
Research on the Technology of Data Structure Randomization (结构体随机化技术研究)

【Author】 陈惠羽

【Supervisors】 谢立; 茅兵

【Author information】 Nanjing University, Computer Applications, 2012, Master's thesis

【Abstract (translated from the Chinese)】 With the rapid development of the information world, the threat posed by rootkits, backdoors, trojans and other malware, and by the variants derived from their code, grows more serious every year. For many years security researchers and attackers have been locked in a game of malicious-code detection versus anti-detection, which to a large degree is a game of reversing versus anti-reversing specific information inside programs. Security researchers extract signatures from this information to help detect malware; attackers can likewise use reversed information to find vulnerabilities or to build new variants. For both sides, therefore, it is necessary to adopt suitable techniques to protect their own code from being reversed and exploited. The main techniques currently used to protect program information are encryption, obfuscation or randomization, and trusted-code isolation. This thesis starts from randomization. It first analyses the principles of several existing randomization techniques and discusses their characteristics and shortcomings in terms of randomization strength, granularity and the problems they target; on that basis it studies the randomization of data structures (structs) within a program. Depending on the problem scenario, the work proceeds from two angles. From the security researcher's angle, where source code is available, we discuss which kinds of data structures can be randomized, design and implement a compiler-based randomization tool accordingly, and apply it to an operating system kernel to verify its defensive effect against kernel rootkits. From the other angle, where no source code is available, we implement binary-level data structure randomization that hides the program's data structure information while keeping the program running correctly. We package this technique as a program polymorphism tool and apply it to malware, so that the malware changes its data structures dynamically as it propagates and runs, evading anti-malware software whose detection relies on data structure information.

【Abstract】 With the rapid growth of the information world, malware such as rootkits, backdoors, trojans and their variants has been threatening the cyber world ever more seriously. For many years, security researchers have been playing a game of malware detection and anti-detection with malicious attackers, which could equally be described as a game of reversing and anti-reversing specific program information. Security researchers want to extract signatures that capture the characteristics of malware, while malicious code writers can in turn make use of information reversed from security programs. Several common methods exist to protect program information, such as encryption, obfuscation, randomization and trusted-code isolation. This thesis starts from randomization (or obfuscation) technology. First, we analyse the principles of the commonly used randomization technologies and discuss their shortcomings from the perspective of randomization strength, granularity and application. Then, we study data-structure-based randomization. On the one hand, supposing the source code is available, we first analyse which data structures can be randomized, then design and implement a compiler-based tool to randomize them. We apply it to the Linux kernel and test its effectiveness by running several LKM rootkits on the randomized kernel. On the other hand, supposing only the binary code is available, we discuss how to randomize data structures at the binary level. Under the premise of keeping the original program working correctly, we design and implement a small, dynamic tool that can be attached to any program, such as malware, and that randomizes the data structures within the program every time it runs or replicates. Malware with its data structures randomized in this way presents a dynamically changing data structure layout.

  • 【Online publisher】 Nanjing University
  • 【Online publication】 2012, issue 10
  • 【Classification number】 TP309
  • 【Downloads】 47