2

我知道防病毒软件如何检测病毒。我读了几篇文章:

防病毒程序如何检测病毒?

http://www.antivirusworld.com/articles/antivirus.php

http://www.agusblog.com/wordpress/what-is-a-virus-signature-are-they-still-used-3.htm

http://hooked-on-mnemonics.blogspot.com/2011/01/intro-to-creating-anti-virus-signatures.html

在这一个月的假期里,我有。我想学习和编写一个简单的病毒检测程序:所以,有2-3种方法(来自上面的文章):

  1. 病毒字典:搜索病毒特征
  2. 检测恶意行为

我想采取第二种方法。我想从简单的事情开始。

作为旁注,最近我遇到了一个名为“ ThreatFire ”的软件。它做得很好。

  1. 我不明白的第一件事是该程序如何干预另一个之间的执行并提示用户其操作。不就是违规之类的吗?
  2. 它如何扫描其他程序的内存?程序仅限于其虚拟空间对吗?
  3. C# .NET 是否适合做这种事情?
  4. 请发表你的想法如何去做?还提到一些我可以做的简单的事情。
4

3 回答 3

5

  1. 发生这种情况是因为有问题的软件可能安装了一个特殊的驱动程序,以允许它进行低级内核访问,从而拦截和拒绝各种潜在的恶意行为。

  2. 通过拥有许多驱动程序所拥有的权限,这使其能够扫描另一个进程的内存空间。

  3. 不,C# 需要大量已加载的操作系统。驱动程序需要先加载。

  4. 了解驱动程序和内核级编程。. . 我还没有这样做,所以我不能在这里提供更多帮助。

于 2009-11-26T03:12:42.820 回答
3

我认为系统调用是可行的方法,并且比实际尝试扫描多个进程的内存空间更可行。虽然我不是低级别的 Windows 人,但似乎这可以使用 Windows API 挂钩来完成 - 将低级别 API 绑定到可以修改系统范围对系统调用的响应。这些钩子可以像内核模块一样安装,并拦截并可能修改系统调用。我在 CodeProject 上找到了一篇提供更多信息的文章。

In a machine learning course I took, a group decided to try something similar to what you're describing for a semester project. They used a list of recent system calls made by a program to determine whether or not the executing program was malicious, and the results were promising (think 95% recognition on new samples). In their project, they trained using SVMs on windowed call lists, and used that to determine a good window size. After that, you can collect system call lists from different malicious programs, and either train on the entire list, or find what you consider "malicious activity" and flag it. The cool thing about this approach (aside from the fact that it's based on ML) is that the window size is small, and that many trained eager classifiers (SVM, neural nets) execute quickly.

Anyway, it seems like it could be done without the ML if it's not your style. Let me know if you'd like more info about the group- I might be able to dig it up. Good luck!

于 2009-11-29T06:51:57.907 回答
1

  1. Windows provides APIs to do that (generally the involve running at least some of your code in kernel). If you have sufficient privileges, you can also inject a .dll into other process. See http://en.wikipedia.org/wiki/DLL_injection.

  2. When you have the powers described above, you can do that. You are either in kernel space and have access to everything, or inside the target process.

  3. At least for the low-level in-kernel stuff you'd need something more low-level than C#, like C or C++. I'm not sure, but you might be able to do some of the rest things in a C# app.

  4. The DLL injection sounds like the simplest starting point. You're still in user space, and don't have to learn how to live in the kernel world (it's completely different world, really).

Some loose ideas on topic in general:

  • you can interpose system calls issued by the traced process. It is generally assumed that a process cannot do anything "dangerous" without issuing a system call.
  • you can intercept its network traffic and see where it connects to, what does it send, what does it receive, which files does it touch, which system calls fail
  • you can scan its memory and simulate its execution in a sandbox (really hard)
  • with the system call interposition, you can simulate some responses to the system calls, but really just sandbox the process
  • you can scan the process memory and extract some general characteristics from it (connects to the network, modifies registry, hooks into Windows, enumerates processes, and so on) and see if it looks malicious
  • just put the entire thing in a sandbox and see what happens (a nice sandbox has been made for Google Chrome, and it's open source!)
于 2009-12-03T12:16:14.150 回答