Abstract
To address the shortcomings of existing approaches, namely inaccurate virtual instruction recognition, the inability of static analysis to resolve branch jumps, and the inability to apply them across major versions, a symbolic-execution-based virtual instruction extraction method is proposed. The method generates an instruction trace through dynamic binary instrumentation and analyzes the trace offline; the handler set is partitioned according to the virtual machine structure and its jump rules; symbolic execution is then applied to each handler to perform semantic analysis and derive its state expression; finally, virtual instructions are extracted using heuristic rules. The method is validated on five test programs and two VMProtect versions. Compared with the VMP analysis plugin and NoVmpy, the virtual instruction recognition rate improves by 26.72 percentage points and the accuracy by 41.09 percentage points, and branch jump handling is improved. The experimental results show that the method effectively improves the accuracy, completeness and robustness of virtual instruction extraction.
Authors
张沈芊芊
董卫宇
林键
ZHANG Shenqianqian, DONG Weiyu, LIN Jian (Information Engineering University, Zhengzhou 450001, China)
Source
《信息工程大学学报》
2025, No. 1, pp. 83-89 (7 pages)
Journal of Information Engineering University
Funding
Natural Science Foundation of Henan Province (2472300420698).
Keywords
code virtualization
deobfuscation
virtual instruction
software security
reverse analysis