Kill-free principle)

My words: This article is good. It is very interesting for me to understand it. After reading this article, you will find how simple it is to avoid viruses. I'm afraid you should trust anti-virus software, just like me.

 

First, let's take a look at the principle of virus detection and removal by anti-virus software. The current anti-virus software mainly involves characteristic code and behavior detection and removal.

Monitoring Method. The previous method is old and divided into file detection and memory detection and removal. After the antivirus software company obtains a virus sample

, Define a virus pattern to the virus database, and then compare it with the scanned file. If it is consistent, it is regarded as a virus, and the memory scan is

Load the memory before comparison. The second one is relatively new. It uses the principle that some specific viruses may have certain behaviors to monitor the disease.

Virus.
Common kill-free tools:
Ollydbg debugger (OD), Dynamic Tracing Tool peid shell checking tool peditor PE File Header editing tool
CCL, Bole, myccl signature locator OC address converter reloc modify EP segment address tool zeroadd add partition Tool

Uedit32 hexadecimal Editor

No Kill Method

I. File kill-free
1. Add flowers
2. Modify the file Signature
3. shelling
4. Modify the file after shelling

Ii. Memory kill-free
Modify a pattern

3. behavior-free killing
Flower
Adding flowers is a common method to eliminate file viruses. The principle of adding flowers is to add flowers (some junk commands, such as adding 1 minus 1 nonsense)

Prevent antivirus software from detecting the signature. Adding flowers can be divided into adding flowers and removing flowers. Generally, the flower adding tool uses the Add area and add flowers. Of course

It can also be manually added, that is, first add a section with zeroadd, then write the flowers command in the new section, and then jump to the original

Entry; remove the header and add flowers, first Nop (empty operation in the assembly) Drop the entry of the program several lines, then find the lower part of the 0000 area, write NOP out

And then jump to the original entry through JMP (unconditional jump in the assembly.
Some anti-virus software will not be recognized after the addition of flowers, but some of the more powerful anti-virus, such as the driver uncle (Kaspersky) may still be able

Locate the signature and modify it. To modify the signature, you must first know where it is. Therefore, you must first locate the feature.

This is a difficult issue, especially the positioning of compound signatures.

Pattern Positioning
There are two main methods for locating signatures: the first direct replacement method and the second binary method;
Direct replacement is the earliest Method for locating signatures. The original code is replaced and saved one by one based on a certain number of bytes, such

The trojan has a total of 100 bytes. You can replace 0-10 bytes with 0 and save them. Then, scan the Trojan using anti-virus software. If the trojan is not killed, the signature is already in use.

It has been overwritten. If it is still scanned, it will be replaced by 10-20 bytes, then saved, scanned ...... Find the signature. Advantages of replacement

It is easy to understand and fast (for file signature). The manual method of the signature locating tool Bole and CCL is to replace

This method is often used for file pattern locating. However, this method is not practical for locating memory signatures.

Yes. After each replacement, the system will load the memory before scanning. If the trojan is large, there will be a lot of files to replace.

Memory takes too much time. In addition, it has a very large limitation, that is, it can only determine that there is only one pattern (

Multiple signatures are also applicable in specific situations, as described in the following 3rd cases). Anti-virus software also has other locating signatures.

For example, some anti-virus products define a and B signatures (three or more of which are the same principle. For the sake of convenience, the following

Take the two locations as an example). As long as one of the sites A and B exists, the virus is reported. Only by increasing the replacement range is not reported until the two locations are replaced at the same time. For example

If the distance between the two locations is relatively long, the defined range will be very rough, and it is obvious that the direct replacement method will not be suitable. In this case, the second method will have

It's useless.

The principle used by the binary number method is half and half positioning, and CCL's automatic method is to use this principle. Split the segments to be detected into two parts,

Replace and generate two files A and B respectively, where A is generated after the half of the original file is replaced by 0, and B is replaced by 0,

Anti-virus starts scanning and killing generated files (if the memory pattern is located, it is loaded into the memory before scanning the memory). There are four situations
(1) A exists and B is deleted: In this case, the signature code in file a has been replaced. Therefore, the replaced part of file a is split into two parts.

The first offset is the offset of A, and then the detection is performed;
(2) A is deleted, and B exists: In this case, the pattern in file B has been replaced. Therefore, the replacement part of file B is split into two parts.

First, the offset of B is detected;
(3) existence of a and existence of B: This indicates there is no way to locate whether there is a signature in A and B. Therefore, A and B are divided into two parts for detection respectively.

Test;
(4) A is deleted and B is deleted: in this case, both sections have signatures. Therefore, A and B are divided into two sections for detection.
When a is re-used, the original B Section is filled with 0, which is equivalent to removing the impact of B Section, only a is taken into account. Similarly, for B, the original B Section will be

Enter 0 in section A, which is equivalent to removing the impact of section A. Only B is considered.

(1) (2) corresponds to only one signature, which is easy to understand;
(3) corresponds to the situation where the signatures of A and B are defined, but unlike the one mentioned above, anti-virus software can avoid misjudgment.

A and B are defined. If AB exists at the same time, the virus is reported. Assume that a and B exist in A and B, and a and B do not exist at the same time.

No alert is reported for both A and B. How can we determine this? For example
Trojan is... A ...... B ..., After the first replacement, :... A... 000000, B: 000000... B ..., AB does not exist at the same time.

, B is not killed, then A and B are split into two ,... A ...... B000 ,... A... 000 ..., 000 ...... B ...,... A000... B...

, Scan again to find the location of the two signatures. If not, continue to score ...... Until all are found; in fact, this type

The direct replacement of multiple signatures can also be located, or even better, by a certain number of digits, and then scan, as long as one is replaced

No virus is reported. If no virus is reported, the pattern is overwritten. No matter how many signs are detected, the pattern can be located.

You only need to modify any one of them.

The corresponding situation in article (4) Is that multiple signatures are defined for antivirus purposes, that is, the situation mentioned above.

It must be a virus. Take A and B as an example. The result after the first replacement is the same as that after (3). The two parts are considered separately and will not affect each other,

It is equivalent to breaking down into two single signatures. After the second replacement, it becomes 000000... B000, 000000... 000 ..., 000...

000000 ,... A000000000, and so on until all signatures are precisely located. If there are n signatures, it is equivalent to dividing them into N

The number of single signatures is usually less than or equal to 3. In this case, all the signatures must be modified to avoid killing.

The binary number method is a good idea. It can solve most of the problems, but it is not impeccable? The answer is no! Hateful

Anti-virus software also features a combination of signatures, which brings us great trouble in locating signatures. Determination of composite signatures

The bit mechanism is to define n signatures first, as long as some of them appear at the same time, it is regarded as a virus. Here is a simple example:

The horse was... A1... B1... C1... A2... B2... C2... (Like A1 and A2, the label is added only for the convenience described later), as long as ABC is at the same time

What should I do if I think it is a virus? The principle is not very difficult, but it is also the method of replacing and then killing, first from the back to the front with 0

Replace: the replacement precision is assumed to increase the number of replicas by 1000 bytes each time, and is always displayed as a virus until it is replaced with the address 13140040 (

For the convenience of describing an address), the number of replace bytes reaches 15000, that is... A1... B1... 00000000, both C are replaced

It is not a virus. We can see that the C1 signature is within 13140040 bytes, reducing the number of replace bytes, for example

Replace 14900 bytes, that is, replace the precision with 100 bytes each time, or replace the non-toxic data with 14800 bytes.

...... Until the location of C1 is precisely located; if it is changed to the previous and later replacement, the location of A2 can be located; the location of other signatures

You can use C1 and A2 that have been located to replace one of them with 0, such as C1. From the back to the front, you can locate C2 until you locate the location.

The principle of having a signature is not complicated, but it is very troublesome to perform manual operations. We can use myccl

The usage principle is similar. For detailed operations, see the operation help of myccl. Another method is more scientific. The principle is the same,

The number of bytes is not equal to the increase, but increased to the power of N-1 of 2. The first replacement of 1 byte, the second replacement of 2 bytes, and the third replacement of 4

Byte ...... The hourly reduction is also based on this rule. This replacement method is somewhat similar to the binary number method, allowing you to quickly locate the location of the signature.

, I think this is where myccl should be improved in the positioning of compound signatures.

Although the compound signature is good, you don't have to worry about it. We think that we will be exhausted when all the antivirus products come with a composite signature, and define a composite feature.

Code requires a virus database with a single pattern several times, which is inconvenient for users to upgrade. Therefore, apart from the most popular viruses, it defines

Not many.

Some experience in locating signatures can tell you that file signatures are usually used for direct replacement. You can use CCL for manual locating.

Memory pattern positioning, generally using the binary method, you can use CCL to automatically locate. If the EXE file is small, you can use either of the following methods:

Can be generated using the direct replacement method (why not use CCL, because bole generates an EXE file ).

Can see the icon appearance), find and can still run normally, those icons have changed the description of the PE Header has been damaged, do not try again

Then load the memory and scan the memory. If it runs normally and is not killed, congratulations! Successful! A general range is located,

Use CCL to automatically locate the task, and you will soon be able to complete it. If the file is large, there are too many files generated with bole, which is not convenient, or CCL

Positioning, for DLL files can only be honest and practical CCL positioning.

Pattern Modification
The modification of the signature may require a little compilation knowledge. The CD provides a common assembly syntax introduction, which mainly involves direct modification and redirection.

Modification method.
The direct modification method uses the replacement of equivalent commands, such
Add eax, 0C is equivalent to sub eax,-0c
Or the change in command order does not affect the execution effect, for example
Add eax, 0C; add 0C to the eax register and then assign it to eax
Add EBX, 05; add 05 to The EBX register and then assign it to The EBX register.
Equivalent
Add EBX, 05; add 05 to The EBX register and then assign it to The EBX register.
Add eax, 0C; add 0C to the eax register and then assign it to eax
In addition, if the signature code is ASCII code, you can directly change the upper case, lower case letters to upper case, and upper case to lower case.
Shelling
Needless to say, everyone will use tools. The principle of shelling is to add a protection program to the original program, with the protection and encryption functions, and to run and add

The files after the shell are protected by running the shell and then running the real files. I would like to remind you that there are more shell users.

, Will still be killed, so you can try to learn e-wen well and find shell tools on a foreign website.

Modify files after shelling
After shelling, there will be a special code at the entrance of the program. You can use od to open files with different shelling tools and shells.

The code at the beginning of the shell is different. It can also be said to be the feature code of the shell. For common anti-virus software, you can take off the shell and try again.

Scan and kill, the so-called shell-based technology. To prevent anti-virus software from recognizing which shells are added, we can add dual shells or modify them by ourselves.

The code at the beginning makes the anti-virus tool unable to see the shell. Here I only talk about one way to modify it. You can refer to add it in the header.

Add a feature header of another shell to the blank area, and then the JMP jumps to the original portal. In this way, the anti-virus tool will misjudge the shelling tool,

In order to achieve the effect of no-kill, the method is actually diverse, as long as you are willing to think about it, you can always come up with a way to deal with it.

Another way to modify the shell is to modify the entry of the EP segment. You can use peid to check the Trojan horse with Shell added. You can find the address of the EP segment.

It is the partition portal. You can modify the EP entry address to achieve the effect of no-kill. The tool used is reloc.

Ask Google.

Behavior-free killing
This anti-virus is represented by the Green e PC universal genie. Generally, after a trojan is run, it will be copied to the system directory and then run. The original file

It may be automatically deleted. The current Trojan is usually inserted into the process to access the network. In the process, you can see the inserted process and set

Boot is also required for Trojans to write to the Registry, add to the service, write to the driver, and so on. These are unique actions of Trojans.

We can use registry monitoring and file modification monitoring tools, such as the trojan helper Finder to record the modified files and registries, and speculate to kill

Which behavior the virus may monitor and modify the behavior accordingly to avoid killing the behavior. There is also a general method, and behavior Anti-Virus is not

To check and kill system startup items, we can replace the Trojan's startup items with non-system-required boot items.

. You can study other methods on your own.

As for the entry spread over the Internet plus 1, peditor is used to add the trojan entry address plus 1. Sometimes it can achieve the effect of No-killing, as if

Rising eats this, and there is another tips to tell you that we 'd better choose to avoid Trojan Horse detection for as long as possible.

Old Trojans are used to update the virus database. Old Trojans often update the virus database when the virus is fixed ...... Needless to say.

Summary:
Generally, the kill-free step is to first define the memory pattern, modify the memory pattern, and add instructions for file kill-free.

The file signature is defined, and the signature is modified. The next step is to eliminate the behavior, add the shell, and then modify the shell. Memory kill-free generally only needs to do research

But other anti-virus software does not actually eliminate memory viruses. For example, Kaspersky's memory scan is a fast file

Scanning: Generally, you can skip Kingsoft, rising, and,

Jiangmin's file scanning and removal should be fixed before modifying the pattern if there are any problems. Kabbah's file scanning and removal are awesome, and almost all of them are added with shells.

It can be found out. Generally, You need to locate the signature and modify it. For Norton, if you like to locate the signature in the PE Header, you only need to use Beidou.

Add a shell to the class tool, and make the PE Header messy, it does not know, if you want to do a good job, you can put your own services and

The registry key value is not required by the system. If you are a perfectionist, you can modify the file after shelling to avoid

Kill to the end!