文件特征提取
1、利用哈希值作为病毒特征
2、选取病毒内部的特征字符串
3、选取病毒内部的特色代码
4、双重校验和
网络特征
1、具体的下载URL或者访问的URL
2、IP地址
3、网络域名
注册表信息提取
1、启动项
2、写死的某个开关值
内存特征提取
某个特定的页、读写权限、代码块大小
只要理解 MEMORY_BASIC_INFORMATION 这个结构体中 RegionSize 字段的作用，就知道怎么提取内存特征了。
代码如下:
// 遍历内存.cpp : This file contains the "main" function. Program execution begins and ends here.
//
// Walks a process's user-mode address space with VirtualQueryEx and prints one
// line per region (base address, size, type, state, protection) so the regions'
// sizes and access rights can be used as memory-level features.

#include "pch.h"
#include <iostream>
#include <windows.h>
#include <TCHAR.H>
// Prints the memory map of the process identified by dwPID; defined below.
BOOL ShowProcMemInfo(DWORD dwPID);
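/// Entry point: dumps the memory map of the current process.
///
/// argv is declared as _TCHAR* so the signature matches _tmain under both
/// ANSI and UNICODE builds (where _tmain expands to wmain and argv is wchar_t*).
/// @return 0 on success, 1 if the process could not be queried.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;
    // Surface the BOOL result as the exit status instead of discarding it.
    return ShowProcMemInfo(GetCurrentProcessId()) ? 0 : 1;
}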
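// Prints the memory map of the process whose ID is dwPID, one region per line:
// base address, size in KiB, type (MEM_IMAGE/MEM_MAPPED/MEM_PRIVATE), state
// (MEM_COMMIT/MEM_RESERVE/MEM_FREE) and the region's allocation protection.
// Sub-regions (BaseAddress != AllocationBase) are indented by one space so the
// split of one allocation into differently protected pages stays visible.
//
// Note: AllocationProtect is the protection the region was created with;
// mbi.Protect holds the current protection (after any VirtualProtect), which
// is the field to look at when a feature is based on current R/W/X rights.
//
// Returns FALSE if the process could not be opened with
// PROCESS_QUERY_INFORMATION (the right VirtualQueryEx needs), TRUE otherwise.
BOOL ShowProcMemInfo(DWORD dwPID)
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPID);
    if (hProcess == NULL)
    {
        return FALSE;
    }

    TCHAR szInfo[200];
    const size_t cchInfo = sizeof szInfo / sizeof szInfo[0];

    // Column header. The buffer is never used as a format string itself, so a
    // '%' in the output can never be interpreted as a conversion.
    _tprintf(_T("%s"), _T("BaseAddr Size Type State Protect \n"));

    MEMORY_BASIC_INFORMATION mbi;
    PBYTE pAddress = NULL;   // the walk starts at the bottom of the address space
    while (TRUE)
    {
        // VirtualQueryEx returns 0 once pAddress lies above the highest
        // user-mode address; that ends the walk.
        if (VirtualQueryEx(hProcess, pAddress, &mbi, sizeof(mbi)) != sizeof(mbi))
        {
            break;
        }

        // BaseAddress is a pointer and RegionSize a SIZE_T: %p and %zu are
        // correct on x86 and x64 alike, whereas %08X / %8d truncate 64-bit values.
        const size_t sizeKiB = (size_t)(mbi.RegionSize >> 10);
        if ((mbi.AllocationBase != mbi.BaseAddress) && (mbi.State != MEM_FREE))
        {
            _stprintf_s(szInfo, cchInfo, _T(" %p %8zuK "), mbi.BaseAddress, sizeKiB);
        }
        else
        {
            _stprintf_s(szInfo, cchInfo, _T("%p %8zuK "), mbi.BaseAddress, sizeKiB);
        }

        LPCTSTR pStr = _T("");
        switch (mbi.Type)
        {
        case MEM_IMAGE:   pStr = _T("MEM_IMAGE "); break;
        case MEM_MAPPED:  pStr = _T("MEM_MAPPED "); break;
        case MEM_PRIVATE: pStr = _T("MEM_PRIVATE"); break;
        default:          pStr = _T("-----------"); break;
        }
        _tcscat_s(szInfo, cchInfo, pStr);
        _tcscat_s(szInfo, cchInfo, _T(" "));

        switch (mbi.State)
        {
        case MEM_COMMIT:  pStr = _T("MEM_COMMIT "); break;
        case MEM_RESERVE: pStr = _T("MEM_RESERVE"); break;
        case MEM_FREE:    pStr = _T("MEM_FREE "); break;
        default:          pStr = _T("-----------"); break;
        }
        _tcscat_s(szInfo, cchInfo, pStr);
        _tcscat_s(szInfo, cchInfo, _T(" "));

        // The base protection lives in the low byte; PAGE_GUARD and PAGE_NOCACHE
        // are modifier bits OR'ed on top, so a switch on the whole value would
        // never match them. Mask first, then report the modifiers separately.
        const DWORD prot = mbi.AllocationProtect;
        switch (prot & 0xFF)
        {
        case PAGE_READONLY:          pStr = _T("PAGE_READONLY "); break;
        case PAGE_READWRITE:         pStr = _T("PAGE_READWRITE "); break;
        case PAGE_WRITECOPY:         pStr = _T("PAGE_WRITECOPY "); break;
        case PAGE_EXECUTE:           pStr = _T("PAGE_EXECUTE "); break;
        case PAGE_EXECUTE_READ:      pStr = _T("PAGE_EXECUTE_READ "); break;
        case PAGE_EXECUTE_READWRITE: pStr = _T("PAGE_EXECUTE_READWRITE"); break;
        case PAGE_EXECUTE_WRITECOPY: pStr = _T("PAGE_EXECUTE_WRITECOPY"); break;
        case PAGE_NOACCESS:          pStr = _T("PAGE_NOACCESS "); break;
        default:                     pStr = _T("----------------------"); break;
        }
        _tcscat_s(szInfo, cchInfo, pStr);
        if (prot & PAGE_GUARD)
        {
            _tcscat_s(szInfo, cchInfo, _T(" +GUARD"));
        }
        if (prot & PAGE_NOCACHE)
        {
            _tcscat_s(szInfo, cchInfo, _T(" +NOCACHE"));
        }
        _tcscat_s(szInfo, cchInfo, _T("\n"));
        _tprintf(_T("%s"), szInfo);

        // Advance to the first byte after this region; stop if the pointer
        // wrapped around, which would otherwise restart the walk at NULL.
        PBYTE pNext = (PBYTE)mbi.BaseAddress + mbi.RegionSize;
        if (pNext <= pAddress)
        {
            break;
        }
        pAddress = pNext;
    }

    CloseHandle(hProcess);
    return TRUE;
}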
-
参考
聊聊怎样才算是好的病毒特征
https://www.52pojie.cn/thread-611410-1-1.html