恶意代码代码特征提取

作者：菜鸟追梦旅行 | 2024-06-16 03:49:05

踩

代码恶意特征提取

文件特征提取

1、利用哈希值作为病毒特征

2、选取病毒内部的特征字符串

3、选取病毒内部的特色代码

4、双重校验和

网络特征

1、具体的下载URL或者访问的URL

2、IP地址

3、网络域名

注册表信息提取

1、启动项

2、写死的某个开关值

内存特征提取

某个特定的页、读写权限、代码块大小

只要理解MEMORY_BASIC_INFORMATION这个架构中的RegionSize作用就知道怎么提取内存特征了

代码如下：


// 遍历内存.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
 
#include "pch.h"
#include <iostream>
#include <windows.h>
#include <TCHAR.H>
BOOL ShowProcMemInfo(DWORD dwPID);
int _tmain(int argc, char* argv[])
{
    ShowProcMemInfo(GetCurrentProcessId());
    return 0;
}
// 显示一个进程的内存状态 dwPID为进程ID
BOOL ShowProcMemInfo(DWORD dwPID)
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,
        FALSE,
        dwPID);
    if (hProcess == NULL)
        return FALSE;
    MEMORY_BASIC_INFORMATION mbi;
    PBYTE pAddress = NULL;
    TCHAR szInfo[200] = _T("BaseAddr Size Type State Protect \n");
    _tprintf(szInfo);
    while (TRUE)
    {
        if (VirtualQueryEx(hProcess, pAddress, &mbi, sizeof(mbi)) != sizeof(mbi))
        {
            break;
        }
        if ((mbi.AllocationBase != mbi.BaseAddress) && (mbi.State != MEM_FREE))
        {
            _stprintf(szInfo, _T(" %08X %8dK "),
                mbi.BaseAddress,
                mbi.RegionSize >> 10);
        }
        else
        {
            _stprintf(szInfo, _T("%08X %8dK "),
                mbi.BaseAddress,
                mbi.RegionSize >> 10);
        }
        LPCTSTR pStr = _T("");
        switch (mbi.Type)
        {
            case MEM_IMAGE: pStr = _T("MEM_IMAGE "); break;
            case MEM_MAPPED: pStr = _T("MEM_MAPPED "); break;
            case MEM_PRIVATE: pStr = _T("MEM_PRIVATE"); break;
            default: pStr = _T("-----------"); break;
        }
        _tcscat(szInfo, pStr);
        _tcscat(szInfo, _T(" "));
        switch (mbi.State)
        {
            case MEM_COMMIT: pStr = _T("MEM_COMMIT "); break;
            case MEM_RESERVE: pStr = _T("MEM_RESERVE"); break;
            case MEM_FREE: pStr = _T("MEM_FREE "); break;
            default: pStr = _T("-----------"); break;
        }
        _tcscat(szInfo, pStr);
        _tcscat(szInfo, _T(" "));
        switch (mbi.AllocationProtect)
        {
            case PAGE_READONLY: pStr = _T("PAGE_READONLY "); break;
            case PAGE_READWRITE: pStr = _T("PAGE_READWRITE "); break;
            case PAGE_WRITECOPY: pStr = _T("PAGE_WRITECOPY "); break;
            case PAGE_EXECUTE: pStr = _T("PAGE_EXECUTE "); break;
            case PAGE_EXECUTE_READ: pStr = _T("PAGE_EXECUTE_READ "); break;
            case PAGE_EXECUTE_READWRITE: pStr = _T("PAGE_EXECUTE_READWRITE"); break;
            case PAGE_EXECUTE_WRITECOPY: pStr = _T("PAGE_EXECUTE_WRITECOPY"); break;
            case PAGE_GUARD: pStr = _T("PAGE_GUARD "); break;
            case PAGE_NOACCESS: pStr = _T("PAGE_NOACCESS "); break;
            case PAGE_NOCACHE: pStr = _T("PAGE_NOCACHE "); break;
        default: pStr = _T("----------------------"); break;
        }
        _tcscat(szInfo, pStr);
        _tcscat(szInfo, _T("\n"));
        _tprintf(szInfo);
        pAddress = ((PBYTE)mbi.BaseAddress + mbi.RegionSize);
    }
    CloseHandle(hProcess);
    return TRUE;
}

参考

聊聊怎样才算是好的病毒特征
https://www.52pojie.cn/thread-611410-1-1.html

转载于:https://www.cnblogs.com/17bdw/p/10181207.html

声明：本文内容由网友自发贡献，不代表【wpsshop博客】立场，版权归原作者所有，本站不承担相应法律责任。如您发现有侵权的内容，请联系我们。转载请注明出处：https://www.wpsshop.cn/w/菜鸟追梦旅行/article/detail/725014