I talked about many things at the principle level and many people did not understand them, so I would like to add some examples.
Here is an example of a signature:
The example is the most common "super module", which is easy to use.
Basically, it gets detected because the author left a piece of nonsense like this inside it.
Processing method: clear the large text segment from 0 ~
Extension:
Processing of other strings: all strings are stored in some other "harmonious" encoding and never appear in plain text.
Next, an example about the module name and file hash:
Example: modules loaded by a non-independently compiled Easy Language DLL
Processing method: compile the module independently, pack it, and change the file name
Extension:
Pack the module, or dynamically change the size of the file's last section and fill it with random junk data, or modify the OEP code before each load (that is, point the OEP at an added section or at the expanded last section, pile junk code there, and then jmp back).
Next, an example of the PDB path as a module feature.
Example: the latest PCHunter32 is detected
Solution: help linxer erase the PDB path ~~
Extension:
Prohibit access to the files of key processes in a reasonable way (...).
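From the defender's side, the PDB path is a cheap triage feature precisely because it is so rarely removed: the linker stores it in a CodeView "RSDS" record (signature, 16-byte GUID, 4-byte age, then a NUL-terminated path). The following is an added example, not code from the original post or from PCHunter, that pulls that record out of a raw module image and flags the traits an analyst keys on (a developer's user-profile directory, a debug build directory). The sample module bytes are constructed here and are not a real file; the `SAMPLE_MODULE` name and the indicator list are the example's own assumptions.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

# CodeView 7 record as the MSVC linker emits it in the debug directory:
#   "RSDS" | GUID (16 bytes) | age (uint32 LE) | PDB path | NUL
# Scanning raw bytes for the signature sidesteps full PE parsing, which is
# what many triage scripts and YARA rules do in practice.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)


@dataclass
class CodeViewInfo:
    guid: str
    age: int
    pdb_path: str


def find_pdb_path(data: bytes) -> Optional[CodeViewInfo]:
    """Return the first RSDS CodeView record found in a module image, or None.

    None means the author stripped the record (or the module was built
    without debug info); for a commercial tool that absence is itself a
    weak signal worth noting during triage.
    """
    m = RSDS_RE.search(data)
    if not m:
        return None
    raw_guid = m.group(1)
    # A GUID is stored as little-endian DWORD, WORD, WORD, then 8 raw bytes.
    d1, d2, d3 = struct.unpack("<IHH", raw_guid[:8])
    guid = (f"{d1:08x}-{d2:04x}-{d3:04x}-"
            f"{raw_guid[8:10].hex()}-{raw_guid[10:16].hex()}")
    age = struct.unpack("<I", m.group(2))[0]
    return CodeViewInfo(guid=guid, age=age,
                        pdb_path=m.group(3).decode("latin-1"))


def pdb_path_indicators(path: str) -> List[str]:
    """Traits of a PDB path that make it a strong detection / attribution feature."""
    reasons = []
    if re.search(r"\\Users\\[^\\]+\\", path):
        reasons.append("developer user profile in build path")
    if re.search(r"\\Debug\\", path, re.IGNORECASE):
        reasons.append("debug build directory")
    if not path.lower().endswith(".pdb"):
        reasons.append("unusual CodeView path (not a .pdb)")
    return reasons


# Constructed stand-in for a module image: a fake header, some padding, one
# RSDS record, and trailing zeros.  It is NOT a valid PE and is never loaded.
SAMPLE_MODULE = (
    b"MZ" + b"\x90" * 60 + b"PE\x00\x00" + b"\x00" * 40
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 3)
    + b"C:\\Users\\dev\\source\\supermod\\Release\\supermod.pdb\x00"
    + b"\x00" * 32
)


def triage(data: bytes) -> dict:
    """Summarise the PDB-path feature of a module image for a human reviewer."""
    info = find_pdb_path(data)
    if info is None:
        return {"pdb_path": None, "note": "no RSDS record (stripped or no debug info)"}
    return {"pdb_path": info.pdb_path, "guid": info.guid, "age": info.age,
            "indicators": pdb_path_indicators(info.pdb_path)}


if __name__ == "__main__":
    print(triage(SAMPLE_MODULE))
    print(triage(b"MZ" + b"\x00" * 100))
```

Run against a real module by reading the file as bytes and passing it to `triage`; the GUID and age are the same values a symbol server uses to match a PDB, so they also link otherwise renamed copies of one build together.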
Last example
Example: verification code processing module
The format of the SendFileEx parameter exported by a verification code module...
That is where the detected feature comes from.
Processing method: change the export name, or export by ordinal without a name ~~
Extension: besides the export table, the import table and resource table can also be features...
End of article.