无论如何,您正在进入一个机器指令的世界,其中反汇编器(IDA、PE Explorer ...)和调试器将是您最亲密的朋友。
You'll have to put more intelligence than simply do some pattern matching and remove the isolated virus code.
The viruses you are aiming at are files infectors which are rarely used in our days. Most of the time their replication process is as follow:
They copy themselves at the beginning or at the end of the PE files
Locate the entry point of the PE files
Put a jump instruction to this location pointing at theirs code
Disinfecting a file is the most difficult part for any anti-virus. It relies on the quality of the virus code: if it's buggy, the host file will just be unrecoverable.
In any case, you are entering a world of machine instructions where disassemblers (IDA, PE Explorer ...), and debuggers will be your dearest friends.
Do a difference of the two files, the basic idea would be to compare the original and infected files character by character until and saving discrepancies to some data structure. Then in the future you could look for the "virus" which would hypothetically be a collection of the differences, in other files and remove the "virus".
The only problem with this is that there will probably be discrepancies between the two files which have nothing to do with the "virus", e.g. the infected file was modified in some way different from the original, which has nothing to do with the virus.
EDIT*** Checking other files for the virus would not be too hard, but I am running under the assumption that you are dealing with some plain text form of file, for binary propitiatory files, I do not think you would be able to remove the "virus".
发布评论
评论(2)
您必须投入更多的智能,而不仅仅是进行一些模式匹配并删除隔离的病毒代码。
您针对的病毒是文件感染者,在当今时代很少使用。
大多数时候,它们的复制过程如下:
文件进行杀毒是任何防病毒软件中最困难的部分。它依赖于病毒代码的质量:如果有错误,主机文件将无法恢复。
无论如何,您正在进入一个机器指令的世界,其中反汇编器(IDA、PE Explorer ...)和调试器将是您最亲密的朋友。
You'll have to put more intelligence than simply do some pattern matching and remove the isolated virus code.
The viruses you are aiming at are files infectors which are rarely used in our days.
Most of the time their replication process is as follow:
Disinfecting a file is the most difficult part for any anti-virus. It relies on the quality of the virus code: if it's buggy, the host file will just be unrecoverable.
In any case, you are entering a world of machine instructions where disassemblers (IDA, PE Explorer ...), and debuggers will be your dearest friends.
对两个文件进行差异,基本思想是逐个字符地比较原始文件和受感染文件,直到并将差异保存到某些数据结构中。然后,将来您可以在其他文件中查找“病毒”(假设它是差异的集合)并删除“病毒”。
唯一的问题是,两个与“病毒”无关的文件之间可能会存在差异,例如,受感染的文件以与原始文件不同的方式进行了修改,而与病毒无关。
编辑***
检查其他文件是否存在病毒不会太难,但我运行的假设是您正在处理某种纯文本形式的文件,对于二进制修复文件,我认为您无法删除“病毒” 。
Do a difference of the two files, the basic idea would be to compare the original and infected files character by character until and saving discrepancies to some data structure. Then in the future you could look for the "virus" which would hypothetically be a collection of the differences, in other files and remove the "virus".
The only problem with this is that there will probably be discrepancies between the two files which have nothing to do with the "virus", e.g. the infected file was modified in some way different from the original, which has nothing to do with the virus.
EDIT***
Checking other files for the virus would not be too hard, but I am running under the assumption that you are dealing with some plain text form of file, for binary propitiatory files, I do not think you would be able to remove the "virus".