Title of invention APPARATUS AND METHOD FOR INSPECTING NON-PORTABLE EXECUTABLE FILES
Abstract PURPOSE: A non-PE (Portable Executable) file inspection device and method are provided to detect malicious non-PE files all at once by loading relative virtual addresses in accordance with the type of non-PE file and inspecting whether the file is malicious. CONSTITUTION: A data loading part (110) loads malicious candidate address information related to the malicious code of a non-PE file. A program connection part (120) acquires normal address range information of a module loaded into memory and sets a malicious candidate address corresponding to the malicious candidate address information as a program breakpoint. If an event related to the breakpoint occurs, a maliciousness determination part (130) determines whether the next execution address belongs to the normal address range information. A database part (160) stores the set of malicious candidate address information. [Reference numerals] (100) Malicious file inspection device; (110) Data loading part; (120) Program connection part; (130) Maliciousness determination part; (140) Malicious shell code extraction part; (150) Cause identifying part; (160) Database part
Publication number KR101265173(B1) Publication date 2013.05.15
Application number KR20120050156 Filing date 2012.05.11
Applicant AHNLAB, INC. Inventors LIM, CHA SUNG; LEE, JU SEOK
Classification G06F21/00; G06F11/28 Main classification G06F21/00