Pimflo: A process-interpretable approach for malicious function localization
The localization of key modules in malicious software is a crucial step in reverse engineering. However, most research focuses on determining whether a program is malicious, with little attention paid to the location of the critical malicious modules. Furthermore, automated localization is difficult and the location process is hard to explain. Therefore, this paper proposes a process-explanation-based method for locating malicious functions, termed Pimflo, which identifies and locates malicious activities by analyzing specific memory information. The method runs the target binary in a dynamic sandbox and performs forensic analysis on its memory, detects suspicious behavior through signature-based matching, and tracks the related process calls and stack information. By disassembling the target program to generate a Control Flow Graph (CFG), Pimflo reconstructs the call chain of the suspicious behavior, enabling precise tracing and identification of the malicious source function. The paper evaluates the performance of Pimflo on 100 samples from VIRUSSHARE, demonstrating that Pimflo achieves a localization accuracy of 90.28% for malicious functions. Its interpretability and logic surpass those of existing non-scalar frameworks based on statistics, providing a more reliable solution to the localization of malicious software.
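The call-chain reconstruction step described above, as an added illustration that is not code from the paper: a stack captured by a sandbox hook at the moment of suspicious API activity is mapped onto function address ranges from the disassembly, each caller/callee pair is checked against the reconstructed CFG edges, and the innermost non-library frame is reported as the source function. All function names, addresses and call-graph edges are constructed for the example.

```python
# Constructed function address ranges, standing in for disassembler output.
FUNCTIONS = {  # name: (start, end) -- hypothetical values
    "main":         (0x401000, 0x4010FF),
    "init_config":  (0x401100, 0x4011FF),
    "drop_payload": (0x401200, 0x4012FF),
    "write_file":   (0x401300, 0x40133F),
    "CreateFileW":  (0x7FF00000, 0x7FF000FF),  # imported API
    "WriteFile":    (0x7FF00100, 0x7FF001FF),  # imported API
}
# Constructed CFG at function granularity: caller -> set of callees.
CALL_EDGES = {
    "main":         {"init_config", "drop_payload"},
    "drop_payload": {"write_file"},
    "write_file":   {"CreateFileW", "WriteFile"},
}
# Frames in these functions are library code, not candidate sources.
LIBRARY = {"CreateFileW", "WriteFile"}


def func_at(addr):
    """Resolve an address to the function whose range contains it."""
    for name, (start, end) in FUNCTIONS.items():
        if start <= addr <= end:
            return name
    return None


def reconstruct_chain(stack_addrs):
    """Map a captured stack (innermost frame first) to function names and
    verify that every adjacent pair is a real call edge in the CFG.
    Returns the chain ordered outermost -> innermost."""
    names = [func_at(a) for a in stack_addrs]
    if None in names:
        raise ValueError("return address outside any known function")
    outer_to_inner = names[::-1]
    for caller, callee in zip(outer_to_inner, outer_to_inner[1:]):
        if callee not in CALL_EDGES.get(caller, set()):
            raise ValueError(f"no CFG edge {caller} -> {callee}")
    return outer_to_inner


def locate_source(stack_addrs):
    """Innermost non-library function on a verified chain: the function
    that directly drives the flagged behavior."""
    chain = reconstruct_chain(stack_addrs)
    for name in reversed(chain):  # innermost first
        if name not in LIBRARY:
            return name
    raise ValueError("chain contains only library frames")


if __name__ == "__main__":
    # Constructed stack captured when the WriteFile hook fires.
    stack = [0x7FF00110, 0x401320, 0x401250, 0x401080]
    print(" -> ".join(reconstruct_chain(stack)), "| source:", locate_source(stack))
```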
Keywords: Binary analysis; Malicious function localization; Memory forensics; Stack tracing; Process interpretability