Please help me write a program that detects viruses by detecting malicious behavior

Posted 2024-08-12 12:49:12


I know how antivirus software detects viruses. I read a few articles:

How do antivirus programs detect viruses?

http://www.antivirusworld.com/articles/antivirus.php

http://www.agusblog.com/wordpress/what-is-a-virus-signature-are-they-still-used-3.htm

http://hooked-on-mnemonics.blogspot.com/2011/01/intro-to-creating-anti-virus-signatures.html

During this one-month vacation I'm having, I want to learn & code a simple virus detection program.
So, there are 2-3 ways (from the above articles):

  1. Virus Dictionary : Searching for virus signatures
  2. Detecting malicious behavior

I want to take the 2nd approach. I want to start off with simple things.

As a side note, recently I encountered a software named "ThreatFire" for this purpose. It does a pretty good job.

  1. The 1st thing I don't understand is how this program can intervene in the execution of another program and prompt the user about its action. Isn't it something like a violation?
  2. How does it scan the memory of other programs? A program is confined to only its own virtual address space, right?
  3. Is C# .NET correct for doing this kind of stuff?
  4. Please post your ideas on how to go about it. Also mention some simple things that I could do.

Comments (3)

迷雾森÷林ヴ 2024-08-19 12:49:12

  1. This happens because the software in question likely has a special driver installed to allow it low-level kernel access, which allows it to intercept and deny various potentially malicious behavior.

  2. By having the rights that many drivers do, this grants it the ability to scan another process's memory space.

  3. No. C# needs a good chunk of the operating system already loaded. Drivers need to load first.

  4. Learn about driver and kernel-level programming... I've not done so, so I can't be of more help here.

对风讲故事 2024-08-19 12:49:12


I think system calls are the way to go, and a lot more doable than actually trying to scan multiple processes' memory spaces. While I'm not a low-level Windows guy, it seems like this can be accomplished using Windows API hooks: tie-ins to the low-level API that can modify the system-wide response to a system call. These hooks can be installed as something like a kernel module, and intercept and potentially modify system calls. I found an article on CodeProject that offers more information.

In a machine learning course I took, a group decided to try something similar to what you're describing for a semester project. They used a list of recent system calls made by a program to determine whether or not the executing program was malicious, and the results were promising (think 95% recognition on new samples). In their project, they trained using SVMs on windowed call lists, and used that to determine a good window size. After that, you can collect system call lists from different malicious programs, and either train on the entire list, or find what you consider "malicious activity" and flag it. The cool thing about this approach (aside from the fact that it's based on ML) is that the window size is small, and that many trained eager classifiers (SVMs, neural nets) execute quickly.

Anyway, it seems like it could be done without the ML if it's not your style. Let me know if you'd like more info about the group; I might be able to dig it up. Good luck!
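The windowed system-call approach this answer describes, as an added example that is not part of the original answer or of the course project it mentions. Everything here is an assumption made for illustration: the traces are constructed (the call names are only suggestive of what a syscall hook would see), a multinomial naive Bayes model stands in for the SVM so that no ML library is needed, and leave-one-out accuracy is used to choose the window size, as the project reportedly did.

```python
"""Windowed system-call classifier in pure Python (no ML library needed).

Each trace is turned into overlapping windows of consecutive calls; a
multinomial naive Bayes model over those windows stands in for the SVM
in the answer above. Leave-one-out accuracy picks the window size.
"""
import math
from collections import Counter, defaultdict

# Constructed sample traces, not real captures: the ordered system calls one
# process made, with a label. Real data would come from a syscall hook/tracer.
TRACES = [
    (["NtOpenFile", "NtReadFile", "NtReadFile", "NtClose",
      "NtOpenFile", "NtWriteFile", "NtClose"], "benign"),
    (["NtCreateFile", "NtQueryInformationFile", "NtReadFile", "NtClose",
      "NtOpenKey", "NtQueryValueKey", "NtClose"], "benign"),
    (["NtOpenFile", "NtReadFile", "NtClose", "NtCreateSection",
      "NtMapViewOfSection", "NtUnmapViewOfSection"], "benign"),
    (["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
      "NtCreateThreadEx", "NtClose"], "malicious"),
    (["NtOpenKey", "NtSetValueKey", "NtClose", "NtCreateFile", "NtWriteFile",
      "NtOpenProcess", "NtWriteVirtualMemory", "NtCreateThreadEx"], "malicious"),
    (["NtQuerySystemInformation", "NtOpenProcess", "NtAllocateVirtualMemory",
      "NtWriteVirtualMemory", "NtProtectVirtualMemory", "NtCreateThreadEx"], "malicious"),
]


def windows(calls, size):
    """Sliding windows of `size` consecutive calls; each window is one feature."""
    if len(calls) <= size:
        return [tuple(calls)]
    return [tuple(calls[i:i + size]) for i in range(len(calls) - size + 1)]


class WindowNaiveBayes:
    """Multinomial naive Bayes over call windows with Laplace smoothing."""

    def __init__(self, size, alpha=1.0):
        self.size, self.alpha = size, alpha
        self.counts = defaultdict(Counter)  # label -> window -> occurrences
        self.totals = Counter()             # label -> windows seen in training
        self.traces = Counter()             # label -> traces seen in training
        self.vocab = set()

    def fit(self, traces):
        for calls, label in traces:
            grams = windows(calls, self.size)
            self.counts[label].update(grams)
            self.totals[label] += len(grams)
            self.traces[label] += 1
            self.vocab.update(grams)
        return self

    def log_posterior(self, calls, label):
        # log P(label) + sum over windows of log P(window | label), smoothed so
        # that a window never seen for this label does not zero the score.
        denom = self.totals[label] + self.alpha * len(self.vocab)
        lp = math.log(self.traces[label] / sum(self.traces.values()))
        for g in windows(calls, self.size):
            lp += math.log((self.counts[label][g] + self.alpha) / denom)
        return lp

    def predict(self, calls):
        return max(self.traces, key=lambda lb: self.log_posterior(calls, lb))


def leave_one_out_accuracy(traces, size):
    """Fraction of traces classified correctly when held out of training."""
    hits = 0
    for i, (calls, label) in enumerate(traces):
        model = WindowNaiveBayes(size).fit(traces[:i] + traces[i + 1:])
        hits += model.predict(calls) == label
    return hits / len(traces)


def best_window_size(traces, candidates=(2, 3, 4)):
    """Smallest candidate window size with the highest leave-one-out accuracy."""
    return max(candidates, key=lambda s: (leave_one_out_accuracy(traces, s), -s))


if __name__ == "__main__":
    size = best_window_size(TRACES)
    model = WindowNaiveBayes(size).fit(TRACES)
    unseen = ["NtOpenProcess", "NtAllocateVirtualMemory",
              "NtWriteVirtualMemory", "NtCreateThreadEx"]
    print("window size", size, "->", model.predict(unseen))
```

The classifier only ever sees windows, so an unseen trace is judged by how many of its short call sequences resemble the malicious versus the benign training set; with real traces the window size should be chosen on held-out data exactly as `best_window_size` does here, and the training set has to be large enough that ordinary software (debuggers, installers, updaters) is represented on the benign side.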

信愁 2024-08-19 12:49:12

  1. Windows provides APIs to do that (generally they involve running at least some of your code in the kernel). If you have sufficient privileges, you can also inject a .dll into another process. See http://en.wikipedia.org/wiki/DLL_injection.

  2. When you have the powers described above, you can do that. You are either in kernel space and have access to everything, or inside the target process.

  3. At least for the low-level in-kernel stuff you'd need something more low-level than C#, like C or C++. I'm not sure, but you might be able to do some of the rest in a C# app.

  4. DLL injection sounds like the simplest starting point. You're still in user space, and don't have to learn how to live in the kernel world (it's a completely different world, really).

Some loose ideas on the topic in general:

  • you can interpose system calls issued by the traced process. It is generally assumed that a process cannot do anything "dangerous" without issuing a system call.
  • you can intercept its network traffic and see where it connects to, what it sends, what it receives, which files it touches, which system calls fail
  • you can scan its memory and simulate its execution in a sandbox (really hard)
  • with system call interposition, you can simulate some responses to the system calls, but really just sandbox the process
  • you can scan the process memory and extract some general characteristics from it (connects to the network, modifies the registry, hooks into Windows, enumerates processes, and so on) and see if it looks malicious
  • just put the entire thing in a sandbox and see what happens (a nice sandbox has been made for Google Chrome, and it's open source!)
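The "interpose system calls and extract general characteristics" idea from the list above (persistence via the registry, process enumeration, hooking into Windows, remote-process writes, network connections), as an added example that is not the answerer's code. It assumes a hypothetical interposition layer that logs one line per intercepted call as `<pid> <call> key=value ...`; the log below is constructed, `connect` stands for whatever that layer reports for an outbound socket connect, and the weights and threshold are arbitrary illustrative choices.

```python
"""Rule-based behaviour scoring over a system-call interposition log.

Assumed log format (one line per intercepted call; not a real tool's output):
    <pid> <call> key=value key=value ...
"""
import re
from collections import defaultdict

# Constructed log, not a real capture. Process 4242 writes a Run key, lists
# processes, injects into pid 1337, installs a keyboard hook and phones home;
# process 9001 just edits a text file.
SAMPLE_LOG = r"""
4242 NtOpenKey path=HKCU\Software\Microsoft\Windows\CurrentVersion\Run access=KEY_SET_VALUE
4242 NtSetValueKey path=HKCU\Software\Microsoft\Windows\CurrentVersion\Run name=Updater data=C:\Users\bob\AppData\Roaming\upd.exe
4242 NtQuerySystemInformation class=SystemProcessInformation
4242 NtOpenProcess target_pid=1337 access=PROCESS_VM_WRITE|PROCESS_CREATE_THREAD
4242 NtAllocateVirtualMemory target_pid=1337 protect=PAGE_EXECUTE_READWRITE size=4096
4242 NtWriteVirtualMemory target_pid=1337 size=4096
4242 NtCreateThreadEx target_pid=1337
4242 NtUserSetWindowsHookEx idHook=WH_KEYBOARD_LL
4242 connect dst=203.0.113.7:443
9001 NtCreateFile path=C:\Users\bob\Documents\notes.txt access=FILE_WRITE_DATA
9001 NtWriteFile path=C:\Users\bob\Documents\notes.txt size=120
9001 NtQuerySystemInformation class=SystemBasicInformation
9001 NtClose handle=0x1c
"""

# Weight per behavioural characteristic (illustrative values); a process whose
# summed weight reaches THRESHOLD is flagged.
WEIGHTS = {
    "persistence:run_key": 2,
    "recon:enumerates_processes": 1,
    "injection:opens_process_for_write": 2,
    "injection:remote_rwx_write_thread": 4,
    "hooking:low_level_keyboard_hook": 2,
    "network:outbound_connect": 1,
}
THRESHOLD = 5
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def parse_log(text):
    """Yield (pid, call, args) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        args = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        yield int(parts[0]), parts[1], args


def extract_features(events):
    """Map one process's (call, args) list to the set of characteristics it shows."""
    found = set()
    # Injection is a sequence, not a single call: track per target pid how far
    # the "allocate executable memory -> write it -> start a thread" chain got.
    stage = defaultdict(int)
    for call, a in events:
        target = a.get("target_pid")
        if call == "NtSetValueKey" and RUN_KEY_RE.search(a.get("path", "")):
            found.add("persistence:run_key")
        elif call == "NtQuerySystemInformation" and a.get("class") == "SystemProcessInformation":
            found.add("recon:enumerates_processes")
        elif call == "NtOpenProcess" and "PROCESS_VM_WRITE" in a.get("access", ""):
            found.add("injection:opens_process_for_write")
        elif call == "NtAllocateVirtualMemory" and target and "EXECUTE" in a.get("protect", ""):
            stage[target] = 1
        elif call == "NtWriteVirtualMemory" and target and stage[target] == 1:
            stage[target] = 2
        elif call == "NtCreateThreadEx" and target and stage[target] == 2:
            found.add("injection:remote_rwx_write_thread")
        elif call == "NtUserSetWindowsHookEx" and a.get("idHook") == "WH_KEYBOARD_LL":
            found.add("hooking:low_level_keyboard_hook")
        elif call == "connect":
            found.add("network:outbound_connect")
    return found


def assess(log_text):
    """Score every process in the log: {pid: (score, flagged, sorted features)}."""
    by_pid = defaultdict(list)
    for pid, call, args in parse_log(log_text):
        by_pid[pid].append((call, args))
    report = {}
    for pid, events in by_pid.items():
        feats = extract_features(events)
        score = sum(WEIGHTS[f] for f in feats)
        report[pid] = (score, score >= THRESHOLD, sorted(feats))
    return report


if __name__ == "__main__":
    for pid, (score, flagged, feats) in sorted(assess(SAMPLE_LOG).items()):
        print(pid, score, "FLAGGED" if flagged else "ok", feats)
```

The injection rule is deliberately stateful: a lone `NtCreateThreadEx` into another process, or a write that was never preceded by an executable allocation, does not fire, which keeps debuggers and legitimate tooling from matching on a single call. In a real deployment the weights would be tuned against a corpus of benign software, since installers and updaters routinely set Run keys and connect out.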