Signature scanning

Many antivirus programs use signature-based malware detection. Here is how signatures are created for ClamAV. I can understand how they create signatures when the whole file is malware, but I couldn't understand how to find malware when it is in the body of the file - the hash would be different. Does anybody know?

My answer is not specific to ClamAV; instead I've answered in a general sense. Maybe this is helpful for you.

First of all, a virus signature is not necessarily a hash value of a file. A signature is usually a string of bits found in a file, although a hash value could also be used as a signature.

Suppose, for example, that a virus contains the string of bits 0x23956a58bd910345. We can consider this string to be a signature of the virus, and we can search for this signature in the files on a system. However, even if we find the signature, we can't be certain that we've found the virus, since other innocent files could contain the same string of bits.

It's interesting to note that if the bits in files were random, the chance of such a false match would be negligible at 1/2^64. (reference)

There are many ways to generate signatures and/or features for malware detection. Learn more here.

Also, there are other ways to detect viruses:
1 Anomaly detection - also known as behaviour analysis - tracks the activities of an executable, like:

  • Modified or created files
  • Registry modifications
  • Which DLLs were loaded before execution
  • Accessed virtual memory
  • Created processes
  • Network connections opened and the packets transmitted
  • What storage areas the malware accessed, installed services and kernel drivers, as well as other information.
    (reference)

2 Change detection - a file that unexpectedly changes may indicate an infection.

How can we detect changes? Hash functions are useful in this regard. Suppose we compute hashes of all files on a system and securely store these hash values. Then, at regular intervals, we can recompute the hashes and compare the new values with the previously stored values. If a file has changed in one or more bit positions — as it might in the case of a virus infection — we'll find that the newly computed hash does not match the previously computed hash value.

There are many disadvantages to change detection. Files on a system often change due to normal system functions rather than malicious behaviour. As a result, change detection is likely to yield many false positives, which places a heavy burden on users and administrators. If a virus is inserted into a file that changes often, it will likely slip through a change detection regimen. [reference: Mark Stamp's book Information Security]

And you are right that the hash mechanism is a weak method for detection.
In my research work, I compared and classified more than 2000 real viruses using 14 antivirus tools and I found that ClamAV is very bad at detecting viruses! Here is the link for a paper describing MOMENTUM.

[Chart showing the detection rates of various antivirus products]
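As an added example (not code from any answer on this page), the two techniques described above in Python: a byte-string signature in ClamAV-like hex notation, with a `??` wildcard, searched anywhere inside a file's bytes rather than hashed over the whole file, plus change detection by comparing stored SHA-256 hashes; the false-match estimate reproduces the 1/2^64 figure for an 8-byte signature. The sample file contents and the signature name are constructed for this demonstration.

```python
import hashlib
import re

# Constructed sample file contents (no real malware). The question's point is that
# the signature sits somewhere inside the file, so a whole-file hash would not find it.
CLEAN = b"MZ\x90\x00" + b"hello world " * 8
INFECTED = b"MZ\x90\x00" + b"hello " + bytes.fromhex("23956a58bd910345") + b" world"

# Signature in ClamAV-like hex notation; "??" matches any single byte.
SIGNATURES = {"Test.Sig.A": "23956a58??910345"}  # constructed placeholder name


def compile_hex_sig(hexsig):
    """Turn a hex signature into a bytes regex: literal bytes, '??' -> any byte."""
    parts = []
    for i in range(0, len(hexsig), 2):
        tok = hexsig[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, sigs=SIGNATURES):
    """Return (signature name, byte offset) for every match anywhere in data."""
    hits = []
    for name, hexsig in sigs.items():
        for m in compile_hex_sig(hexsig).finditer(data):
            hits.append((name, m.start()))
    return hits


def expected_random_matches(file_len, sig_len):
    """Expected number of false matches of a fixed sig_len-byte signature if the
    file's bytes were uniformly random: (candidate positions) / 256**sig_len."""
    return max(file_len - sig_len + 1, 0) / 256 ** sig_len


def baseline(files):
    """Change detection, step 1: store a hash of every file (dict path -> bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def changed(base, files):
    """Change detection, step 2: paths whose current hash differs from the stored one."""
    return sorted(p for p, d in files.items() if base.get(p) != hashlib.sha256(d).hexdigest())


if __name__ == "__main__":
    print("clean:", scan(CLEAN), "infected:", scan(INFECTED))
    snapshot = baseline({"app.bin": CLEAN})
    print("changed:", changed(snapshot, {"app.bin": INFECTED}))
```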

This project is developed based on a console user interface (CUI). It has its own scanning algorithm for finding malicious code in each file during the scan. The core idea is to search for/match the virus signatures in all scanned files or directories. Usually, 90% of viruses/worms have their own signature (some repeated text found in all affected binary files or archive files) and the remaining 10% of viruses are identified based on execution behavior.

Here I wrote code for a signature-based scan algorithm, so I stored the virus signatures in separate databases, organized in a flat-file format. The main feature is that without installation it is able to scan the system, and it allows scanning all file type extensions, including hidden files and hidden directories.

Please find the source code on my tech blog - http://www.algonuts.info/how-to-create-antivirus-using-c-programming.html

// Turbo C++ / DOS program: relies on <conio.h> (clrscr, getch) and <dir.h> (findfirst/findnext).
#include<iostream.h>
#include<stdio.h>     // FILE, fopen, fread, fwrite, fgets
#include<stdlib.h>    // malloc, free, exit
#include<conio.h>
#include<string.h>
#include<process.h>
#include<io.h>
#include<alloc.h>
#include<dir.h>
#include<ctype.h>

struct ffblk dblist,list;
FILE *temp_p,*dp,*vp;
char *sign =  (char *) malloc(9);

char ch;
unsigned int count,first=0,found=0;
unsigned long int start,udata1,udata2,udata3;

void set_virus_name(char *);
void update_signature(char *,char *,int,int);
void set_data(char *,char *,int);

void main()
{
    clrscr();
    char *vfile = (char *) malloc(40);
    char *dfile = (char *) malloc(40);
    cout<<"\nSystem: Enter the infected filename: ";
    cin>>vfile;

    if(access(vfile,0)!=0)
    {  
        cout<<"\nError : File not exist"; 
        free(sign);  
        free(vfile); 
        free(dfile); 
        getch(); 
        exit(0); 
    }
    strcpy(sign,"LITTLE17"); 

    udata1 = findfirst("*.db",&dblist,0);
    while (!udata1)
    {   
        first=1;
        temp_p= fopen(dblist.ff_name,"rb");   // binary mode: text mode would stop at 0x1A on DOS
        fread(sign,8,1,temp_p); 
        if(!strcmp(sign,"LITTLE17"))      // only databases carrying the magic header are consulted
        update_signature(vfile,dblist.ff_name,1,0);  
        fclose(temp_p);
        udata1=findnext(&dblist);
    }

    if(first==0)
    {
        cout<<"\nSystem: Enter the database name :";
        cin>>dfile;
        udata1=strlen(dfile);
        if(dfile[udata1-3]=='.'&& (dfile[udata1-2]=='D'||dfile[udata1-2]=='d') &&  (dfile[udata1-1]=='B'||dfile[udata1-1]=='b') )      
        update_signature(vfile,dfile,0,1); 
        else
        { 
            cout<<"\n\nError : Create .DB extension file type"; 
            free(sign); 
            free(vfile); 
            free(dfile); 
            getch(); 
            exit(0);  
        } 
    }
    else
    {
        if(found==0)  
        {   
            cout<<"\nSystem: Enter the database name :";
            cin>>dfile;
            udata1=strlen(dfile);
            if(dfile[udata1-3]=='.'&& (dfile[udata1-2]=='D'||dfile[udata1-2]=='d') &&  (dfile[udata1-1]=='B'||dfile[udata1-1]=='b') )
            {
                if(!access(dfile,0))
                {   
                    dp = fopen(dfile,"rb");  
                    fread(sign,8,1,dp); 
                    fclose(dp);
                    if(!strcmp(sign,"LITTLE17"))
                    update_signature(vfile,dfile,1,1); 
                    else
                    { 
                        cout<<"\n\nError : Database not supported with "<<vfile;  
                        free(sign); 
                        free(vfile); 
                        free(dfile); 
                        exit(0);  
                    }  

                }
                else
                update_signature(vfile,dfile,0,1); 
            }
            else
            {   
                cout<<"\n\nError: Create .DB extension file type"; 
                free(sign);  
                free(vfile); 
                free(dfile); 
                exit(0); 
            }  

        }
    } 
    free(sign);
    free(vfile); 
    free(dfile); 
    getch();
}

void update_signature(char *vfile,char *dfile,int check,int add)
{       
    if(check==1)
    {   
        char *temp = (char *) malloc(strlen(dfile)+1);
        strcpy(temp,dfile);
        char *turn = (char *) malloc(40+2+400+1);   

        dp = fopen(dfile,"rb");           // database is binary: header, offset, name, 0x14, signature bytes, 0x16
        fread(sign,8,1,dp); 
        fread(&start,sizeof(start),1,dp);
        while(1)
        {  
            udata1=0;     
            while(1)
            {
                ch=fgetc(dp);
                if(ch!=0 && ch!=32 && ch!='\n' && ch!='\t')
                {
                    if(ch==20)
                    udata2=udata1;
                    if(ch!=22)                  
                    {   
                        turn[udata1]=ch; 
                        udata1=udata1+1;
                        continue; 
                    }
                    else
                    break;
                }
            }  
            turn[udata1]='\0';
            udata2=udata2+1;
            udata3=udata2;

            count=0;
            udata1=0; 
            udata2=udata3;
            vp=fopen(vfile,"rb");         // scan the sample byte by byte in binary mode
            findfirst(vfile,&list,0);
            while(udata1<list.ff_fsize)
            {

                fseek(vp,udata1,SEEK_SET);
                ch=fgetc(vp);
                if(ch!=0 && ch!=32 && ch!='\n' && ch!='\t' && ch!= 20 && ch!= 22)
                {
                    if(ch!=turn[udata2])
                    {   
                        if(count>=2)
                        udata1=udata1-count;
                        count=0;
                        udata2=udata3;
                    }
                    else
                    {   
                        count=count+1;
                        udata2=udata2+1;
                        if(turn[udata2]==0)
                        {   

                            cout<<"\n\n\nError : Unsuccessfully ! ";
                            cout<<"\n\nError : Virus were Already added on "<<temp;  
                            cout<<"  [ ";
                            udata3--;
                            for(count=0;count<udata3;count++)
                            {
                                if(turn[count]!=32)
                                cout<<turn[count];
                                else
                                cout<<" ";                                  
                            }
                            cout<<" ]";
                            found=1; 
                            break; 
                        }           
                    }
                }                   
                fflush(vp);
                udata1=udata1+1;

            }
            fclose(vp);

            if(found==1)
            break;
            ch=fread(&start,sizeof(start),1,dp);
            if((ch+1)==1)
            break;
        }
        fclose(dp);
        free(temp);
        free(turn);

        if(found==0&&add==1)
        {
            set_data(vfile,dfile,check);   
        }                   
    }
    else
    {       
        set_data(vfile,dfile,check);    
    }                       
}


void set_data(char *vfile,char *dfile,int check)
{
    char *temp = (char *) malloc(40);
    cout<<"\n\nSystem: Set the name of virus :";
    fgets(temp,40,stdin);                 // bounded read instead of gets()
    temp[strcspn(temp,"\r\n")]='\0';      // drop the trailing newline
    cout<<"\nEnter first index :";
    cin>>udata1;
    start=udata1;
    cout<<"\nEnter last  index :";
    cin>>udata2;
    char *vdata = (char *) malloc((udata2-udata1)+2+2+2+1); 
    vdata[0]=20;
    udata3=1;

    vp=fopen(vfile,"rb");
    while(udata1<=udata2)
    {   
        fseek(vp,udata1,SEEK_SET);
        ch=getc(vp);
        cout<<udata1<<" "<<ch<<"\n";
        if(ch!=0 && ch!=32 && ch!='\n' && ch!='\t' && ch!=20 && ch!=22)
        {
            vdata[udata3]=ch;
            udata3=udata3+1;    
            vdata[udata3]='\0';             
        }
        udata1=udata1+1;
    }
    fclose(vp);
    vdata[udata3+1]='\0';
    vdata[udata3]=22;

    dp=fopen(dfile,"ab+");                // append the new record in binary mode
    if(check==0)
    fwrite(sign,8,1,dp);
    fwrite(&start,sizeof(start),1,dp);
    fwrite(temp,strlen(temp),1,dp);
    free(temp);
    fwrite(vdata,strlen(vdata),1,dp);
    free(vdata);
    fclose(dp);
    cout<<"\n\nSystem: Successfully Added on "<<dfile;
}
