Since the vast majority of Trojan horses are distributed as packed PE files, this paper studies packing detection for PE files. The Euclidean-distance-based method for identifying packed PE files is improved, and on that basis a Minkowski-distance-based method is proposed to classify PE files and detect whether they are packed. Experimental results show that, compared with the popular PEiD tool, the method achieves a higher detection rate, while its false positive and false negative rates remain within an acceptable range.
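The following is an added example, not code from the paper, of the kind of classifier the abstract describes: PE files are represented as feature vectors and assigned to the nearer class centroid under a Minkowski distance of order p, with the Euclidean method being the special case p=2. The abstract does not state which features or which p the authors used, so the three features here (Shannon entropy of section bytes, raw-to-virtual section size ratio, scaled import count), the training vectors, and the byte blobs the entropies are computed from are all constructed assumptions chosen so the example runs offline; a real pipeline would extract them from each file with a PE parser such as pefile.

```python
"""Added example (not the paper's code): nearest-centroid classification of
PE feature vectors under a Minkowski distance, Euclidean being the p=2 case.

Assumed features (not taken from the abstract):
  - Shannon entropy of a section's raw bytes (bits per byte, 0..8);
    packed or encrypted sections approach 8.0
  - ratio of raw section size to virtual size; packed sections are small on
    disk and expand in memory, so the ratio is low
  - import count scaled to [0, 1]; packers usually leave only a stub IAT
All vectors below are constructed sample data, not measured from real files.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def minkowski(a, b, p):
    """Minkowski distance of order p: p=1 Manhattan, p=2 Euclidean,
    p=inf Chebyshev. Raises for p < 1, where it is no longer a metric."""
    if len(a) != len(b):
        raise ValueError("feature vectors differ in length")
    diffs = [abs(x - y) for x, y in zip(a, b)]
    if p == math.inf:
        return max(diffs)
    if p < 1:
        raise ValueError("p must be >= 1")
    return sum(d ** p for d in diffs) ** (1.0 / p)


def centroid(vectors):
    """Component-wise mean of a list of equal-length vectors."""
    k = len(vectors[0])
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(k)]


def classify(x, centroids, p=2):
    """Label of the centroid nearest to x under Minkowski-p."""
    return min(centroids, key=lambda label: minkowski(x, centroids[label], p))


# Constructed training data. Two of the entropy values are computed from
# constructed byte blobs so the entropy feature is exercised for real:
# near-uniform random bytes stand in for a packed section, repetitive text
# for plain code. The remaining vectors are hand-chosen sample points.
_rng = random.Random(7)
PACKED_BLOB = bytes(_rng.randrange(256) for _ in range(4096))
PLAIN_BLOB = b"push ebp; mov ebp, esp; call 0x401000;\n" * 100

TRAIN = {
    "packed": [
        [shannon_entropy(PACKED_BLOB), 0.05, 0.02],
        [7.85, 0.10, 0.05],
        [7.60, 0.20, 0.10],
    ],
    "unpacked": [
        [shannon_entropy(PLAIN_BLOB), 0.95, 0.80],
        [5.90, 0.90, 0.60],
        [6.30, 0.85, 0.70],
    ],
}
CENTROIDS = {label: centroid(vs) for label, vs in TRAIN.items()}


def detect(sample, p=2):
    """Classify one constructed feature vector as 'packed' or 'unpacked'."""
    return classify(sample, CENTROIDS, p)


if __name__ == "__main__":
    probe = [7.9, 0.08, 0.03]  # constructed: high entropy, tiny on disk, few imports
    for order in (1, 2, math.inf):
        print(f"p={order}: {detect(probe, order)}")
```

Because the decision is distance-based rather than signature-based, this kind of classifier can flag a custom or modified packer that a signature database like PEiD's does not know, which is the higher detection rate the abstract reports; the trade-off is that any file with legitimately high-entropy sections (embedded compressed resources, for example) sits close to the packed centroid, which is why the false positive rate must be measured alongside the detection rate.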