ABSTRACT

Bochs is an open source IA-32 (x86) emulator written in C++ that simulates the entire PC platform, including CPU, I/O devices, memory, and BIOS. This paper presents a method to acquire the behavior of malicious code based on the Bochs virtual machine. By redesigning the Bochs system, it conditionally intercepts instruction stream and data stream information while malicious code is running in Bochs, then records and parses the intercepted information. It also obtains system call information by linear address analysis, providing the system calls executed by the malicious code for subsequent behavior analysis. Experiments show that this method can effectively acquire the behavior characteristics of malicious code.
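As an added illustration (not the paper's code), the following C++ sketch shows how the linear address analysis described in the abstract can attribute kernel entries to a monitored image from an intercepted instruction stream. It assumes a 32-bit guest with a 2 GB / 2 GB user/kernel split, a known linear range for the monitored image, and a constructed syscall-number table; the Bochs instrumentation hook that would produce the records is not shown.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// One record from the emulated instruction stream (constructed model of a Bochs hook's input).
struct InstrRecord { uint32_t lin_addr; uint32_t eax; };
// A system call attributed to the monitored image by linear address analysis.
struct SyscallEvent { uint32_t caller; uint32_t number; std::string name; };

class SyscallTracer {
public:
    // [img_lo, img_hi): linear range of the monitored image; lin_addr >= kernel_base is kernel mode.
    SyscallTracer(uint32_t img_lo, uint32_t img_hi, uint32_t kernel_base,
                  std::map<uint32_t, std::string> names)
        : lo_(img_lo), hi_(img_hi), kbase_(kernel_base), names_(names) {}

    // Conditional interception: a user-to-kernel transition is recorded only when the
    // image executed instructions since the previous kernel excursion.
    void on_instruction(const InstrRecord& r) {
        if (r.lin_addr < kbase_) {                       // user mode
            in_kernel_ = false;
            if (r.lin_addr >= lo_ && r.lin_addr < hi_) { last_image_ = r.lin_addr; armed_ = true; }
            return;
        }
        if (in_kernel_ || !armed_) return;               // already inside, or not caused by the image
        in_kernel_ = true;
        armed_ = false;                                  // one attribution per excursion
        auto it = names_.find(r.eax);                    // EAX carries the syscall number on entry
        events_.push_back({last_image_, r.eax, it == names_.end() ? "unknown" : it->second});
    }
    const std::vector<SyscallEvent>& events() const { return events_; }

private:
    uint32_t lo_, hi_, kbase_, last_image_ = 0;
    std::map<uint32_t, std::string> names_;
    std::vector<SyscallEvent> events_;
    bool in_kernel_ = false, armed_ = false;
};

// Constructed trace: image code at 0x401000 calls a user-mode stub outside the image that
// enters the kernel twice; a third entry not preceded by image code is filtered out.
std::vector<SyscallEvent> run_constructed_trace() {
    SyscallTracer t(0x00400000, 0x00410000, 0x80000000, {{0x25, "NtOpenFile_PLACEHOLDER"}});
    const InstrRecord trace[] = {
        {0x00401000, 0}, {0x00401005, 0x25}, {0x7C90E4F0, 0x25}, {0x80540000, 0x25},
        {0x80540004, 0x25}, {0x7C90E4F2, 0}, {0x00401010, 0x99}, {0x7C90E4F0, 0x99},
        {0x80540000, 0x99}, {0x7C90E4F2, 0}, {0x7C900100, 0x11}, {0x80540000, 0x11}};
    for (const InstrRecord& r : trace) t.on_instruction(r);
    return t.events();
}
```

Interrupts that preempt the image between two of its own instructions would still be attributed to it here; a fuller implementation would also check the instruction that caused the transition (sysenter or int 0x2e) rather than the address change alone.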