Record
Research and Implementation of a Stealth Debugging Mechanism Based on Code Reconstruction and Page Fault Techniques
【Author】 Chen Qinyuan;
【Supervisor】 Li Yichao;
【Author information】 University of Electronic Science and Technology of China, Computer Application Technology, 2010, Master's
【Abstract (translated from the Chinese)】 Malicious code, a by-product of information technology, poses an increasingly serious threat to network security, which makes malicious code analysis highly significant. Deep study of how malicious code runs yields its internal details, which in turn serve as the basis for malicious code detection. Malicious code analysis usually requires many analysis tools; the debugger, the most powerful of them, is widely used in virus analysis, software cracking and other fields. However, as malware authoring techniques have advanced, malicious code has adopted anti-debugging techniques to resist analysis and avoid exposing its internal mechanisms. In addition, as software protection technology has progressed, more and more packing tools have appeared on the market; these tools are simple and convenient to use and are often exploited by malicious code. The series of anti-debugging methods employed by malicious code raises the difficulty of debugging, increases the analyst's workload, and can even make debugging impossible. A new debugging mechanism is therefore needed, one whose internal implementation differs fundamentally from conventional debugging techniques so that it can avoid, at the root, the various anti-debugging techniques malicious code commonly uses. Against the background of these requirements, this thesis summarises the anti-debugging techniques commonly used by malicious code, analyses in depth the internal implementation of mainstream debugging techniques, and identifies the shortcomings of current debugging techniques. On that basis it proposes a stealth debugging mechanism based on code reconstruction and page faults. The mechanism uses page fault techniques to implement breakpoint setting and breakpoint triggering, and code reconstruction techniques to implement breakpoint positioning and single-step debugging. The stealth debugging mechanism proposed here does not depend on the conventional debugging support of the operating system or CPU, and every debugging operation performed with it is transparent to the debug target. Compared with traditional debugging mechanisms, it is superior both in the stealthiness of the debugging platform and in improving software debuggability. Specifically, the main work of this thesis is: 1) An overall technical scheme for the stealth debugging mechanism is proposed, describing in detail the code reconstruction and page fault techniques it employs and the operating system and CPU support these techniques depend on. 2) Solutions are proposed for the technical obstacles facing the overall scheme. On the basis of this work a stealth debugging system is designed; its overall architecture and workflow are given, and the design and implementation of each functional module are described in detail. 3) The stealth debugging system is verified experimentally, with emphasis on testing its functionality and stealthiness. Finally, the thesis summarises the work, objectively evaluates the strengths and weaknesses of the stealth debugging system, and outlines future work.
【Abstract】 As a derivative of information technology, malicious code seriously threatens network security. Analysis of malicious code is therefore of great significance: deep study of how malicious code operates reveals its internal details, which can then serve as evidence for malicious code detection. Malicious code analysis often requires many tools. Debuggers, among the most powerful of them, are widely used in virus analysis, software cracking and other fields. But as technology has developed, malicious code generally uses many anti-debugging techniques to avoid exposing its internal mechanisms. In addition, with the development of software protection technologies, more and more packing tools have come onto the market. These tools are easy to use, so they are often used by malicious code to evade debugger analysis. The anti-debugging techniques used by malicious code make it much more difficult to analyse such code and, what is more, can stop debugging altogether. Thus a new type of debugging mechanism is required, one that differs essentially from regular debugging tools in its internal implementation and can counter the anti-debugging techniques used by malicious code. In the context of the above requirements, this thesis summarises the various anti-debugging techniques of malicious code and, together with a study of mainstream debugging technologies and their internal mechanisms, identifies the shortcomings of current debugging techniques. We then propose a stealthy debugging mechanism built on code reconstruction and page fault techniques: the mechanism uses page fault techniques for setting and triggering breakpoints, and code reconstruction for breakpoint positioning and single-step debugging.
The debugging mechanism proposed in this thesis makes no change to the target program's code space, achieves stealthy debugging without conventional operating system or CPU debugging support, and any debugging operation carried out with it is transparent to the debug target. Compared with traditional debugging mechanisms, this technology is superior in terms of stealth and performance. Specifically, the main work of this thesis is: 1) It presents a stealthy debugging mechanism, gives the details of the page fault and code reconstruction techniques the mechanism uses, and describes the operating system and CPU support involved. 2) It puts forward solutions for the technical barriers of the overall technical scheme. Based on the above work, we design and implement a stealthy debugging system and give its overall architecture and workflow. 3) It tests the stealthy debugging system, especially its debugging functions and its stealthiness. Finally the thesis summarises the advantages and shortcomings of the system and points out prospects for this field.
【Key words】 Malicious code; Stealth-debug; Code reconstruct; Page fault;
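The page-fault breakpoint idea from the abstract, as an added example that is not the thesis's own code: a one-shot breakpoint set by removing execute permission from the page that holds the target function, so that the target's code bytes are never patched and no hardware debug registers or trap flag are used. It assumes a Linux/POSIX process (mprotect, sigaction, SIGSEGV), a constructed target function, and the alignment value used to keep the target alone in its page.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Alignment chosen so the target sits alone in its page even on 64 KiB-page kernels (assumption). */
#define BP_ALIGN 65536
/* Debug target (constructed). Its code bytes are never written to. */
__attribute__((noinline, aligned(BP_ALIGN)))
int target(int x) { return x * 2 + 1; }
/* Padding symbol: everything emitted after it starts on a fresh region,
 * so the handler below never shares a page with the target. */
__attribute__((noinline, aligned(BP_ALIGN)))
void target_region_end(void) {}

static volatile sig_atomic_t bp_hits;
static void *bp_page;
static size_t bp_len;

/* Breakpoint "trigger": the instruction fetch from the armed page faults and
 * si_addr carries the faulting PC, i.e. where execution arrived. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    uintptr_t pc = (uintptr_t)si->si_addr;
    (void)sig; (void)ctx;
    if (pc >= (uintptr_t)bp_page && pc < (uintptr_t)bp_page + bp_len) {
        bp_hits++;
        /* Disarm: restore exec; on return the same instruction re-executes. */
        mprotect(bp_page, bp_len, PROT_READ | PROT_EXEC);
        return;
    }
    signal(SIGSEGV, SIG_DFL);   /* not our breakpoint: crash normally */
}

/* Arm a one-shot breakpoint on the page holding fn, call it, and return how
 * many times the breakpoint fired (-1 if the page could not be armed). */
int run_with_page_breakpoint(int (*fn)(int), int arg, int *result) {
    struct sigaction sa;
    bp_len = (size_t)sysconf(_SC_PAGESIZE);
    bp_page = (void *)((uintptr_t)fn & ~(uintptr_t)(bp_len - 1));
    bp_hits = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, NULL);
    if (mprotect(bp_page, bp_len, PROT_READ) != 0) return -1;  /* arm */
    *result = fn(arg);          /* first fetch faults, handler runs, call completes */
    return (int)bp_hits;
}
```

Re-arming the page after the faulting instruction has run would need a single step, which is exactly the part the thesis replaces with code reconstruction rather than the CPU's trap flag.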