Abstract: A method for detecting a maliciousness of a non-portable executable file includes the steps of: executing a non-portable executable file by running an application program corresponding to the non-portable executable file in a virtual environment; monitoring the execution of the application program; breaking the execution of the application program at a predetermined breakpoint during the monitoring of the execution of the application program; changing an executing flow of the application program in a breaking state of the execution of the application program and resuming the execution of the application program; and detecting a malicious behavior executed after resuming the execution of the application program.

Abstract: An apparatus for detecting a malicious file, includes a program driving unit configured to output an execution address of a command executed by driving a program corresponding to a non-executable file; and an address storage unit configured to store normal address range information in accordance with the driving of the program. Further, the apparatus includes a maliciousness determination unit configured to determine whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information.

Abstract: An apparatus for detecting malicious shell codes using a debugging event includes an alert setting unit configured to set a mother program to run a non-executable file to trigger the debugging event when a mother process created by the mother program tries to execute a code with no execution attribute; and an information storage unit configured to store information on an address range in which modules to be used by the mother process are loaded in a memory. Further, the apparatus includes a malicious code determination unit configured to determine whether the non-executable file is malicious using the information on the address range when there occurs the debugging event.

Abstract: An apparatus for inspecting a non-PE file includes a data loading unit configured to load candidate malicious address information related to a malicious code of the non-PE file; and a program link unit configured to acquire normal address range information of a module being loaded on a memory when an application program adapted for the non-PE file is executed and set up a candidate malicious address corresponding to the candidate malicious address information to be a breakpoint of the application program. Further, the apparatus includes a malicious code determination unit configured to determine whether a next execution address is within the normal address range information when there occurs an event derived from the breakpoint.

Abstract: An apparatus for inspecting a non-PE file includes a data loading unit configured to load candidate malicious address information related to a malicious code of the non-PE file; and a program link unit configured to acquire normal address range information of a module being loaded on a memory when an application program adapted for the non-PE file is executed and set up a candidate malicious address corresponding to the candidate malicious address information to be a breakpoint of the application program. Further, the apparatus includes a malicious code determination unit configured to determine whether a next execution address is within the normal address range information when there occurs an event derived from the breakpoint.

Abstract: An apparatus for detecting a malicious file, includes a program driving unit configured to output an execution address of a command executed by driving a program corresponding to a non-executable file; and an address storage unit configured to store normal address range information in accordance with the driving of the program. Further, the apparatus includes a maliciousness determination unit configured to determine whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information.