跳至内容
Main Menu
卡巴斯基病毒启发式原理和病毒名报法 by yan
HEUR:Trojian.Win32.Generic
启发阀值1
如果虚拟机启发执行发现改变PE文件最后一个区段的保护属性为可执行或者改变PE文件最后一个区段的RAW大小还有时间戳就给予启发
启发阀值2
如何2个可执行文件操作修改和覆盖一个新的文件并且旧的文件stub是不同的但是新文件镜像是一样的
启发式2
**HEUR:Trojan.Win32.Delself
**
**判断一个文件是否调用 cmd进行命令行注入后自删除
**
开始解析传递给bat的参数 是否是自删除指令
启发式3
**HEUR:Trojan.Win32.Invader
**
**启发进程注入攻击
发现注入第3方进程修改内存可
**
启发式4
**HEUR:Virus. Win32.Infector
**
/************************************************************************/
/* Infector */
/************************************************************************/
void cEventHandlerHeurEmulVirus::OnFileModifyPost(cEvent& event, cFile& file) {
const tcstring fullPath = file.getFull();
bool bInfector = false;
if (!m_pEnvironmentHelper->PathIsNetwork(fullPath) && !m_pEnvironmentHelper->PathIsRemovable(fullPath))
return;
{
cProcess pProcess = event.GetProcess();
if (!pProcess)
return;
if (pProcess->m_ModifiedNonLocalFilesList.contain(fullPath))
return;
if (pProcess->m_CreatedImagesList.contain(fullPath))
return;
pProcess->m_ModifiedNonLocalFilesList.add(fullPath);
bInfector = (pProcess->m_ModifiedNonLocalFilesList.count() >= 3);
}
if (bInfector) {
m_pEventMgr->OnInfector(event, file);
}
}
/************************************************************************/
/* Downloader */
/************************************************************************/
#define DOWNLOAD_HEADER_SIZE 0x400
void cEventHandlerHeurEmulDownloader::OnDownloadFile(cEvent& event, cFile& file)
{
cProcess pProcess = event.GetProcess();
if (pProcess)
{
if (pProcess->m_pLastDownloadedFileHeader
&& pProcess->m_nLastDownloadedFileHeaderSize < DOWNLOAD_HEADER_SIZE)
{
m_pEnvironmentHelper->Free(pProcess->m_pLastDownloadedFileHeader);
pProcess->m_pLastDownloadedFileHeader = NULL;
}
if (!pProcess->m_pLastDownloadedFileHeader)
pProcess->m_pLastDownloadedFileHeader = m_pEnvironmentHelper->Alloc(DOWNLOAD_HEADER_SIZE);
if (pProcess->m_pLastDownloadedFileHeader)
{
uint32_t bytes_read;
pProcess->m_nLastDownloadedFileHeaderSize = DOWNLOAD_HEADER_SIZE;
if (!file.Read(0, pProcess->m_pLastDownloadedFileHeader, DOWNLOAD_HEADER_SIZE, &bytes_read)
|| bytes_read != DOWNLOAD_HEADER_SIZE)
{
m_pEnvironmentHelper->Free(pProcess->m_pLastDownloadedFileHeader);
pProcess->m_pLastDownloadedFileHeader = NULL;
}
}
}
m_downloaded_list.add(event.m_pid, file.getFull());
return;
}
void cEventHandlerHeurEmulDownloader::OnProcessCreatePre(cEvent& event, cFile& image_path, tcstring cmd_line, uint32_t creation_flags)
{
if (m_downloaded_list.contain(image_path.getFull(), NULL))
return m_pEventMgr->OnDownloader(event, NULL);
cProcess pProcess = event.GetProcess();
if (!pProcess)
return;
if (!pProcess->m_pLastDownloadedFileHeader)
return;
if (pProcess->m_nLastDownloadedFileHeaderSize < DOWNLOAD_HEADER_SIZE)
return;
uint32_t bytes_read;
char buff[DOWNLOAD_HEADER_SIZE];
if (!image_path.Read(0, buff, DOWNLOAD_HEADER_SIZE, &bytes_read))
return;
if (bytes_read != DOWNLOAD_HEADER_SIZE)
return;
if (0 == memcmp(pProcess->m_pLastDownloadedFileHeader, buff, DOWNLOAD_HEADER_SIZE))
return m_pEventMgr->OnDownloader(event, NULL);
return;
}
附录 逃逸方法
卡巴斯基模拟能够加载和打开的系统文件 只要寻找一个不在这个卡巴能模拟的列表里面就可以绕过虚拟机的查杀
static const tSystemFile arrSystemFiles[] =
{
{ _T("BOOT.INI"), eRoot },
{ _T("IO.SYS"), eRoot },
{ _T("MSDOS.SYS"), eRoot },
{ _T("NTDETECT.COM"), eRoot },
{ _T("NTLDR"), eRoot },
{ _T("EXPLORER.EXE"), eWindows},
{ _T("ALG.EXE"), eSystem32 },
{ _T("TASKMGR.EXE"), eSystem32 },
{ _T("SVCHOST.EXE"), eSystem32 },
{ _T("SMSS.EXE"), eSystem32 },
{ _T("SPOOLSV.EXE"), eSystem32 },
{ _T("CSRSS.EXE"), eSystem32 },
{ _T("WINLOGON.EXE"), eSystem32 },
{ _T("SERVICES.EXE"), eSystem32 },
{ _T("LSASS.EXE"), eSystem32 },
{ _T("WUAUCLT.EXE"), eSystem32 },
{ _T("DLLHOST.EXE"), eSystem32 },
{ _T("RUNDLL32.EXE"), eSystem32 },
{ _T("IEXPLORE.EXE"), eProgramFilesIE },
{ _T("NTDLL.DLL"), eSystem32 },
{ _T("KERNEL32.DLL"), eSystem32 },
{ _T("USER32.DLL"), eSystem32 },
{ _T("GDI32.DLL"), eSystem32 },
{ _T("ADVAPI32.DLL"), eSystem32 },
{ _T("SHELL32.DLL"), eSystem32 },
{ _T("WS2_32.DLL"), eSystem32 },
{ _T("MSWSOCK.DLL"), eSystem32 },
{ _T("WSOCK32.DLL"), eSystem32 },
{ _T("SHLWAPI.DLL"), eSystem32 },
{ _T("OLE32.DLL"), eSystem32 },
{ _T("OLEAUT32.DLL"), eSystem32 },
{ _T("RASAPI32.DLL"), eSystem32 },
{ _T("URLMON.DLL"), eSystem32 },
{ _T("WININET.DLL"), eSystem32 },
{ _T("MSVCRT.DLL"), eSystem32 },
{ _T("RPCRT4.DLL"), eSystem32 },
{ _T("CRTDLL.DLL"), eSystem32 },
{ _T("DNSAPI.DLL"), eSystem32 },
{ _T("COMCTL32.DLL"), eSystem32 },
{ _T("VERSION.DLL"), eSystem32 },
{ _T("MPR.DLL"), eSystem32 },
{ _T("WINMM.DLL"), eSystem32 },
{ _T("IMAGEHLP.DLL"), eSystem32 },
{ _T("AVICAP32.DLL"), eSystem32 },
{ _T("MSACM32.DLL"), eSystem32 },
{ _T("SHDOCVW.DLL"), eSystem32 },
{ _T("PSAPI.DLL"), eSystem32 },
{ _T("SHFOLDER.DLL"), eSystem32 },
{ _T("PSTOREC.DLL"), eSystem32 },
{ _T("CRYPT32.DLL"), eSystem32 },
{ _T("ICMP.DLL"), eSystem32 },
{ _T("IPHLPAPI.DLL"), eSystem32 },
{ _T("ODBC32.DLL"), eSystem32 },
{ _T("NETAPI32.DLL"), eSystem32 },
{ _T("COMDLG32.DLL"), eSystem32 },
{ _T("WINSPOOL.DRV"), eSystem32 },
{ _T("SNMPAPI.DLL"), eSystem32 },
{ _T("INETMIB1.DLL"), eSystem32 },
{ _T("QMGR.DLL"), eSystem32 },
};
[<- 前一篇文章](http://www.bendasafe.com/2021/01/06/php-7-0-7-3-disable_functions- bypass/)
发表评论 取消回复
您的电子邮箱地址不会被公开。 必填项已用*标注
在此输入...
名字*
电子邮箱*
网站
在此浏览器中保存我的显示名称、邮箱地址和网站地址,以便下次评论时使用。
Search for: 搜索 _ _
Copyright (C) 2021 茶颜森林博客 | Powered by Astra WordPress 主题