编码使用防病毒签名为基础的技术 [英] Coding AntiVirus using signatures-based technique
问题描述
我想$ C C的防病毒软件$用于学习的目的。这将是签名型。我已经写了一个扫描仪,遍历所有系统文件和及牡丹内存映射为每个文件。我试图现在要做的,是让一个二进制签名(十六进制)从每个恶意文件(样本文件),所以我可以用我创建的数据库进行比较。 问题是什么呢? 我注意到,在商业防病毒软件卡巴斯基一样,例如,选择在任何地方位置的文件签名的二进制文件中。 现在假设我发现一个新的恶意文件,我选择了偏移0x8766其值为0x4F作为该恶意文件的签名。 现在如果我要检查它有那里的偏移0x8766没有在小文件中存在一个球¢大小的文件。这将是一个问题? 这是样品code再presents的方式,我会:
I want to code an AntiVirus for learning purposes. It will be signatures-based. I already wrote a scanner that loops through all system files and creats memory mapping for each file. What i am trying to do now, is to get a binary signature (in hex) from each malicious file (sample files) so i can compare it with the database i created. What is the problem now? I noticed that the commercial AntiViruses like Kaspersky for example, chooses a file signature from wherever location inside the binary file. Now suppose that i detected a new malicious file and i chose the offset 0x8766 which has the value 0x4F as a signature for that malicious file. now if i want to check a file which has a samll size where the offset 0x8766 does not exist in that small file .. this will be a problem?! this is sample code represents the way i am going:
hFile = ::CreateFile(State.Path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
0, OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN, 0);//open the file
if(hFile !=INVALID_HANDLE_VALUE){
hMap= ::CreateFileMapping(hFile, 0, PAGE_READONLY | SEC_COMMIT, 0, 0, 0);//create Mem mapping for the file in virtual memory
if( hMap!=NULL){
base = ::MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);//load the mapped file into the RAM
//start to compare some bytes (values) from mspaint.exe file in Win7
if( *((BYTE *)base + 0x1C3DF0)== 0x05 )
i++;
if( *((BYTE *)base + 0x25250C)== 0x21 )
i++;
if( *((BYTE *)base + 0x25272A)== 0x97 )
i++;
if(i==3){
// the file is malicious
}
另外一个问题:我需要我开始比较以及如何前映射整个签名数据库中的内存? 你认为什么样的签名必须包含哪些内容?文件大小......等等?任何其他建议
Another question: Do i need to map the whole signatures database in the ram before i start comparing and how? and what you suggest signature needs to contain? the file size ...etc? any other suggestions
推荐答案
签名一般不会太大,你可以搜索他们喜欢的这个。但是,请记住,如果你得到数百个在签名(或以上)的数千名,它成为不切实际的重新启动检查对每个单独的文件不同的签名。可以说,有使用启发式每个签名的水平,以决定是否要做一个新的水平检查,以证实或否认了比赛。
Signatures generally ain't too big, and you can search them like this. However, keep in mind that if you get hundreds upon thousands of signatures (or more), it becomes unrealistic to re-start check for different signatures on each individual file. You could say that there are levels of each signature used by heuristics to decide whether or not to do next level checking to confirm or deny the match.
这些签名将是非常复杂的,即,描述感染的文件的类型,可能的偏移位置等,从而将分级(或过滤)的方法来到达确切conlcusion
These signatures will be quite complex, i.e. describing type of infected file, possible offset locations and so on, thus going a hierarchical (or filtered) approach to arrive to definitive conlcusion.
这篇关于编码使用防病毒签名为基础的技术的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
