disassembling unit 40 is configured to convert the target software gene into an assembly code, and obtain the assembly code corresponding to the dynamic behavior to be matched.
In the embodiment of the invention, the software genes of the sample to be matched and the dynamic behavior of the sample to be matched are obtained; determining a preset software gene in a database, wherein the preset software gene is a software gene corresponding to the dynamic behavior; comparing the software gene with a preset software gene to determine a target software gene, wherein the target software gene is the software gene with the highest similarity between the software gene and the preset software gene; the target software gene is converted into the assembly code, the assembly code corresponding to the dynamic behavior to be matched is obtained, the purpose of matching the dynamic behavior with the binary code is achieved, the technical problem that the matching efficiency of the dynamic behavior and the binary code is low in the prior art is solved, and therefore the technical effect of improving the matching efficiency of the dynamic behavior and the binary code is achieved.
Preferably, the apparatus further comprises: the second obtaining unit is used for obtaining a dynamic behavior list of the sample to be matched before obtaining the software gene of the sample to be matched and the dynamic behavior of the sample to be matched from the data storage system, and storing the dynamic behavior list to the data storage system, wherein the dynamic behavior list comprises a plurality of dynamic behaviors to be matched.
Preferably, the apparatus further comprises: and the execution unit is used for controlling the acquisition unit, the determination unit, the comparison unit and the disassembly unit to repeatedly work until the dynamic behaviors to be matched in the dynamic behavior list are traversed to obtain assembly codes corresponding to the dynamic behaviors to be matched.
Preferably, the apparatus further comprises: and the construction unit is used for constructing a matching list based on the plurality of dynamic behaviors to be matched and assembly codes corresponding to the plurality of dynamic behaviors to be matched.
Preferably, the comparison unit is configured to compare the software gene with the preset software gene to determine a software gene to which the target software gene segment belongs; and cutting the software gene to which the target software gene fragment belongs to obtain the target software gene fragment.
Example three:
an embodiment of the present invention further provides an electronic device, including a memory and a processor, where the memory is used to store a program that supports the processor to execute the method described in the first embodiment, and the processor is configured to execute the program stored in the memory.
Referring to fig. 4, an embodiment of the present invention further provides an electronic device 100, including: the device comprises a processor 50, a memory 51, a bus 52 and a communication interface 53, wherein the processor 50, the communication interface 53 and the memory 51 are connected through the bus 52; the processor 50 is arranged to execute executable modules, such as computer programs, stored in the memory 51.
The Memory 51 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 53 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, and the like can be used.
The bus 52 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 4, but that does not indicate only one bus or one type of bus.
The memory 51 is used for storing a program, the processor 50 executes the program after receiving an execution instruction, and the method executed by the apparatus defined by the flow process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 50, or implemented by the processor 50.
The processor 50 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 50. The Processor 50 may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the device can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in the memory 51, and the processor 50 reads the information in the memory 51 and completes the steps of the method in combination with the hardware thereof.
Example four:
the embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program performs the steps of the method in the first embodiment.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A dynamic behavior and binary code matching method based on software genes is characterized by comprising the following steps:
the method comprises the steps of obtaining a software gene of a sample to be matched and a dynamic behavior of the sample to be matched from a data storage system;
determining a preset software gene in a database, wherein the preset software gene is a software gene corresponding to the dynamic behavior;
a comparison step, comparing the software gene with the preset software gene to determine a target software gene segment, wherein the target software gene segment is the software gene segment with the highest similarity to the preset software gene in the software gene;
and a disassembling step, namely converting the target software gene fragment into an assembly code to obtain the assembly code corresponding to the dynamic behavior to be matched.
2. The method of claim 1, wherein before obtaining the software genes of the sample to be matched and the dynamic behavior of the sample to be matched from a data storage system, the method further comprises:
and acquiring a dynamic behavior list of the sample to be matched, and storing the dynamic behavior list to the data storage system, wherein the dynamic behavior list comprises a plurality of dynamic behaviors to be matched.
3. The method of claim 2, further comprising:
and repeatedly executing the obtaining step, the determining step, the comparing step and the disassembling step until the dynamic behaviors to be matched in the dynamic behavior list are traversed to obtain assembly codes corresponding to the dynamic behaviors to be matched.
4. The method of claim 3, further comprising:
and constructing a matching list based on the plurality of dynamic behaviors to be matched and assembly codes corresponding to the plurality of dynamic behaviors to be matched.
5. The method of claim 1, wherein comparing the software gene with the predetermined software gene to determine a target software gene segment comprises:
comparing the software gene with the preset software gene to determine the software gene to which the target software gene fragment belongs;
and cutting the software gene to which the target software gene fragment belongs to obtain the target software gene fragment.
6. An apparatus for matching dynamic behavior with binary code based on software genes, comprising: a first acquisition unit, a determination unit, a comparison unit and a disassembly unit, wherein,
the acquisition unit is used for acquiring the software genes of the samples to be matched and the dynamic behaviors of the samples to be matched from a data storage system;
the determining unit is used for determining a preset software gene in a database, wherein the preset software gene is a software gene corresponding to the dynamic behavior;
the comparison unit is used for comparing the software genes with the preset software genes to determine target software genes, wherein the target software genes are the software genes with the highest similarity to the preset software genes;
and the disassembling unit is used for converting the target software gene into an assembly code to obtain the assembly code corresponding to the dynamic behavior to be matched.
7. The apparatus of claim 6, further comprising:
the second obtaining unit is used for obtaining a dynamic behavior list of the sample to be matched before obtaining the software gene of the sample to be matched and the dynamic behavior of the sample to be matched from the data storage system, and storing the dynamic behavior list to the data storage system, wherein the dynamic behavior list comprises a plurality of dynamic behaviors to be matched.
8. The apparatus of claim 7, further comprising:
and the execution unit is used for controlling the acquisition unit, the determination unit, the comparison unit and the disassembly unit to repeatedly work until the dynamic behaviors to be matched in the dynamic behavior list are traversed to obtain assembly codes corresponding to the dynamic behaviors to be matched.
9. An electronic device comprising a memory for storing a program that enables a processor to perform the method of any of claims 1 to 5 and a processor configured to execute the program stored in the memory.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of the claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011643929.8A CN112698837A (en) | 2020-12-31 | 2020-12-31 | Method and device for matching dynamic behaviors with binary codes based on software genes |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011643929.8A CN112698837A (en) | 2020-12-31 | 2020-12-31 | Method and device for matching dynamic behaviors with binary codes based on software genes |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112698837A true CN112698837A (en) | 2021-04-23 |
Family
ID=75514211
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011643929.8A Pending CN112698837A (en) | 2020-12-31 | 2020-12-31 | Method and device for matching dynamic behaviors with binary codes based on software genes |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112698837A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114064005A (en) * | 2021-11-18 | 2022-02-18 | 上海戎磐网络科技有限公司 | Method and device for identifying programming language type based on software gene |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108171059A (en) * | 2017-12-26 | 2018-06-15 | 中国人民解放军战略支援部队信息工程大学 | Malicious Code Detection and recognition methods and device based on software gene |
| CN110362968A (en) * | 2019-07-16 | 2019-10-22 | 腾讯科技(深圳)有限公司 | Information detecting method, device and server |
| CN110569629A (en) * | 2019-09-10 | 2019-12-13 | 北京计算机技术及应用研究所 | Binary code file tracing method |
| CN110618930A (en) * | 2019-08-12 | 2019-12-27 | 上海戎磐网络科技有限公司 | Global software gene database system, software gene processing method and medium |
-
2020
- 2020-12-31 CN CN202011643929.8A patent/CN112698837A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108171059A (en) * | 2017-12-26 | 2018-06-15 | 中国人民解放军战略支援部队信息工程大学 | Malicious Code Detection and recognition methods and device based on software gene |
| CN110362968A (en) * | 2019-07-16 | 2019-10-22 | 腾讯科技(深圳)有限公司 | Information detecting method, device and server |
| CN110618930A (en) * | 2019-08-12 | 2019-12-27 | 上海戎磐网络科技有限公司 | Global software gene database system, software gene processing method and medium |
| CN110569629A (en) * | 2019-09-10 | 2019-12-13 | 北京计算机技术及应用研究所 | Binary code file tracing method |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114064005A (en) * | 2021-11-18 | 2022-02-18 | 上海戎磐网络科技有限公司 | Method and device for identifying programming language type based on software gene |
| CN114064005B (en) * | 2021-11-18 | 2023-05-12 | 上海戎磐网络科技有限公司 | Method and device for identifying programming language type based on software genes |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109670091B (en) | Metadata intelligent maintenance method and device based on data standard | |
| CN109271315B (en) | Script code detection method, script code detection device, computer equipment and storage medium | |
| KR20150083627A (en) | Method for detecting malignant code of android by activity string analysis | |
| CN110727716B (en) | Identification method for integrated SDK in application, intelligent terminal and storage medium | |
| CN110866259A (en) | Method and system for calculating potential safety hazard score based on multi-dimensional data | |
| CN109101390B (en) | Timed task abnormity monitoring method based on Gaussian distribution, electronic device and medium | |
| CN115729817A (en) | Method and device for generating and optimizing test case library, electronic equipment and storage medium | |
| CN111090593A (en) | Method, device, electronic equipment and storage medium for determining crash attribution | |
| CN112698837A (en) | Method and device for matching dynamic behaviors with binary codes based on software genes | |
| CN110580220A (en) | method for measuring execution time of code segment and terminal equipment | |
| CN113094248B (en) | User behavior data analysis method and device, electronic equipment and medium | |
| CN111338864A (en) | Memory problem detection method and device, computer equipment and storage medium | |
| CN108304310B (en) | Log analysis method and computing device | |
| CN116149941A (en) | Monitoring method and device of server component, server and storage medium | |
| CN114398399A (en) | Retrieval method and device of management information base and electronic equipment | |
| CN112231194B (en) | Index abnormity root analysis method and device and computer readable storage medium | |
| CN112261139B (en) | Service data acquisition method and device and electronic equipment | |
| CN114490238A (en) | Method, system, terminal and storage medium for monitoring whole server diagnosis process | |
| CN111352825B (en) | Data interface testing method and device and server | |
| CN114020772A (en) | Query condition configuration method, system, electronic device and storage medium | |
| CN111931161A (en) | RISC-V processor based chip verification method, apparatus and storage medium | |
| CN113254248B (en) | Fault diagnosis method, system and computing device | |
| CN114780013B (en) | Identification method and device for touch screen operation, terminal equipment and medium | |
| CN110674839A (en) | Abnormal user identification method and device, storage medium and electronic equipment | |
| CN110801630A (en) | Cheating program determining method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |