请为我提供一个使用恶意行为检测进行病毒检测的程序来帮助我. [英] Please help me with a program for virus detection using detection of malicious behavior.

问题描述

我知道防病毒软件如何检测病毒.我读了一些小书:

http://www.antivirusworld.com/articles/antivirus.php

http://www.agusblog.com/wordpress/what是病毒签名仍在使用3.htm

检测恶意行为

作为一个注释，最近我遇到了一个名为" ThreatFire "以此目的.它做得很好.

我不了解的第一件事是该程序如何干预另一个程序之间的执行并提示用户其操作.是不是有点违规?
1. C#.NET是否适合做这种事情?
2. 解决方案

首先，要进行多少年的安全开发和防病毒工作?

直接开始吧，我不会选择第二个 ^nd 选项，因为它的工作方式有点像"ThreatFire"，只是您要研究算法然后研究程序行为顺序.为此，您需要从Windows®中P/调用基于Win32®的方法.

您可以使用C#进行此操作，除了我仍在处理我的AV项目之外，它可以像我所做的一样正常运行.如果您曾经使用签名创建数据库(DB)，请不要将文件创建为* .db文件，也不要将其创建为* .dat.

Dat文件更难编辑和修改，这就是为什么像Symantec这样的许多公司， GrisSoft和其他AV公司将其用于病毒签名.

病毒签名:

06 AF BC D8 10 E5 CD 88 96 85 F4 以上数据是HEX编辑器的字符串签名；当然，它是基于字节的数据. 06 = 0110(二进制).

无论如何，现在我将回答您的其他问题:

1..此类程序使用Windows®提供的Windows®动态链接库(dll)，因此它们使用基于Windows®或Win32®的API来监视程序.行为.

2.是， PC上的每个程序都有自己的虚拟内存量(有人将其解释为:"BOX中的虚拟内存")，无论如何，此内存量由操作系统(OS)中的内核和进程管理器保留，但是正如我之前告诉您的，您需要通过Windows®API的P/Invoke方法才能扫描内存. 3.是的，如果您只想C#可以正常工作根据AV DB签名来检查文件，但是一旦要检查正在运行的进程，就需要结合使用某些C ++，或者可以P/调用方法 AddressByEntryPoint()，从Windows®dll.

4..一些简单的开始是注意:可以使用MD5-hash在PC上对文件进行校验和，然后使用有效和无效的校验和(包括病毒名和感染名)创建一个db.

查看我已经回答过类似问题的答案 希望这对您有所帮助...

祝您有美好的一天……

最好的问候，
Fisnik

Hi,

I know how antivirus detects viruses. I read few aticles:

http://www.antivirusworld.com/articles/antivirus.php

http://www.agusblog.com/wordpress/what-is-a-virus-signature-are-they-still-used-3.htm

During this one month vacation I'm having. I want to learn & code a simple virus detection program: So, there are 2-3 ways (from above articles):

1. Virus Dictionary : Searching for virus signatures
2. Detecting malicious behavior

I want to take the 2nd approach. I want to start off with simple things.

As a side note, recently I encountered a software named "ThreatFire" for this purpose. It does a pretty good job.

1. 1st thing I don't understand is how can this program inter vent an execution of another between and prompt user about its action. Isnt it something like violation?
2. How does it scan's memory of other programs? A program is confined to only its virtual space right?
3. Is C# .NET correct for doing this kind of stuff?
4. Please post your ideas on how to go about it? Also mention some simple things that I could do.

解决方案

Hi –I think my information can help you.

First off, how many years of security development and antivirus & virus technique do you have?

Start off straight, I would not choose the 2^nd choice, since that works a bit like "ThreatFire", except that you study the algorithm and you study the program behavior sequence. To be able to do this, you need to P/Invoke Win32®-based methods from Windows®.

You can do this using C#, works fine, as I’ve done, except that I am still working with my AV project. If you ever make a Database (DB) with signatures, then please do not make the file as a *.db file make it as *.dat.

Dat-files are harder to edit and hack, it’s why many companies like Symantec, GrisSoft and others AV-companies use that for their virus signatures.

Virus signatures:

   06 AF BC D8 10 E5 CD 88 96 85 F4    

The above data is a string signature, of a HEX editor; of course it is Byte -based data.  
06 = 0110 (Binary).

Anyway, now I will answer your other questions:

1. Such programs use Windows® Dynamic Link Library (dll), which Windows® provides, so with other words they use Windows® or Win32®-based API for this to be able to monitor a programs behavior.

2. Yes, each program on the PC has its own amount of Virtual Memory (some explain it as: " virtual memory in a BOX"), anyway, this amount of memory is reserved by the Kernel and the Process Manager in the Operating System (OS), but as I told you before you need to P/Invoke methods from the Windows® API to be able to scan memory.  

3. Yes C# works fine if you only want to check files, based on the AV DB signatures, but as soon as you want to check a running Process, you’ll need to combine some C++ or you can P/Invoke the method AddressByEntryPoint(), from a Windows® dll.

4. Some simple things to start off with are: You can use the MD5-hash to make checksums of files on the PC, and then make a db with all those checksums as valid and invalid (the one which are the virus names and infections).

Check out my answer which I’ve already have answered similar questions here.

I hope this helps you…

Have a nice day…

Best regards,
Fisnik  

这篇关于请为我提供一个使用恶意行为检测进行病毒检测的程序来帮助我.的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！