Chinese Journal of Network and Information Security ›› 2017, Vol. 3 ›› Issue (2): 20-30.doi: 10.11959/j.issn.2096-109x.2017.00144


Successive memory image analysis method for malicious codes

Wei-ming LI1, De-qing ZOU1, Guo-zhong SUN2

  1 School of Computer Science, Huazhong University of Science and Technology, Wuhan 430074, China
  2 Dawning Information Industry Co., Ltd., Beijing 100080, China
  • Revised: 2016-10-23  Online: 2017-02-01  Published: 2017-02-10
  • Supported by:
    The National Natural Science Foundation of China (61272072); The National Basic Research Program of China (973 Program) (2016YFB0200300)

Abstract:

In order to detect the behavior of malicious code more comprehensively, a successive memory image analysis technique was proposed. The core idea was to run the malicious code in a QEMU virtual machine, to capture a base memory image followed by a series of incremental memory images during the run, and then to analyze the base image together with each increment. Building on the analysis of a single memory image, the different memory images were compared with one another, so that artifacts present only transiently during the run are still observed. At the same time, the visualization tool D3.js was used to display the change of memory state as the system ran. Finally, the prototype system was tested on 40 malicious code samples, and the number of malicious code behaviors detected was 19.7% higher than with a traditional single memory image.
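The comparative step described above, as an added illustration that is not code from the paper: each memory image is reduced to a constructed summary of the kind a memory forensics parser would list (processes, loaded modules, network connections), successive images are diffed pairwise, and the union of the increments is compared with what a single final image would reveal. The sample images, pids, module names and endpoint are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MemoryImage:
    """Summary of one memory image (constructed; a parser would produce these sets)."""
    processes: frozenset    # (pid, name)
    modules: frozenset      # (pid, module_name)
    connections: frozenset  # (pid, remote_endpoint)


def diff_images(prev: MemoryImage, curr: MemoryImage) -> dict:
    """Artifacts that first appear between two successive images."""
    return {
        "new_process": curr.processes - prev.processes,
        "new_module": curr.modules - prev.modules,
        "new_connection": curr.connections - prev.connections,
    }


def successive_behaviors(images: list) -> set:
    """Union of all pairwise increments; transient artifacts are retained."""
    found = set()
    for prev, curr in zip(images, images[1:]):
        for kind, items in diff_images(prev, curr).items():
            found.update((kind, item) for item in items)
    return found


def single_image_behaviors(base: MemoryImage, final: MemoryImage) -> set:
    """What comparing only the base with the last image would show."""
    return successive_behaviors([base, final])


# Constructed run: base image, then two increments taken while the sample executes.
# A short-lived cmd.exe and its connection exist only in IMG1 and are gone by IMG2.
BASE = MemoryImage(frozenset({(4, "System"), (600, "explorer.exe")}), frozenset(), frozenset())
IMG1 = MemoryImage(
    frozenset({(4, "System"), (600, "explorer.exe"), (1200, "sample.exe"), (1300, "cmd.exe")}),
    frozenset({(1200, "ws2_32.dll")}),
    frozenset({(1300, "203.0.113.5:443")}),
)
IMG2 = MemoryImage(
    frozenset({(4, "System"), (600, "explorer.exe"), (1200, "sample.exe")}),
    frozenset({(1200, "ws2_32.dll"), (1200, "wininet.dll")}),
    frozenset(),
)

if __name__ == "__main__":
    print(len(successive_behaviors([BASE, IMG1, IMG2])), "vs", len(single_image_behaviors(BASE, IMG2)))
```

Running the block prints `5 vs 3`: the transient cmd.exe process and its outbound connection are only visible through the successive images.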

Key words: malware, memory image, comparative analysis, data visualization
