Author: killer <killer ② uid0.net>
Kaspersky Anti-Virus, formerly called AntiViral Toolkit Pro (AVP), is still commonly referred to as AVP or KAV, out of habit and for brevity.
The AVP detection method matters because it is a sound, well-reasoned method that has stood up to both theoretical scrutiny and practical testing. Anyone who fought viruses in the DOS era will remember the standard anti-virus advice: "Is the machine infected? Fine, boot it from a clean, uninfected system disk and then scan and clean everything." I remember when CIH was spreading, a friend asked me to help him clean it up. He said a well-known AV in China had reported the virus; he ran that AV and cleaned it again, and on top of that the AV's own resident monitor kept reporting a CIH infection. After hearing this, I told him to boot from a clean system disk and scan the whole system. That is a solution, but it sidesteps the real issue: the anti-virus software did not detect and clear the virus directly in memory, and that is exactly what can be done. As far as I know, AVP was built to detect and clear viruses resident in memory.
I. Detection method:
The AVP virus database holds several kinds of feature records, one of which is the memory feature. This is the feature set AVP uses to detect and clear memory-resident viruses, and AVP applies several independent detection methods to memory-resident infections.
AVP scans for viruses resident in memory using the search method and address offset recorded in the virus database. Starting from that address offset, AVP compares memory byte by byte. When a byte matches, that is, when the byte at Segment:Offset + byte offset equals the record's match byte, AVP goes on to compare the feature of the length given in the record. If it matches the database record exactly, the corresponding virus message is displayed, and at the same time memory is repaired using the repair length and repair bytes from the record, so that the original virus is no longer active after the repair.
The record structure contains the following fields:
    Virus name
    Search method: absolute address scan, dedicated module, ...
    Address offset: Segment:Offset
    Match byte
    Feature length
    Feature
    Dedicated processing: Obj_Link
    Processing offset address
    Processing byte length: generally less than 10
    Fixed byte
II. Search methods:
It can be seen from the above that AVP ensures fast processing, and a key factor in that is its search method. AVP has many built-in search methods, applicable to systems such as MS-DOS, Win9x and Windows NT/2000/XP. AVP can use several different memory search methods to handle one virus; the difference between them is efficiency.
1. Absolute address:
AVP uses an absolute address scan to look for the virus. The scanner reads the address from the database record, matches memory at that address, and after a match performs the repair.
2. Segment scan:
AVP starts at a memory segment and advances one byte at a time, scanning until the end of the segment.
3. Full scan:
AVP starts from memory address 0x00000000 and scans the whole of memory for a match.
4. Dedicated modules:
This is the method for certain particularly "cunning" viruses. When the normal scan and detection methods defined by AVP cannot identify the virus correctly, a dedicated processing module is used to detect and clear it. The module is compiled and stored in OBJ format inside the AVP library record.
5. Interrupt tracking:
This is mainly the scan method of AVP for DOS. By tracing the system interrupts INT 21h and INT 13h, it locates the virus code resident in memory and modifies the code near those instructions so that the virus becomes inactive.
III. Example:
Take, for example, this virus (a code snippet found on the Internet, from a COM-file infector):
        cmp     ah, 3dh
        jz      short @Infect_File      ; intercept DOS function 3Dh
    @JmpOldInt21:
        cli
    JmpFar  db      0eah
    @Infect_File:
        ....
After assembly it should look like this:
    13B6:0100  80FC3D   cmp  ah, 3Dh
    13B6:0103  74xx     jz   Infect_File
    13B6:0105  FA       cli
    13B6:0106  xx       ...
To detect and remove this virus, we generate a record and store it in the AVP database. In this form it detects the virus completely and stops its activity:
    Search method: interrupt tracking
    Address offset: 1000:0000
    Match byte: 80FC
    Feature length: 6
    Feature: xxxxxxxx
    Dedicated processing: NULL
    Processing offset address: 3
    Processing byte length: 2
    Fixed byte: 90
With such a detection-and-repair database record, AVP can detect and repair the active virus resident in memory; the virus in the disk files is then cleared completely through a separate file virus detection/repair process.
This article is part of my AVP reverse-engineering study series. The analysis differs slightly between versions, but thanks to AVP's good architecture these changes are mainly additions, deletions and changes to the lengths of the record structure.
Comments and advice are welcome.
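To make the record structure from section I and the example record above concrete, here is a small model of how such a record is applied to a memory image. This is an added example written for this article, not AVP's code: the MemRecord class, the "??" wildcard notation for varying bytes, the virus name, the JE displacement 10h and the constructed memory image are my assumptions, and the record uses the segment-scan search method from 1000:0000 instead of interrupt tracking.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class MemRecord:
    """One memory record with the fields the article lists (wildcards are an addition)."""
    name: str
    method: str          # "absolute": check one address; "segment": walk 64 KiB from it
    segment: int         # address offset, segment part
    offset: int          # address offset, offset part
    match_byte: bytes    # cheap pre-check before the full feature compare
    feature: str         # feature as hex bytes, "??" for bytes that vary (e.g. a JE displacement)
    fix_offset: int      # processing offset address, relative to the match
    fix_bytes: bytes     # fixed bytes written over the virus code (processing byte length = len)

def feature_matches(mem: bytes, pos: int, feature: str) -> bool:
    toks = feature.split()
    if pos + len(toks) > len(mem):
        return False
    return all(t == "??" or mem[pos + i] == int(t, 16) for i, t in enumerate(toks))

def scan(mem: bytes, rec: MemRecord) -> Optional[int]:
    """Return the linear address where the record matches, or None."""
    base = rec.segment * 16 + rec.offset
    positions = [base] if rec.method == "absolute" else range(base, base + 0x10000)
    for pos in positions:
        if mem[pos:pos + len(rec.match_byte)] == rec.match_byte and feature_matches(mem, pos, rec.feature):
            return pos
    return None

def repair(mem: bytearray, rec: MemRecord) -> Optional[int]:
    """Overwrite the bytes at the processing offset so the resident code is inactive."""
    pos = scan(mem, rec)
    if pos is not None:
        start = pos + rec.fix_offset
        mem[start:start + len(rec.fix_bytes)] = rec.fix_bytes
    return pos

def sample_memory() -> bytearray:
    """Constructed 128 KiB image with the article's stub (80FC3D 74xx FA EA...) at 13B6:0100."""
    mem = bytearray(0x20000)
    mem[0x13C60:0x13C60 + 10] = bytes.fromhex("80FC3D" "7410" "FA" "EA00000000")
    return mem

# The article's record: scan from 1000:0000, feature length 6, fix 2 bytes at +3 with 90h (NOP)
RECORD = MemRecord("Example.COM.Infector", "segment", 0x1000, 0x0000,
                   bytes.fromhex("80FC"), "80 FC 3D 74 ?? FA", 3, b"\x90\x90")

if __name__ == "__main__":
    mem = sample_memory()
    hit = repair(mem, RECORD)
    print(f"matched at {hit:05X}, after repair: {mem[0x13C60:0x13C66].hex().upper()}")
```

After the repair the conditional jump into the infection routine is two NOPs, so the resident handler falls straight through to the old INT 21h vector and the record no longer matches, which is how a second scan confirms the memory is clean.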