Kaspersky (AVP) memory resident Virus Detection Method


Author: killer <killer ② uid0.net>

Kaspersky Antivirus, formerly called AntiViral Toolkit Pro (AVP), is commonly known as AVP or KAV; out of habit and for brevity it is called AVP below.

The significance of AVP's detection method is that it is a scientific and well-reasoned method that has passed both theoretical verification and practical testing. In addition, those of us from the DOS era have had this kind of anti-virus experience: "Is the machine infected with a virus? OK, boot it from a clean, virus-free system disk and then scan and clean everything." I remember when CIH was spreading, a friend asked me to help him clean the virus. He said a well-known domestic AV had reported the virus; he launched the AV and cleaned it again, and in addition the AV's own monitor kept reporting CIH infections. After hearing this, I told him to boot from a clean boot disk and scan and clean the whole system. Although this is a workable solution, in fact the anti-virus software was not directly detecting and clearing the virus in memory, and that is exactly what can be done. As far as I know, AVP was able to detect and clear viruses resident in memory.

I. detection method:

The AVP virus database contains several kinds of feature records, one of which is the memory feature. This is the feature set AVP uses to detect and clear memory-resident viruses; AVP uses some independent detection methods for memory-resident infections.

AVP scans for viruses resident in memory using the search method and address offset recorded in the virus database. Starting at that address offset, AVP compares byte by byte. When the bytes at Segment:Offset + byte offset equal the record's match bytes, AVP goes on to compare a pattern of the length specified in the database record. If it exactly matches the record in the database, the corresponding virus message is displayed, and at the same time memory is repaired according to the repair length and repair bytes given in the record's repair fields, so that the original virus is no longer active after the repair.

The record structure contains the following fields:

  Virus name
  Search method: absolute address scan, dedicated module, ...
  Address offset: segment:offset
  Match byte
  Feature length
  Feature (pattern bytes)
  Dedicated processing: Obj_Link (reference to a compiled module, if any)
  Processing offset address
  Processing byte length: generally less than 10
  Repair bytes

II. search methods:

It can be seen from the above that AVP ensures fast processing; a key factor is AVP's search method. In fact AVP has many built-in search methods, which are applicable to systems such as MS-DOS, Win9x and WinNT/2000/XP. AVP can use a variety of memory search methods to process one virus; the difference between them is efficiency.

1. Absolute address:

AVP uses an absolute-address scan to look for the virus. The scanner reads the address from the database record and compares the memory at that address against the record. After a match, the scanner performs the repair.

2. segment scan:

AVP scans from the start of a memory segment, advancing one byte at a time in a loop, until the end of the segment is reached.

3. All scans:

AVP starts from memory address 0x00000000 and continues scanning through all of memory looking for a match.

4. Dedicated modules:

This method is for certain specific "cunning" viruses. When the normal scan and detection methods defined by AVP cannot identify a virus correctly, a dedicated processing module is used to detect and clear it. Such a module is compiled, and the resulting obj-format file is stored in the AVP library record.

5. Interrupt tracking:

This is mainly a scan method of AVP for DOS. By tracing the system interrupts INT 21h and INT 13h, it locates the virus code resident in memory and modifies the code near those instructions so that the virus becomes inactive.

III. instances:

For example, take this virus (a code snippet found on the Internet that infects COM files):

        cmp     ah, 3Dh
        jz      short @Infect_File      ; intercept DOS function 3Dh (open file)
@JmpOldInt21:
        cli
JmpFar  db      0EAh                    ; opcode of a far jmp (to the old INT 21h handler)
@Infect_File:
        ....

After assembly it should look like this:

13B6:0100  80FC3D      cmp  ah, 3Dh
13B6:0103  74xx        je   Infect_File
13B6:0105  FA          cli
13B6:0106  xx          ...

To detect and remove this virus we generate a record and store it in the AVP database. It can take the following form and will fully detect this virus and end its activity:

  Search method: interrupt tracking
  Address offset: 1000:0000
  Match byte: 80FC
  Feature length: 6
  Feature: xxxxxxxx
  Dedicated processing: NULL
  Processing offset address: 3
  Processing byte length: 2
  Repair bytes: 90

With such a detection-and-repair database record, AVP can detect and repair the active virus resident in memory; the virus in the disk files is then completely cleared by a separate file virus detection/repair process.
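The record layout from section I, the absolute/segment/full search methods from section II and the worked record above, as an added Python model that is not Kaspersky's code and not from the original article. The record fields follow the list given earlier; the function names, the constructed memory image, the displacement byte 0x10 standing in for the listing's xx, and the use of the segment scan method (rather than the interrupt tracking named in the record above) are my own assumptions so that the whole detect-and-repair pass runs offline.

```python
"""Toy model of an AVP-style memory record and its scan/repair pass.

Added illustration, not Kaspersky code. Record fields follow the
article's field list; helper names and sample data are assumptions.
"""
from dataclasses import dataclass


@dataclass
class MemoryRecord:
    name: str
    method: str            # "absolute", "segment" or "full" (assumed names)
    segment: int           # real-mode segment of the start address
    offset: int            # offset within that segment
    match_bytes: bytes     # cheap first comparison at a candidate address
    feature: bytes         # full pattern; len() is the "feature length"
    fix_offset: int        # "processing offset address", relative to the hit
    fix_bytes: bytes       # "repair bytes"; len() is "processing byte length"


def linear(segment: int, offset: int) -> int:
    """Real-mode segment:offset -> 20-bit linear address."""
    return ((segment << 4) + offset) & 0xFFFFF


def candidates(memory: bytes, rec: MemoryRecord) -> range:
    """Addresses to test, chosen by the record's search method."""
    start = linear(rec.segment, rec.offset)
    if rec.method == "absolute":          # one address only
        return range(start, start + 1)
    if rec.method == "segment":           # byte by byte to the end of the segment
        seg_end = min(linear(rec.segment, 0) + 0x10000, len(memory))
        return range(start, seg_end)
    if rec.method == "full":              # from 0 through all of memory
        return range(0, len(memory))
    raise ValueError(f"unsupported search method {rec.method!r}")


def scan(memory: bytes, rec: MemoryRecord):
    """Return the linear address of the first hit, or None."""
    n_match, n_feat = len(rec.match_bytes), len(rec.feature)
    for addr in candidates(memory, rec):
        if memory[addr:addr + n_match] != rec.match_bytes:
            continue                       # match bytes fail: skip the pattern compare
        if memory[addr:addr + n_feat] == rec.feature:
            return addr
    return None


def repair(memory: bytearray, rec: MemoryRecord, hit: int) -> None:
    """Overwrite the repair bytes at hit + processing offset."""
    start = hit + rec.fix_offset
    memory[start:start + len(rec.fix_bytes)] = rec.fix_bytes


# Constructed sample: the 6 bytes of the article's listing, with xx = 0x10.
#   80 FC 3D  cmp ah,3Dh  /  74 10  jz short Infect_File  /  FA  cli
VIRUS_CODE = bytes.fromhex("80FC3D7410FA")


def build_memory(size: int = 0x20000, at: int = linear(0x13B6, 0x100)) -> bytearray:
    """A zeroed 'memory image' with the sample resident at 13B6:0100."""
    mem = bytearray(size)
    mem[at:at + len(VIRUS_CODE)] = VIRUS_CODE
    return mem


# The article's record, with segment scan substituted for interrupt tracking.
RECORD = MemoryRecord(
    name="Sample.COM.infector",          # constructed name
    method="segment",
    segment=0x1000, offset=0x0000,       # address offset 1000:0000
    match_bytes=bytes.fromhex("80FC"),   # match byte 80FC
    feature=VIRUS_CODE,                  # feature length 6
    fix_offset=3,                        # processing offset address 3
    fix_bytes=bytes.fromhex("9090"),     # length 2, repair byte 90: jz -> nop nop
)


def detect_and_repair(memory: bytearray, rec: MemoryRecord):
    """Scan, patch on a hit, and return the hit address (None if clean)."""
    hit = scan(memory, rec)
    if hit is not None:
        repair(memory, rec, hit)
    return hit


if __name__ == "__main__":
    mem = build_memory()
    hit = detect_and_repair(mem, RECORD)
    print("clean" if hit is None else f"{RECORD.name} at {hit:#07x}")
    if hit is not None:
        print(mem[hit:hit + 6].hex())     # the jz is now two nops
```

The two-stage compare (match bytes first, then the full feature) is what makes the segment and full scans cheap: almost every address fails the two-byte test and never reaches the pattern compare. Features here are exact bytes because the page shows no wildcard syntax for the database format; after the repair the feature no longer matches, so a second scan reports the memory clean.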

This article is part of my AVP reverse engineering study series. The analysis details differ slightly between versions, but thanks to AVP's sound architecture these differences mainly consist of fields being added or removed and changes in the record structure lengths.

Comments and corrections are welcome.
