Computer Science, 2025, Vol. 52, Issue (1): 393-400. DOI: 10.11896/jsjkx.231100181

Anti-semantic Analysis Script Fusion Technology

田博文¹, 杨巨², 熊小兵², 段爽², 魏然²

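Author information

  • 1. School of Cyberspace Security, Zhengzhou University, Zhengzhou 450001; School of Cyberspace Security, Information Engineering University, Zhengzhou 450001
  • 2. School of Cyberspace Security, Information Engineering University, Zhengzhou 450001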

Abstract

In recent years, script programs have been widely used in the field of computer science. Script programs are increasingly used in the current network environment because of their powerful functionality and high execution efficiency, and because they are simpler to write and smaller in size than binary programs. Currently, script obfuscation techniques fall into three main types: encoding obfuscation, structural obfuscation, and encryption obfuscation. However, existing script obfuscation methods have obvious features and are at risk of being deobfuscated. Once a script is deobfuscated, its functionality can be easily analyzed and understood. To address this issue, an anti-semantic analysis script fusion technique is proposed. Camouflage code with ordinary functionality and the target code that needs to be protected are each divided into blocks and then deeply merged. The fused code contains the code from both scripts, and the semantics and logic of the different scripts are intertwined and interdependent, making semantic analysis more difficult. Understanding and analyzing the fused code requires stronger semantic reasoning and contextual understanding capabilities. Experimental results on PowerShell scripts show that the control flow cyclomatic complexity of the fused script programs is increased by 81.51% on average, and the obfuscation strength of the code is greatly enhanced. This technique effectively blurs the script's semantics, alters control flow characteristics, and performs well in the face of semantic analysis by ChatGPT: the core functionality of the target code is difficult to analyze and understand, which improves the survivability and persistence of script programs.

Key words

Code protection/Obfuscation/Code division/Fuse/Script program


Publication year

2025
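Computer Science
Chongqing Southwest Information Co., Ltd. (formerly the Southwest Information Center of the Ministry of Science and Technology)

Peking University Core Journal
Impact factor: 0.944
ISSN: 1002-137X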