• Title/Summary/Keyword: PE File Analysis

Search Result 8, Processing Time 0.021 seconds

PE Header Characteristics Analysis Technique for Malware Detection (악성프로그램 탐지를 위한 PE헤더 특성 분석 기술)

  • Choi, Yang-Seo;Kim, Ik-Kyun;Oh, Jin-Tae;Ryu, Jae-Cheol
    • Convergence Security Journal
    • /
    • v.8 no.2
    • /
    • pp.63-70
    • /
    • 2008
  • In order not to make the malwares be easily analyzed, the hackers apply various anti-reversing and obfuscation techniques to the malwares. However, as the more anti-revering techniques are applied to the malwares the more abnormal characteristics in the PE file's header which are not shown in the normal PE file, could be observed. In this letter, a new malware detection technique is proposed based on this observation. For the malware detection, we define the Characteristics Vector(CV) which can represent the characteristics of a PE file's header. In the learning phase, we calculate the average CV(ACV) of malwares(ACVM) and normal files(ACVN). To detect the malwares we calculate the 2 Weighted Euclidean Distances(WEDs) from a file's CV to ACVs and they are used to decide whether the file is a malware or not. The proposed technique is very fast and detection rate is fairly high, so it could be applied to the network based attack detection and prevention devices. Moreover, this technique is could be used to detect the unknown malwares because it does not utilize a signature but the malware's characteristics.

  • PDF

A Classification Method for Executable Files based on Comparison of Undocumented Information in the PE Header (실행파일 헤더내 문서화되지 않은 정보의 비교를 통한 실행파일 분류 방법)

  • Kim, Jung-Sun;Kang, Jung-Min;Kim, Kang-San;Shin, Wook
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.2 no.1
    • /
    • pp.43-50
    • /
    • 2013
  • File identification and analysis is an important process of computer forensics, since the process determines which subjects are necessary to be collected and analyzed as digital evidence. An efficient file classification aids in the file identification, especially in case of copyright infringement where we often have huge amounts of files. A lot of file classification methods have been proposed by far, but they have mostly focused on classifying malicious behaviors based on known information. In copyright infringement cases, we need a different approach since our subject includes not only malicious codes, but also vast number of normal files. In this paper, we propose an efficient file classification method that relies on undocumented information in the header of the PE format files. Out method is useful in copyright infringement cases, being applied to any sort of PE format executable file whether the file is malicious, packed, mutated, transformed, virtualized, obfuscated, or not.

Packed PE File Detection for Malware Forensics (악성코드 포렌식을 위한 패킹 파일 탐지에 관한 연구)

  • Han, Seung-Won;Lee, Sang-Jin
    • The KIPS Transactions:PartC
    • /
    • v.16C no.5
    • /
    • pp.555-562
    • /
    • 2009
  • In malware accident investigation, the most important thing is detection of malicious code. Signature based anti-virus softwares have been used in most of the accident. Malware can easily avoid signature based detection by using packing or encryption method. Because of this, packed file detection is also important. Detection methods can be divided into signature based detection and entropy based detection. Signature based detection can not detect new packing. And entropy based detection has a problem with false positive. We provides detection method using entropy statistics of entry point section and 'write' properties of essential characteristic of packed file. And then, we show packing detection tool and evaluate its performance.

A Chi-Square-Based Decision for Real-Time Malware Detection Using PE-File Features

  • Belaoued, Mohamed;Mazouzi, Smaine
    • Journal of Information Processing Systems
    • /
    • v.12 no.4
    • /
    • pp.644-660
    • /
    • 2016
  • The real-time detection of malware remains an open issue, since most of the existing approaches for malware categorization focus on improving the accuracy rather than the detection time. Therefore, finding a proper balance between these two characteristics is very important, especially for such sensitive systems. In this paper, we present a fast portable executable (PE) malware detection system, which is based on the analysis of the set of Application Programming Interfaces (APIs) called by a program and some technical PE features (TPFs). We used an efficient feature selection method, which first selects the most relevant APIs and TPFs using the chi-square ($KHI^2$) measure, and then the Phi (${\varphi}$) coefficient was used to classify the features in different subsets, based on their relevance. We evaluated our method using different classifiers trained on different combinations of feature subsets. We obtained very satisfying results with more than 98% accuracy. Our system is adequate for real-time detection since it is able to categorize a file (Malware or Benign) in 0.09 seconds.

How to Prevent Software crack for Control PE (PE Format 조작을 통한 소프트웨어 크랙 방지 기술)

  • Kim, Tae-hyoung;Jang, Jong-uk
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2017.05a
    • /
    • pp.249-251
    • /
    • 2017
  • In the past, People thought that software security was not important. but Skills of attacking software has growing up in fast, software crack fall down software industry growth and profit of copyright holder was declined. So I propose software crack prevention for changing PE Format. Hackers can analyze program in static. As we change the PE format, we can prevent static analysis. As I insert anti - debugging code the exe file, the program is protected from dynamic analysis.

  • PDF

Preprocessor Implementation of Open IDS Snort for Smart Manufacturing Industry Network (스마트 제조 산업용 네트워크에 적합한 Snort IDS에서의 전처리기 구현)

  • Ha, Jaecheol
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.26 no.5
    • /
    • pp.1313-1322
    • /
    • 2016
  • Recently, many virus and hacking attacks on public organizations and financial institutions by internet are becoming increasingly intelligent and sophisticated. The Advanced Persistent Threat has been considered as an important cyber risk. This attack is basically accomplished by spreading malicious codes through complex networks. To detect and extract PE files in smart manufacturing industry networks, an efficient processing method which is performed before analysis procedure on malicious codes is proposed. We implement a preprocessor of open intrusion detection system Snort for fast extraction of PE files and install on a hardware sensor equipment. As a result of practical experiment, we verify that the network sensor can extract the PE files which are often suspected as a malware.

A Study of Acquisition and Analysis on the Bios Firmware Image File in the Digital Forensics (디지털 포렌식 관점에서 BIOS 펌웨어 이미지 파일 수집 및 분석에 관한 연구)

  • Jeong, Seung Hoon;Lee, Yun Ho;Lee, Sang Jin
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.5 no.12
    • /
    • pp.491-498
    • /
    • 2016
  • Recently leakages of confidential information and internal date have been steadily increasing by using booting technique on portable OS such as Windows PE stored in portable storage devices (USB or CD/DVD etc). This method allows to bypass security software such as USB security or media control solution installed in the target PC, to extract data or insert malicious code by mounting the PC's storage devices after booting up the portable OS. Also this booting method doesn't record a log file such as traces of removable storage devices. Thus it is difficult to identify whether the data are leaked and use trace-back technique. In this paper is to propose method to help facilitate the process of digital forensic investigation or audit of a company by collecting and analyzing BIOS firmware images that record data relating to BIOS settings in flash memory and finding traces of portable storage devices that can be regarded as abnormal events.

A Study On Artifacts Analysis In Portable Software (무 설치 프로그램에서의 사용자 행위 아티팩트 분석)

  • Taeyeong Heo;Taeshik Shon
    • Journal of Platform Technology
    • /
    • v.11 no.2
    • /
    • pp.39-53
    • /
    • 2023
  • Non-installation program (hereinafter referred to as "portable program") is a program that can be used without an installation process, unlike general software. Since there is no separate installation process, portable programs have high mobility and are used in various ways. For example, when initial setup of multiple PCs is required, a portable program can be stored on one USB drive to perform initial setup. Alternatively, when a problem occurs with the PC and it is difficult to boot normally, Windows PE can be configured on the USB drive and portable programs can be stored for PC recovery. And the portable program does not directly affect PC settings, such as changing registry values, and does not leave a trace. This means that the portable program has high security. If a portable program is deleted after using it, it is difficult to analyze behavior in a general way. If a user used a portable program for malicious behavior, analysis in a general way has limitations in collecting evidence. Therefore, portable programs must have a new way of behavioral analysis that is different from ordinary installation software. In this paper, after installing the Windows 10 operating system on a virtual machine, we proceed with the scenario with a portable program of Opera and Notepad++. And we analyze this in various ways such as file analysis of the operating system and memory forensics, collect information such as program execution time and frequency, and conduct specific behavioral analysis of user.

  • PDF