Anti-Virus and AV-Evasion Techniques in Detail, Part 3: Signature Location in Practice

Source: Internet
Author: User

1. Preface

In the previous article, "Anti-Virus and AV-Evasion Techniques in Detail, Part 2: Signature Location, Tools and Principles", the author mainly introduced the signature-location tool MYCCL, analysed its working principle step by step, and finally explained the purpose of learning this tool. In today's hands-on session we apply that knowledge to a signature-based antivirus engine available on the market and walk through an evasion end to end. Friends are very welcome to offer guidance so that we can learn from each other and make progress together!

2. Lab environment

Lab host: VMware 11 virtual machine
Operating system: Windows XP SP3
Tools: MYCCL 2.1, C32ASM, one virus sample (Encode.exe), Baidu Antivirus, the latest version of 360 Antivirus
(Tip: do not run this experiment on a physical machine; running a malicious program there is very risky.)

The author has prepared the virus sample for the experiment and will share it together with the video at the end of the article. Of course you can use a program of your own instead; the procedure is the same.
Once the tools are ready, first disconnect the virtual machine from the network. The author uses NAT networking here, so simply disabling the local area connection is enough.

This step disables 360's cloud scanning. The engine we want to evade is the local one, and cloud results must not be mixed in.
Second, open the 360 Antivirus main window:

Here real-time protection is turned off so that our sample is not removed automatically; then click Settings:

Here the last two check marks are cleared to prevent files from being uploaded automatically for analysis during the process, which would change the engine's behaviour.
In the final step, configure the engines so that only the system repair engine is enabled:

3. Hands-on

Scan the sample with the antivirus to check:

Sure enough, it is detected. Everything is ready, so let us start. First open MYCCL. Following the method described in the previous article, select the virus sample under "File", choose a directory for the chunk files under "Directory", and set the number of chunks (I used 20). The settings are as follows:

Click "Generate", answer "Yes" in the two confirmation dialogs that pop up, and generation finishes. Then open the chunk file directory:

Confirm that the chunk files were generated correctly, then scan all of them with the 360 Antivirus configured above:

Delete the detected files manually: select them and choose delete, and do not let the antivirus handle them automatically, because MYCCL can locate the signature only when the detected chunks are actually deleted.
Next click the "Second-pass processing" button; after the second pass, scan again:

If nothing is detected, there is no need to scan further; if something is still detected, repeat the cycle "scan and delete, second-pass processing, scan and delete ...". Now click "Signature range" to see the result:

The format here is: the first part is the hexadecimal file offset, the second part is the decimal signature length. The signature we located in the first round is 4041 bytes long! Such a large range certainly cannot be modified directly, so we have to carry out "compound location".
Right-click the line of the signature interval and choose "Compound location" on it. The process is then almost the same as at the beginning, but the range is narrower:

Repeat the steps above ("Generate, scan and delete, second-pass processing, scan and delete, second-pass processing ...") to obtain a smaller signature range. Usually within four repetitions you get a signature range of 2 bytes, which we can then modify.

After the repeated location rounds we finally obtain the signature interval; clicking "Second-pass processing" once more generates a map:

Signature physical address / physical length:
[features] 0004a982_00000002
Signature distribution:
[--------------------------------------------------]
[--------------------------------------------------]
[--------------------------------------------------]
[--------------------------------------------------]
[--------------------------------M-----------------]

Now we can look at what the signature actually is. I use C32ASM for this; a quick search on Baidu will find it. With this tool we can easily view and modify the contents of a file, and it has a static disassembly function, which makes changing the signature convenient.
I will write a separate article specifically about signature modification, so do not worry about how to change it yet; the focus now is location!
Open C32ASM and drag the virus sample (not a chunk file) into it:

Click "Hex mode"; this mode is more flexible, so I recommend it. After opening you see a pile of hex bytes. Do not panic; first jump to the location of the signature. Right-click and choose "Jump to":

Fill in the signature location found above and click "OK":

Looking at this region, friends familiar with virus characteristics will recognise it as part of the virus; these are the functions the virus uses. Interested friends can study it on their own (it will be packaged with the video at the end of the article); let us return to the main point.
Look at the signature: "E9 7A" is the located signature. Friends who are familiar with this should already know how to change it, because "E9" is the typical machine code of a jmp instruction, but I will still walk everyone through it. Right-click and open the assembly mode editor to see the corresponding assembly code:

It is clear that this code jumps to a location. Here I first describe one method, equivalent substitution, which as the name implies replaces the code with code that performs the same function. From experience, a jmp can be changed to a call, that is, "E9" is changed to "E8". Right-click and choose "Assemble":

Change jmp to call, click "Assemble", and it is done:

Click "File", "Save", exit, and scan with 360 Antivirus again:

We have succeeded in evading detection! The 360 local engine can no longer detect the sample. Not too difficult, is it? The same principle can be applied to the BD engine and the Avira (Little Red Umbrella) engine; that is left to everyone as an exercise.
The next article will discuss signature modification techniques; interested friends, remember to follow!
If anything is unclear or you run into problems during the operation, that is fine: the article comes with a video of the whole procedure, which you can follow along with. If it still does not work, reply to this article or contact the author directly and we can discuss it.
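The one-byte change above shows why a detection rule pinned to the literal bytes at a single offset is brittle. As an added example from the detection side (not code from the original article, MYCCL or C32ASM), the following Python matcher supports nibble wildcards in the style of ClamAV/YARA hex signatures and compares a literal "E9 7A" rule with a rule that masks the opcode's low bit and wildcards the displacement; the sample buffer is constructed here, not the article's Encode.exe.

```python
# Added example, not code from the original article or from MYCCL/C32ASM:
# a masked byte-signature matcher that keeps matching the sample after the
# jmp (E9) -> call (E8) opcode swap described above.
from typing import List, Tuple

Pattern = List[Tuple[int, int]]  # (value, mask) per byte; mask 0x00 = wildcard


def parse_signature(sig: str) -> Pattern:
    """Parse 'E9 7A ?? ?? ??' into (value, mask) pairs; '?' wildcards a nibble."""
    pattern: Pattern = []
    for tok in sig.split():
        if len(tok) != 2:
            raise ValueError(f"bad token {tok!r}")
        value = mask = 0
        for shift, ch in ((4, tok[0]), (0, tok[1])):
            if ch != "?":
                value |= int(ch, 16) << shift
                mask |= 0xF << shift
        pattern.append((value, mask))
    return pattern


def find_signature(data: bytes, pattern: Pattern) -> List[int]:
    """Return every offset at which data matches the masked pattern."""
    n = len(pattern)
    return [off for off in range(len(data) - n + 1)
            if all((data[off + i] & m) == v for i, (v, m) in enumerate(pattern))]


# Constructed sample (not the article's Encode.exe): filler, a jmp whose rel32
# displacement starts with 0x7A, then the two-byte instruction that follows it.
ORIGINAL = b"\x90" * 0x20 + b"\xE9\x7A\x01\x00\x00\x33\xC0" + b"\xCC" * 0x10
# The same buffer after the opcode swap from the article (E9 -> E8).
PATCHED = ORIGINAL.replace(b"\xE9\x7A", b"\xE8\x7A")

LITERAL_RULE = parse_signature("E9 7A")  # exactly the bytes the article located
# Mask bit 0 of the opcode so both E8 (call) and E9 (jmp) match, wildcard the
# 4-byte displacement, and anchor on the instruction that follows instead.
ROBUST_RULE = [(0xE8, 0xFE)] + parse_signature("?? ?? ?? ?? 33 C0")


def scan(data: bytes) -> dict:
    """Run both rules over a buffer and report the offsets each one hits."""
    return {"literal": find_signature(data, LITERAL_RULE),
            "robust": find_signature(data, ROBUST_RULE)}


if __name__ == "__main__":
    for name, buf in (("original", ORIGINAL), ("patched", PATCHED)):
        print(name, scan(buf))
```

The literal rule finds the jmp at offset 0x20 only in the unmodified buffer, while the masked rule finds it in both.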

4. Appendix

Video of the operation and tools:
Http://pan.baidu.com/s/1o6os8mI
Also recommended: the Big Grey Wolf remote control, which can be used for further evasion exercises:
HTTP://YUNPAN.CN/CDNZPXWZWH7GK access password 5fa3

By the way, some recommended reading:

    1. "Hacker AV-Evasion Attack and Defense"
    2. "Introduction to Hacker AV Evasion"
    3. "Mastering Hacker AV Evasion"
    4. "The Secrets of AV Evasion: Disassembly Reveals Hackers' Mutation Techniques"

Of these, the author mainly recommends the first, "Hacker AV-Evasion Attack and Defense": it is well written and newer than the others, and covers many of the new techniques.

Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission.
