病毒特征和遗传算法
我想知道如何实现以下签名。我在网上读到(至少在过去)研究人员将获取“可疑”文件的二进制代码,将其转换为汇编代码,检查它,挑选看起来不寻常的代码部分,并识别机器中相应的字节代码。
那么下面的病毒字符串签名是如何实现的呢?
MIRC.朱莉=6463632073656e6420246e69636b20433a5c57696e646f77735c4a756c696531362c4a50472e636f6d0a0d6e31333d207d0a0d6e31343d200 a0d6e31353d206374637020313a70696e673a2f6463632073656e6420246e69636b20433a5c57696e646f77735c4a756c696531362c4a50
Also, (although this might sound completely crazy) that string above must mean something, i can only guess a sequence of actions, actual code, etc. So if it was once "translated" in this form (virus signature )从汇编中,是否可以将其转换回来?
以防万一您可能想知道为什么要问我认为是一个奇怪的问题。这就是为什么......我正在准备我的理学学士最后一年的计算机科学项目,此时我想知道是否可以使用 GA(遗传算法)来生成/估计/评估/预测病毒签名。我希望这会让我的问题更容易理解。
谢谢!
I would like to know how one achieves the following signature. I have read online that (al least in the past) researchers will take the "suspected" file the binary code, convert it to assembly, examine it, pick sections of code that appear to be unusual, and identifying the corresponding bytes in the machine code.
But then how is the bellow virus string signature achieved?
MIRC.Julie=6463632073656e6420246e69636b20433a5c57696e646f77735c4a756c696531362c4a50472e636f6d0a0d6e31333d207d0a0d6e31343d200a0d6e31353d206374637020313a70696e673a2f6463632073656e6420246e69636b20433a5c57696e646f77735c4a756c696531362c4a50
Also, (although this might sound completely crazy) that string above must mean something, i can only guess a sequence of actions, actual code, etc. So if it was once "translated" in this form (virus signature) from assembly, is it possible to convert it back?
Just in case you might wonder why am asking what even I think is a weird question. This is why... I am preparing my BSc final year computer science project, and at this point I am wondering whether it would be possible to maybe generate/estimate/evaluate/predict virus signatures by using GA's (Genetic Algorithms). Maybe that will help make my question a bit easier to understand, I hope.
Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您无法将其恢复,因为通常病毒签名是加密的。获取它们的方式是从可执行文件中提取二进制恶意代码,然后将其转换为十六进制表示形式。
希望有帮助
You cannot revert it back because normally virus signatures are encrypted. The way they are obtained is by extracting the binary mallicious code from an executable and then converting it to hexadecimal representation.
Hopefully helps
显示的病毒签名可能取决于生成它的扫描程序。我发现很容易相信所有病毒扫描程序都以不同的方式创建其签名。如果没有来源,就无法解释它是如何开发的,即使有来源,我也怀疑反病毒公司会透露这一点,因为它让病毒开发者有机会避免被发现。
“生成/估计/评估/预测”是四个不同的问题,并不是所有问题都最好用 GA 来解决。在选择算法之前,您需要选择您的问题。
The virus signature shown is probably dependent on the scanner that generated it. I find it extremely easy to believe that all virus scanners create their signatures in different ways. Without a source, there's no way to explain how it was developed, and even with a source I doubt this is something that AV companies will reveal, since it allows virus developers the opportunity to avoid detection.
"Generate/estimate/evaluate/predict" are four different problems and not all of them are best done with a GA. You need to select your problem before selecting an algorithm.