可移植可执行文件中的实时监控 [英] Real time monitoring in portable executable
问题描述
参考谢尔盖·亚历山德罗维奇·克鲁科夫爵士的回答在这里参考 [ ^ ]
我开始知道安装的普通可执行文件和可移植的可执行文件之间没有区别。我对它有几个疑问根据谢尔盖·亚历山德罗维奇·克鲁科夫爵士的建议,我将其作为一个单独的问题发布。
怀疑1:
如果便携式可执行文件可以在USB / SD卡中复制,然后如何制作许可证?
例如:
如果我的软件需要购买一段时间,用户购买我的软件后可以移植可执行文件,用户可以复制可移植的可执行文件并使其在另一台计算机上运行,因此用户购买了一年。所以我该如何防止这种情况?
疑惑2:
我还在学习Win32,但我对控制台应用程序有所了解。
怎么可能我更改了设置?
例如:
如果我的软件进行了一些磁盘清理,并有多个选项,如清理回收站,临时文件等,如果用户打勾清洁工将清理垃圾回收箱,并且通常会保存用户的选项,因此每次打开可执行文件时它都会记住用户的选择,并根据它进行工作。但对于便携式可执行文件,它通常像新程序一样打开。
怀疑3: [更新]
以下是对疑问的简要说明3.
我确实想创建一个防病毒软件。
我在5个月的编程经验中对我迄今为止尝试/学习/研究过的简短说明:
1. C ++是最好的语言防病毒,因为它比一个更快和其他语言,但我看到几个使用Python编程的开源项目,所以我开始学习python。
2.分析恶意软件静态有两种技术(分析不是打开可执行文件)和动态(与静态相反)。[我很清楚这两种技术很清楚]
3.用于动态分析我已经下载了各种分析工具像PE工作室,CFF探索者,OllyDbg等,(IDA pro是一个非常好的工具,因为我只有17年的学生,所以没有钱)
学会了跳跃,召唤等组装的一些基本功能。我知道高级功能是必需的,但我正在学习装配。
5.以便宜的价格带来一台新笔记本电脑。(英特尔处理器,windows)因为我没有信心在虚拟机上。
6.我对网络安全,密码学等有一定的了解,
7.我知道威胁的工作原理。(将在第二部分进行解释)。
8.学习一些英语概念,如正确的大写,请求,与经验丰富的人交谈,这对于获得我需要的谷歌和其他人非常有用。[但这不达到水平]
你可能会问我为什么要向你解释这个问题。我解释了这一点,因为我不会得到任何答案,例如你甚至没有做过单一的研究,来到这里提出这个问题,并在一位新手程序员之间做出一些分歧,他们问如何编写一个防病毒程序?并避免投票(进一步)。
所以这是我的问题:
1.浏览器劫持者是稳定的(即他们不会改变其位置,即将位于单个文件夹中)。因此,使用SHA-512(MD-5足够)算法并比较哈希值,我们可以轻松识别浏览器劫持者。
2.将应用相同的原则用于胭脂安全软件。
这是我来袭的地方:
1.而特洛伊木马,键盘记录器让它的位置发生变化。它可能通过受感染的USB / SD卡等传播,那么我如何启用实时监控来发现这些威胁?我知道哈希算法在这里没用。
2.你能不能给我一些C / C ++中的链接/关键字,这与在互联网上工作有关。因为我的英语很差,我会试着解释一下:
C ++用于访问网页,下载网页(用于更新),就像这样。只需要关键字即可。
请帮助我。这是我在5个月内学到的。
如果我错过了什么,请通知我。
我真诚地感谢所有帮助过我的人。
Reference to Sir Sergey Alexandrovich Kryukov's answer refer here[^]
I came to know that there is no difference between a normal executable which installs and a portable executable.I have several doubts on it and as per Sir Sergey Alexandrovich Kryukov's suggestion I posted this as a separate question.
Doubt 1:
If a portable executable can be copied in a USB/SD card then how to make a licence?
For example:
If my software needs to be purchased for a required period and an user buys for an year since my executable is portable after buying my software an user could copy the portable executable and can make it to run on another computer.So how can I prevent this?
Doubt 2:
I am still learning Win32 but I have knowledge in console application.
How could I change the settings?
For example:
If my software does some disk cleaning and has several options like cleaning recycle bin, Temporary files, etc., If an user ticks the recycle bin the cleaner will clean recycle bin and the user's option is usually saved so every time on opening the executable it remembers the users choice and does its work according to it.But for a portable executable it usually opens as like a new program.
Doubt 3:[Up-date]
Here is a brief explanation of doubt 3.
I did want to create an antivirus.
A short explanation of What I have tried/learned/researched so far in my 5 months of programming experience:
1. C++ is the best language to create an antivirus because it is faster than any other languages but I see several open source projects programmed using Python so I started learning python.
2. There are two techniques for analyzing a malware static(analyzing by not opening an executable) and dynamic(opposite to static).[I am quiet well aware of the two techniques]
3. for dynamic analysis I have downloaded various analyzer tools like PE studio, CFF exploresr, OllyDbg, etc.,(IDA pro is a very good tool by have less money since I am a student of only 17 years)
4. Learned some basic functions of assembly like jumping, calling. I know advanced functions are required but I am learning assembly.
5. Brought a new laptop at a cheap rate.(intel processor, windows) Because I have no faith on virtual machines.
6. I have a good general knowledge in Cyber security, cryptography, etc.,
7. I have knowledge of how threats work.(will be explained in the second section).
8. Learned some concepts in English like proper capitalization, requesting, conversing to an experienced person which is highly useful for getting what I need for Google and also from others.[but this is not up-to the level]
You may ask why Have I explained this to you. I explained this because I will not get any answers like "You have not even done single research and came here to ask this question" and to make some difference between a newbie programmer who asks "How to program an antivirus?" and to avoid down-voting(further).
So here is my problem:
1. Browser hijackers are stable(That is they will not change its position i.e will get located on a single folder). So using SHA-512(MD-5 is enough) algorithm and comparing the hash values we could easily identify the browser hijackers.
2. The same principle would be applied for rouge security software.
Here is where I struck:
1. while a Trojan,keylogger gets it location changed.It may spread through an infected USB/SD cards etc., so how do I enable a real time monitoring for finding these threats?I know hash algorithms are useless here.
2. Could you please give me some links/keywords in C/C++ which is related to working on internet.Since my English is poor I'll try to explain this:
C++ functions to access the webpage, download for a webpage(for updating) like this.Just keywords is enough.
Kindly help me with this. This is what I have learned in 5 months.
If I have missed anything kindly notify me.
My sincere Thank you to all who has helped me.
推荐答案
1。使用Google了解许可。通常,您需要某种方式来验证用户是否已为产品付款以及他们使用产品的时间。这通常意味着应用程序需要通过互联网与您的服务器联系。
2.用户选项可以保存在注册表或应用程序配置文件中。
3.不明白。
注意:此论坛适用于快速技术问题,请阅读代码项目快速解答常见问题解答 [ ^ ]。如果您想了解Windows操作系统和其他各种功能的工作原理,请使用Google进行研究,或者掌握有关主题的书籍。
1. Use Google to learn about licencing. Generally you need some way of verifying whether the user has paid for the product and how long they have been using it. This usually means the application needs to contact your server via the internet.
2. User options can be saved in the registry or application configuration files.
3. Don't understand.
Note: this forum is for Quick technical questions, please read Code Project Quick Answers FAQ[^]. If you wish to learn how Windows operating system and various other features work then please use Google for research, or get hold of books on the subjects.
,而木马,键盘记录器的位置发生了变化。它可能通过受感染的USB / SD卡等传播,那么如何启用实时监控来发现这些威胁呢?我知道哈希算法在这里没用。
while a Trojan, keylogger gets it location changed. It may spread through an infected USB/SD cards etc., so how do I enable a real time monitoring for finding these threats? I know hash algorithms are useless here.
首先,这个监控不能被称为实时。
据我记得,你在Windows上工作(如果我在这里弄错了,请更正我;但是当你提问时你应该更好地标记你的操作系统。)
在Windows上,你可以使用文件系统通知机制。你可以从这里开始:
FindFirstChangeNotification函数(Windows) [ ^ ]。
但是不要认为这会给你提供简单的解决方案。机制太重了,我不确定它是否足够可靠。将在文件系统驱动程序的级别上开发更高级的方法。粗略地说,它在CodeProject文章中有解释:文件系统过滤驱动程序教程 [< a href =http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorialtarget =_ blanktitle =New Window> ^ ]。
特别是,请参阅本文的注册文件系统更改通知部分。
另请参阅:
IoRegisterFsRegistrationChange例程(Windows驱动程序) [ ^ ,
内存取证的艺术:检测Windows,Linux中的恶意软件和威胁...... - Michael Hale Ligh,Andrew Case,Jamie Levy,Aaron Walters - Google图书 [ ^ ]。
您确定可以处理所有这些吗?所有这些问题都很困难。
First of all, this monitoring cannot be called "real-time".
As far as I remember, you work on Windows (correct me if I'm mistaken here; but you should better tag your OS when you ask questions).
On Windows, you can use file system notification mechanism. You can start here:
FindFirstChangeNotification function (Windows)[^].
But don't think it will give your the easy solution. The mechanism will be too heavy-weight, and I would not be sure it's reliable enough. More advanced approach would be developed on the level of the file system driver. Roughly, it's explained in this CodeProject article: File System Filter Driver Tutorial[^].
In particular, please see the section "Register a notification for file system changes" of this article.
See also:
IoRegisterFsRegistrationChange routine (Windows Drivers)[^],
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux ... - Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters - Google Books[^].
Are you sure you can handle all that? All those problems are quite difficult.
这篇关于可移植可执行文件中的实时监控的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
