Title of invention |
APPARATUS AND METHOD FOR INSPECTING NON-PORTABLE EXECUTABLE FILES |
Abstract |
PURPOSE: A non-PE (Portable Executable) file inspection device and method are provided to detect malicious non-PE files all at once by loading relative virtual addresses according to the type of non-PE file and checking whether the file is malicious. CONSTITUTION: A data loading part (110) loads malicious candidate address information related to the malicious code of a non-PE file. A program connection part (120) acquires normal address range information of a module loaded into memory. The program connection part sets the malicious candidate address corresponding to the malicious candidate address information as a program breakpoint. If an event related to the breakpoint occurs, a maliciousness determination part (130) determines whether the next execution address falls within the normal address range information. A database part (160) stores the set of malicious candidate address information. [Reference numerals] (100) Malicious file inspection device; (110) Data loading part; (120) Program connection part; (130) Maliciousness determination part; (140) Malicious shell code extraction part; (150) Cause identifying part; (160) Database part
|
Publication number |
KR101265173(B1) |
Publication date |
2013.05.15 |
Application number |
KR20120050156 |
Filing date |
2012.05.11 |
Applicant |
AHNLAB, INC. |
Inventors |
LIM, CHA SUNG;LEE, JU SEOK |
Classification |
G06F21/00;G06F11/28 |
Main classification |
G06F21/00 |
Agency |

Agent |

Principal claim |

Address |
|