I. Traditional bundling
The principle is very simple and this is the most widely used method: append B.exe to the end of A.exe. When A.exe is run, its own code reads the appended B.exe back out of the file and runs it too. Code for this kind of bundler is all over the Internet; I first learned it from an article by jingtao. There is no real technical content to it.
Detection method: anyone with a little PE knowledge knows this one. Every complete, working PE/EXE file has a few absolutely fixed features, packed or not: the file starts with the DOS header signature MZ, and the PE header that the DOS header points to starts with PE. With these two features detection becomes simple: open the target file in UltraEdit and search for the keywords MZ and PE. If either appears two or more times, the file has very likely been bundled. Two caveats. First, the two-byte strings MZ and PE can occur by chance in ordinary code or string data, so a hit is only meaningful if the MZ is followed by a DOS header whose e_lfanew field (at offset 0x3C) points at a PE\0\0 signature; the reliable check is to walk the section table, work out where the last section's raw data ends, and see whether anything follows it (that trailing data is called the overlay). Second, some generators use exactly this principle legitimately: they append the Trojan to the end of the generator and read it back when the user chooses to generate, and digitally signed executables also carry their signature after the last section, so trailing data alone does not prove bundling. Note also that many of the popular "bundled file detection tools" on the Internet do nothing more than read the file and search for the keywords MZ or PE. Having read this far, you should see that the so-called "bundled file detection tools" are completely unreliable.
II. Resource bundling
This principle is also very simple. Most detectors miss it, although after bundling an unpacked EXE can still be examined with the "Gray Pigeon Trojan assisted search" tool; most people pack the result, though, so that is also unreliable. Anyone who has learned programming or studied the PE structure knows that resources are a special section of an EXE (.rsrc) that can hold anything the EXE needs, or does not need. A 100% AV-evading bundler built on this principle has already been made into a tutorial animation, which you can download. How does the bundler exploit it? It only needs the BeginUpdateResource, UpdateResource, and EndUpdateResource API functions, which update or replace the resources of an executable on disk. The author only has to write a stub, header.exe, whose sole code extracts a resource back to disk and runs it. When bundling, the bundler first writes out the stub and then uses the three API functions above to store the file to be bundled inside the stub as a resource. Trojan generators widely use the same principle.
Detection method: this is generally hard to detect. If you don't mind the trouble, first unpack the target file, then use a tool such as "Gray Pigeon Trojan assisted search" or ResTorator to read and analyze its resources: an RCDATA or custom-type resource of suspicious size whose data begins with MZ is the giveaway. This method is not universal, however, so users with the means are advised to run suspect files in a virtual machine instead.
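As an added example, not code from the article or from the tools it names, the following Python walks a .rsrc section's type / name / language directory tree, the same structure that UpdateResource writes and that resource viewers read, and flags any resource whose data is itself a PE file. It takes the raw section bytes and the section's RVA as input (in a real file you would read both from the section table, and the file must be unpacked first); the sample section is constructed in-line, and the resource ids, the RVA and all function names are the example's own assumptions.

```python
import struct

RT_RCDATA = 10
SUBDIR_FLAG = 0x80000000          # high bit of an entry's offset: it points to a subdirectory
RES_DIR_SIZE, RES_ENTRY_SIZE = 16, 8


def walk_resources(rsrc: bytes, rsrc_rva: int) -> list:
    """Walk the type / name / language tree of a .rsrc section and return one
    dict per leaf with its path (type, name, lang), data RVA, size and bytes."""
    def read_name(off):           # IMAGE_RESOURCE_DIR_STRING_U: length, then UTF-16 chars
        length, = struct.unpack_from("<H", rsrc, off)
        return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le")

    leaves = []

    def walk(dir_off, path):
        n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
        for i in range(n_named + n_id):
            ident, target = struct.unpack_from("<II", rsrc, dir_off + RES_DIR_SIZE + i * RES_ENTRY_SIZE)
            if ident & SUBDIR_FLAG:           # named entry: offset to a string
                ident = read_name(ident & ~SUBDIR_FLAG)
            if target & SUBDIR_FLAG:
                walk(target & ~SUBDIR_FLAG, path + (ident,))
            else:                             # IMAGE_RESOURCE_DATA_ENTRY
                data_rva, size, _, _ = struct.unpack_from("<IIII", rsrc, target)
                start = data_rva - rsrc_rva   # resource data normally sits inside .rsrc itself
                leaves.append({"path": path + (ident,), "rva": data_rva, "size": size,
                               "data": rsrc[start:start + size]})

    walk(0, ())
    return leaves


def looks_like_pe(blob: bytes) -> bool:
    """True if the blob starts with a DOS header whose e_lfanew points at PE\\0\\0."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_bundled_resources(leaves: list) -> list:
    return [leaf for leaf in leaves if looks_like_pe(leaf["data"])]


def directory(entries):
    """Constructed IMAGE_RESOURCE_DIRECTORY holding ID entries only."""
    blob = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return blob + b"".join(struct.pack("<II", ident, target) for ident, target in entries)


def build_rsrc(items: dict, rsrc_rva: int) -> bytes:
    """Constructed sample .rsrc section: each {id: bytes} stored as RCDATA, language 0x409.
    Layout: root dir | type dir | one lang dir per item | one data entry per item | payloads."""
    ids, n = sorted(items), len(items)
    type_off = RES_DIR_SIZE + RES_ENTRY_SIZE
    lang_off = type_off + RES_DIR_SIZE + RES_ENTRY_SIZE * n
    data_off = lang_off + (RES_DIR_SIZE + RES_ENTRY_SIZE) * n
    payload_off = data_off + 16 * n
    out = directory([(RT_RCDATA, SUBDIR_FLAG | type_off)])
    out += directory([(rid, SUBDIR_FLAG | (lang_off + 24 * i)) for i, rid in enumerate(ids)])
    out += b"".join(directory([(0x409, data_off + 16 * i)]) for i in range(n))
    payloads = b""
    for rid in ids:
        out += struct.pack("<IIII", rsrc_rva + payload_off + len(payloads), len(items[rid]), 0, 0)
        payloads += items[rid]
    return out + payloads


# Constructed sample: resource 101 holds a (minimal, non-runnable) PE header,
# resource 102 holds harmless text, the way a real stub's version data would.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
RSRC_RVA = 0x3000
SAMPLE_RSRC = build_rsrc({101: FAKE_PE, 102: b"version 1.0\0"}, RSRC_RVA)

if __name__ == "__main__":
    for leaf in walk_resources(SAMPLE_RSRC, RSRC_RVA):
        print(leaf["path"], leaf["size"], "PE" if looks_like_pe(leaf["data"]) else "")
```

The walker only trusts what the directory says: a stub that stores the payload under a custom type name instead of RCDATA, or in an unusual language entry, still shows up, because every leaf is checked by content rather than by type. What it cannot see is a payload that the stub XORs or compresses before storing, which is why the article's advice to fall back to a virtual machine stands.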
III. Compiler bundling
I don't know what to call this method yet, so this name will have to do. It is rather sinister: the file to be bundled is converted to hexadecimal and stored in an array in the source code, for example

muma: array [0 .. 9128] of Byte = ($4D, $5A, $50 ... $00);

Then the program uses the API functions CreateFile and WriteFile to write the array back to the hard disk as a file. Anyone who has programmed knows that the array simply becomes initialized data when the compiler and linker build the executable: there is no second file appended, no resource, nothing to unpack, so neither an overlay check nor a resource viewer will show a second file. It is not truly unscannable, though: unless the array is encoded or encrypted, the bundled file lies verbatim inside the host's data section, so a byte-level scan of the whole file for an MZ header whose e_lfanew points at a valid PE signature, and ordinary antivirus signatures, will still find it. This method can be implemented with jingtao's programming aid DcuAnyWhere or Anskya's AnyWhereFileToPas.
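As an added example (not code from the article or from the tools it names), the following Python script does what section I's UltraEdit search and section III's scanning question call for: it walks the section table to find where the real image ends and whether anything is appended (the overlay), and it scans the whole file for MZ headers whose e_lfanew actually points at a PE signature, which catches a payload stored verbatim in a data array as well as one appended to the end, while ignoring a chance "PE" in string data that fools the keyword search. The PE files it analyzes are constructed in-line (structurally valid, not runnable programs), and the function names and sample contents are the example's own assumptions.

```python
import struct

DOS_E_LFANEW = 0x3C
SECTION_HEADER_SIZE = 40


def build_minimal_pe(section_data: bytes) -> bytes:
    """Constructed sample: a structurally valid, non-runnable 32-bit PE with one
    .text section holding section_data. Exists only so the example runs offline."""
    file_alignment, headers_size = 0x200, 0x200
    raw_size = -(-len(section_data) // file_alignment) * file_alignment
    dos = b"MZ" + b"\0" * (DOS_E_LFANEW - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)      # i386, one section
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, raw_size, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, file_alignment,
                       4, 0, 0, 0, 4, 0, 0, 0x2000, headers_size, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)                                               # empty data directories
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          raw_size, headers_size, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(headers_size, b"\0")
    return headers + section_data.ljust(raw_size, b"\0")


def pe_image_end(data: bytes) -> int:
    """File offset just past the last byte the headers account for; anything
    beyond it is overlay, which is where a traditional bundler puts B.exe."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew, = struct.unpack_from("<I", data, DOS_E_LFANEW)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    size_of_optional, = struct.unpack_from("<H", data, e_lfanew + 20)
    size_of_headers, = struct.unpack_from("<I", data, e_lfanew + 24 + 60)  # same offset in PE32 and PE32+
    section_table = e_lfanew + 24 + size_of_optional
    end = size_of_headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, section_table + i * SECTION_HEADER_SIZE + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def find_embedded_pe(data: bytes, start: int = 0) -> list:
    """Offsets of every MZ whose e_lfanew really points at a PE\\0\\0 signature.
    Unlike a plain keyword search, a stray 'MZ' or 'PE' in code or text is ignored."""
    hits, pos = [], data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew, = struct.unpack_from("<I", data, pos + DOS_E_LFANEW)
            sig = pos + e_lfanew
            if e_lfanew < 0x10000 and data[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def naive_flags_bundled(data: bytes) -> bool:
    """The check the 'bundled file detection tools' perform: MZ or PE seen twice."""
    return data.count(b"MZ") >= 2 or data.count(b"PE") >= 2


def analyze(data: bytes) -> dict:
    end = pe_image_end(data)
    return {"image_end": end, "overlay_size": len(data) - end,
            "pe_in_overlay": find_embedded_pe(data, end),
            "pe_anywhere": [o for o in find_embedded_pe(data) if o != 0]}


# Constructed samples: a clean file whose string data happens to contain "PE",
# the same file with a second PE appended (section I), and a file carrying the
# second PE verbatim inside its own code/data section (section III).
PAYLOAD = build_minimal_pe(b"\xC3")
CLEAN = build_minimal_pe(b"\xC3Cannot OPEN file\0")
APPENDED = CLEAN + PAYLOAD
EMBEDDED = build_minimal_pe(b"\xC3Cannot OPEN file\0" + PAYLOAD)

if __name__ == "__main__":
    for name, sample in ("clean", CLEAN), ("appended", APPENDED), ("embedded", EMBEDDED):
        print(name, analyze(sample), "naive:", naive_flags_bundled(sample))
```

An overlay by itself is not proof: installers and digitally signed executables legitimately carry data after the last section, so report what the overlay contains rather than just that it exists. And if the author of a section III bundle encodes or encrypts the array before compiling it in, this byte-level scan no longer matches, and you are back to the dynamic approach in the supplement below.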
IV. The most vicious one
Few people use this one at present, and it is too harmful and too hard to detect and remove [a virus could be bundled directly and still evade AV, sweat ~], so it will not be published here. If it became popular, it is estimated that nobody would dare to open anything. HOHO ~
Supplement: before running a program you are not sure about, you can use third-party tools to monitor the hard disk and the registry. That way, as soon as a file is created or changed on disk, or the registry changes, the change is recorded, which makes the dropped file much easier to find.
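As an added example of the supplement's before-and-after approach, not code from the article or from any of the tools it mentions, the following Python records a snapshot of a directory tree (size and SHA-256 per file) and diffs it against a later one, which is the core of what a disk monitor reports. It covers only the disk side, not the registry, and the dropper activity it reports on is simulated inside a temporary directory; the file names used are the example's own.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map every file under root (path relative to root, '/' separated) to
    (size, sha256) so that a later snapshot can be compared against it.
    Files that vanish or cannot be read mid-walk are skipped, not fatal."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                state[rel] = (os.path.getsize(path), digest)
            except OSError:
                continue
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files created, modified (content changed) or deleted between two snapshots."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "modified": sorted(p for p in common if before[p] != after[p]),
        "deleted": sorted(set(before) - set(after)),
    }


def demo() -> dict:
    """Constructed run: snapshot a directory, simulate a bundled program dropping
    a new executable and altering an existing file, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("original\n")
        before = snapshot(root)
        # simulated dropper activity (constructed, not a real program)
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "dropped.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\0" * 62)
        with open(os.path.join(root, "readme.txt"), "a") as fh:
            fh.write("tampered\n")
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Take the first snapshot immediately before launching the suspect program and the second as soon as it exits (or after a fixed delay, since stubs often sleep before dropping), and hash rather than rely on timestamps, because a dropper can set a file's times to anything it likes.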