C语言程序被检测为病毒
#include<stdio.h>
#include<conio.h>
union abc
{
int a;
int x;
float g;
};
struct pqr
{
int a;
int x;
float g;
} ;
void main()
{
union abc b;
struct pqr c;
clrscr();
b.a=10;
textbackground(2);
textcolor(6);
cprintf(" A = %d",b.a);
printf("\nUnion = %d",sizeof(b));
printf("\nStructure = %d",sizeof(c));
getch();
}
我已将此程序另存为virus.cpp。我正在使用 Turbo C 编译器来编译该程序并从 Turbo C (Ctrl + F9) 运行。
我使用的是 Windows 7,并且已安装 Avira AntiVir 病毒系统。
当我尝试运行上面的程序时,它创建了一个蠕虫(DOS/Candy)。我相信程序没有任何问题。
现在有一些特别的东西。执行相同的程序,但有以下差异。这里唯一的区别是 \n 之间的空格:
#include<stdio.h>
#include<conio.h>
union abc
{
int a;
int x;
float g;
};
struct pqr
{
int a;
int x;
float g;
} ;
void main()
{
union abc b;
struct pqr c;
clrscr();
b.a=10;
textbackground(2);
textcolor(6);
cprintf(" A = %d",b.a);
printf("\n Union = %d",sizeof(b));
printf("\n Structure = %d",sizeof(c));
getch();
}
区别只是 \n 和空格。我的问题是,为什么我的简单程序被检测为病毒?
这是另一个代码示例,这次是 C++:
#include<iostream.h>
#include<conio.h>
class A
{
int a,b;
public:
A()
{
a=0;b=0;
}
A(int x)
{a=x;
b=0;
}
A(int x,int y)
{
a=x;
b=y;
}
~A()
{
cout<<"All things are deleted.";
}
void get()
{
cout<<"\nA = "<<a;
cout<<"\nB = "<<b;
}
};
void main()
{
A a1(5,10);
clrscr();
a1.get();
getch();
}
当我运行该程序时,它给出“病毒警告” - 即使它不是病毒。现在,悲剧是当你删除析构函数时,它不会将其检测为病毒。
这是屏幕截图和类似的问题:
< a href="http://i41.tinypic.com/9sdjb8.jpg" rel="nofollow noreferrer">替代文本
问题是如何实现,以及为什么?
#include<stdio.h>
#include<conio.h>
union abc
{
int a;
int x;
float g;
};
struct pqr
{
int a;
int x;
float g;
} ;
void main()
{
union abc b;
struct pqr c;
clrscr();
b.a=10;
textbackground(2);
textcolor(6);
cprintf(" A = %d",b.a);
printf("\nUnion = %d",sizeof(b));
printf("\nStructure = %d",sizeof(c));
getch();
}
I have saved this program as virus.cpp. I am using Turbo C compiler to compile this program and run from Turbo C (Ctrl + F9).
I am using Windows 7 and I have installed Avira AntiVir virus system.
When I tried to run above program, it creates a worm (DOS/Candy). I believe there is nothing wrong in program.
Now here is something special. Execute the same program with following difference. Here the only difference is space between \n:
#include<stdio.h>
#include<conio.h>
union abc
{
int a;
int x;
float g;
};
struct pqr
{
int a;
int x;
float g;
} ;
void main()
{
union abc b;
struct pqr c;
clrscr();
b.a=10;
textbackground(2);
textcolor(6);
cprintf(" A = %d",b.a);
printf("\n Union = %d",sizeof(b));
printf("\n Structure = %d",sizeof(c));
getch();
}
The difference is only \n and space. My question is, why is my simple program is detected as virus?
Here is another code sample, this time for C++:
#include<iostream.h>
#include<conio.h>
class A
{
int a,b;
public:
A()
{
a=0;b=0;
}
A(int x)
{a=x;
b=0;
}
A(int x,int y)
{
a=x;
b=y;
}
~A()
{
cout<<"All things are deleted.";
}
void get()
{
cout<<"\nA = "<<a;
cout<<"\nB = "<<b;
}
};
void main()
{
A a1(5,10);
clrscr();
a1.get();
getch();
}
When I run this program it gives "Virus Warning" - Even it is not an virus. Now, the tragedy is when you remove destructors, it won't detect it as virus.
Here is the screen shot and similar question:
C Language - \n - creating virus
The question is how, and why?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
病毒扫描程序使用启发式方法和签名来检测漏洞。误报是不可避免的。你的程序似乎触发了启发式。据推测,其校验和、文件大小或其他特征与已知病毒匹配。事实证明,一个小的改变就足以解决问题。
编辑调用您的应用程序Virus.exe是一个非常不幸的选择,我认为它会快速触发大多数病毒扫描程序(尽管它肯定不是真正的病毒扫描程序的完美名称)病毒 ...)。
Virus scanners use heuristics and signatures to detect vulnerabilities. False positives are unavoidable. Your program seems to trigger the heuristic. Presumably its checksum, file size or other characteristics match a known virus. This is seconded by the fact that a small change is sufficient to resolve the problem.
EDIT Calling your application Virus.exe is a pretty unfortunate choice, and I'd presume it will trigger most virus scanners quickly (although it's certainly not a perfect name for a real virus ...).
看起来像是假阳性。由于现代病毒使用多态性来躲避防病毒程序,因此防病毒程序甚至必须报告部分匹配,并且显然具有给定源代码的编译器会生成与该恶意软件的部分匹配。
Looks like a false-positive. Because modern viruses use polymorphism to hide from anti-virus programs, the anti-virus program has to report even partial matches, and apparently your compiler with the given source code produces a partial match to that malware.
我认为你在某个地方有一个真正的病毒,它可能修改了标准库:D
或者只是防病毒软件检测到可执行文件中的模式。
I think you have a real virus somewhere, that perhaps have modified the standard libraries :D
Or simply the antivirus detects a pattern in the executable.
请参阅 http://www.viruslist.com/en/viruses/encyclopedia?virusid =1857。
我的猜测是,Antivir 会扫描 DOS/Candy 包含的文本字符串,并且由于第二段代码中的字符串与其要查找的代码类似,因此 Antivir 会将已编译的可执行文件检测为病毒。
See http://www.viruslist.com/en/viruses/encyclopedia?virusid=1857 .
My guess is that Antivir scans through text strings that DOS/Candy contains, and since the one in the second piece of code is like the one it's looking for, Antivir detects the compiled executable as a virus.