
恶意代码特征提取

代码恶意特征提取

文件特征提取

1、利用哈希值作为病毒特征

2、选取病毒内部的特征字符串

3、选取病毒内部的特色代码

4、双重校验和

网络特征

1、具体的下载URL或者访问的URL

2、IP地址

3、网络域名

注册表信息提取

1、启动项

2、写死的某个开关值

内存特征提取

某个特定的页、读写权限、代码块大小

只要理解 MEMORY_BASIC_INFORMATION 这个结构中 RegionSize 字段的作用，就知道怎么提取内存特征了。

代码如下:

  1. // 遍历内存.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
  2. //
  3. #include "pch.h"
  4. #include <iostream>
  5. #include <windows.h>
  6. #include <TCHAR.H>
  7. BOOL ShowProcMemInfo(DWORD dwPID);
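// Entry point: dump the memory map of the current process.
// Exit status is 0 on success and 1 if the process could not be opened
// (ShowProcMemInfo returned FALSE); the original discarded that result.
int _tmain(int argc, char* argv[])
{
    (void)argc;  // no command-line options are read
    (void)argv;
    return ShowProcMemInfo(GetCurrentProcessId()) ? 0 : 1;
}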
  13. // 显示一个进程的内存状态 dwPID为进程ID
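// Human-readable name for MEMORY_BASIC_INFORMATION::Type.
static LPCTSTR MemTypeName(DWORD dwType)
{
    switch (dwType)
    {
    case MEM_IMAGE:   return _T("MEM_IMAGE ");
    case MEM_MAPPED:  return _T("MEM_MAPPED ");
    case MEM_PRIVATE: return _T("MEM_PRIVATE");
    default:          return _T("-----------");
    }
}

// Human-readable name for MEMORY_BASIC_INFORMATION::State.
static LPCTSTR MemStateName(DWORD dwState)
{
    switch (dwState)
    {
    case MEM_COMMIT:  return _T("MEM_COMMIT ");
    case MEM_RESERVE: return _T("MEM_RESERVE");
    case MEM_FREE:    return _T("MEM_FREE ");
    default:          return _T("-----------");
    }
}

// Human-readable name for the base part of a PAGE_* protection value.
// PAGE_GUARD, PAGE_NOCACHE and PAGE_WRITECOMBINE are modifier bits OR-ed
// onto a base value, so they never match a plain switch on the whole
// value; only the low byte is compared here and the modifiers are
// reported by AppendProtectFlags().
static LPCTSTR ProtectName(DWORD dwProtect)
{
    switch (dwProtect & 0xFF)
    {
    case PAGE_NOACCESS:          return _T("PAGE_NOACCESS ");
    case PAGE_READONLY:          return _T("PAGE_READONLY ");
    case PAGE_READWRITE:         return _T("PAGE_READWRITE ");
    case PAGE_WRITECOPY:         return _T("PAGE_WRITECOPY ");
    case PAGE_EXECUTE:           return _T("PAGE_EXECUTE ");
    case PAGE_EXECUTE_READ:      return _T("PAGE_EXECUTE_READ ");
    case PAGE_EXECUTE_READWRITE: return _T("PAGE_EXECUTE_READWRITE");
    case PAGE_EXECUTE_WRITECOPY: return _T("PAGE_EXECUTE_WRITECOPY");
    default:                     return _T("----------------------");
    }
}

// Appends the modifier bits that may be OR-ed onto a base PAGE_* value.
// pszBuf must be NUL-terminated; cchBuf is its size in TCHARs.
static void AppendProtectFlags(TCHAR *pszBuf, size_t cchBuf, DWORD dwProtect)
{
    if (dwProtect & PAGE_GUARD)
        _tcscat_s(pszBuf, cchBuf, _T("+GUARD"));
    if (dwProtect & PAGE_NOCACHE)
        _tcscat_s(pszBuf, cchBuf, _T("+NOCACHE"));
    if (dwProtect & PAGE_WRITECOMBINE)
        _tcscat_s(pszBuf, cchBuf, _T("+WRITECOMBINE"));
}

// Prints one line per memory region of process dwPID: base address, size
// in KiB, type, state and the protection recorded at allocation time.
// Returns FALSE if the process cannot be opened with
// PROCESS_QUERY_INFORMATION, TRUE once the whole address space has been
// walked.
//
// Note: mbi.AllocationProtect is the protection the region was created
// with; mbi.Protect is the *current* protection of the page run, which is
// the field to inspect when looking for e.g. writable+executable pages.
// The column is kept as AllocationProtect to match the original output.
BOOL ShowProcMemInfo(DWORD dwPID)
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPID);
    if (hProcess == NULL)
        return FALSE;

    // Header is a literal, so it is printed directly rather than through
    // a buffer used as a format string.
    _tprintf(_T("BaseAddr Size Type State Protect \n"));

    MEMORY_BASIC_INFORMATION mbi;
    PBYTE pAddress = NULL;
    TCHAR szInfo[200];

    // VirtualQueryEx returns 0 once pAddress passes the highest user
    // address, which terminates the walk.
    while (VirtualQueryEx(hProcess, pAddress, &mbi, sizeof(mbi)) == sizeof(mbi))
    {
        // Sub-blocks of an allocation (not its first region) are indented
        // by one space; free regions are never indented.
        LPCTSTR pszFmt =
            (mbi.AllocationBase != mbi.BaseAddress && mbi.State != MEM_FREE)
                ? _T(" %p %8zuK ")
                : _T("%p %8zuK ");

        // BaseAddress is PVOID and RegionSize is SIZE_T: %p / %zu print
        // them correctly on both 32- and 64-bit builds, where the original
        // %08X / %8d pair truncated them (and is undefined behaviour).
        // %zu needs the UCRT (VS2015+); older toolchains use %Iu.
        _stprintf_s(szInfo, _countof(szInfo), pszFmt,
                    mbi.BaseAddress, (size_t)(mbi.RegionSize >> 10));

        // Bounded concatenation; the 200-TCHAR buffer is ample for the
        // longest line (~100 chars) but _s variants make that explicit.
        _tcscat_s(szInfo, _countof(szInfo), MemTypeName(mbi.Type));
        _tcscat_s(szInfo, _countof(szInfo), _T(" "));
        _tcscat_s(szInfo, _countof(szInfo), MemStateName(mbi.State));
        _tcscat_s(szInfo, _countof(szInfo), _T(" "));
        _tcscat_s(szInfo, _countof(szInfo), ProtectName(mbi.AllocationProtect));
        AppendProtectFlags(szInfo, _countof(szInfo), mbi.AllocationProtect);
        _tcscat_s(szInfo, _countof(szInfo), _T("\n"));

        // Never pass buffer contents as the format string.
        _tprintf(_T("%s"), szInfo);

        // Advance past this region; stop if the arithmetic wraps so a
        // malformed RegionSize cannot loop forever.
        PBYTE pNext = (PBYTE)mbi.BaseAddress + mbi.RegionSize;
        if ((ULONG_PTR)pNext <= (ULONG_PTR)pAddress)
            break;
        pAddress = pNext;
    }

    CloseHandle(hProcess);
    return TRUE;
}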

参考

聊聊怎样才算是好的病毒特征
https://www.52pojie.cn/thread-611410-1-1.html

转载于:https://www.cnblogs.com/17bdw/p/10181207.html
