PHP to determine whether the exe file is normal
<?php
Include "exeinfo.php";
$pe = new Pe_viewer (' cmd.exe ');
$pe->out ();
?>
, usually the virus will shell, after the shell of the program its section name is no longer common. Text,. Data,. Rdata, rsrc, etc., but contains UPX, aspack and other characters of the section name;
2, usually the entry point of the program in 100,001, most of the 1000 slightly more places, if the program entry point value is too large, it is doubtful;
3, the analysis of the import table, the usual Virus KERNEL32.DLL import table only LoadLibrary, GetProcAddress and so on a few functions.
Of course, the above judgment is not accurate, some hacking procedures and the need for confidential procedures will be added shell.
This script obtains the basic information of the EXE file and outputs it in XML format, and does not currently contain the introduction table information. You can view the output information to determine whether the exe file is normal.