Principles and classification of kill-free (antivirus evasion)
"Kill-free" (antivirus evasion) is without doubt one of the hottest techniques at present. It is a hacker technique with high usability and a wide scope of application, and it is often the preparatory step for script intrusion, virus attacks and other hacker techniques. For example, a hacker discovers and exploits a script vulnerability in a website and thereby obtains management privileges on the server.
To facilitate and consolidate control, the hacker then usually needs to upload a backdoor (a script backdoor or a PE backdoor) or a rootkit to the target's web server. The target server, however, runs powerful antivirus software: once the backdoor is uploaded, the antivirus software on the server identifies and removes the backdoor or rootkit, so the hacker cannot use the tool, which greatly hampers the exploitation of the vulnerability. If the hacker instead uploads a tool that has been processed with kill-free techniques, control can be consolidated with a simple and effective tool. This is obviously only a very narrow example; in real intrusions, kill-free technology is almost everywhere. Learning kill-free technology is therefore very important for an information security enthusiast.
Definition of kill-free technology
As the above shows, "kill-free" means processing a file that would originally be detected and removed by antivirus software or other computer security tools so that it is no longer detected; the technique that achieves this is kill-free technology. The process is called "kill-free", and is also known as "virus-free", because files detected by antivirus software or other security tools are generally referred to as viruses.
Antivirus detection principles
1. Signature method (pattern method)
When antivirus software uses signature scanning to identify a file as a virus, the file must meet two conditions:
(1) A location in the file corresponds to a location recorded in the antivirus software's virus database.
(2) The code stored at that location is identical to the code defined for that location in the virus database.
Features of the signature method:
A. Scanning is slow.
B. The false alarm rate is low.
C. Polymorphic viruses cannot be detected.
D. Stealth (concealed) viruses cannot be handled.
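The two conditions above can be written down as a small scanner. This is an added example, not code from the original article; the "virus database" records and the sample files are constructed here purely to show how an offset-plus-bytes signature is matched, and the one-byte variant illustrates the polymorphism limitation listed under C.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One record of a virus database: where to look (offset) and what must be there (pattern)."""
    name: str
    offset: int      # condition (1): the location in the file the record refers to
    pattern: bytes   # condition (2): the code that must be stored at that location


# Constructed sample database; the patterns are illustrative, not real malware signatures.
VIRUS_DB = [
    Signature("Demo.A", offset=0x10, pattern=b"\xde\xad\xbe\xef\x90\x90"),
    Signature("Demo.B", offset=0x00, pattern=b"MZDEMO"),
]


def scan(data: bytes, db=VIRUS_DB) -> list:
    """Return the names of all signatures whose bytes appear at their recorded offset."""
    hits = []
    for sig in db:
        end = sig.offset + len(sig.pattern)
        # Condition (1): the file must actually contain that location; condition (2): exact byte match.
        if end <= len(data) and data[sig.offset:end] == sig.pattern:
            hits.append(sig.name)
    return hits


# Constructed sample "files": a 2-byte header, padding up to offset 0x10, then a marker.
INFECTED = b"MZ" + b"\x00" * 14 + b"\xde\xad\xbe\xef\x90\x90" + b"\x00" * 32
VARIANT = b"MZ" + b"\x00" * 14 + b"\xde\xad\xbe\xee\x90\x90" + b"\x00" * 32  # one byte differs at 0x13
SHORT = b"MZ" + b"\x00" * 10  # too short: offset 0x10 does not exist, so condition (1) fails

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED), ("variant", VARIANT), ("short", SHORT)):
        print(label, scan(sample))
```

The variant is missed because a fixed-offset signature compares bytes exactly; that is precisely why a code change at the signature location defeats this method while everything else in the file stays the same.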
2. Checksum method
The checksum method can be used to check for viruses in three ways:
(1) Build the checksum method into the virus detection tool: calculate the checksum of the normal state of the file to be checked, write that checksum into the file itself or into the detection tool, and compare against it later.
(2) Build a checksum self-check function into the application: write the checksum of the file's normal state into the file, and whenever the application starts, compare the current checksum with the original one, so the application checks itself.
(3) Make the checking program memory-resident: whenever an application starts, the resident program automatically verifies it against the checksum saved in advance in the application or in another file.
Features of the checksum method:
Advantages: the method is simple, and it can detect unknown viruses and even minor changes to the checked file. Disadvantages: the normal checksum must first be recorded; it is prone to false alarms (any legitimate change to the file also changes the checksum), it cannot identify the virus name, and it cannot match a specific virus.
3. Behavior monitoring method
This method monitors for viruses using behavioral characteristics that are unique to viruses.
Behaviors monitored for virus detection:
A. Hooking INT 13H.
B. Modifying the total memory size recorded in the DOS system data area.
C. Writing to COM and EXE files.
D. Switching between the virus program and the host program.
Features of behavior monitoring:
Strengths of the behavior monitoring method: it can detect unknown viruses and accurately predicts the majority of unknown viruses. Weaknesses of the behavior monitoring method: it may raise false alarms, cannot identify the virus name, and is difficult to implement.
4. Software simulation method
The common form of software simulation is to run the sample in a virtual machine and apply multiple detection and removal methods there.
Features of software simulation:
Strengths of the software simulation method: the strongest ability to identify viruses (because a variety of detection methods are combined).
Weaknesses of the software simulation method: scanning is slow and virus detection is often inaccurate.
Conclusion:
Currently, antivirus software relies mainly on signature technology to detect viruses. A signature is a piece of special code that the antivirus vendor extracts from the virus itself and uses to decide that a file is that virus. Kill-free work targets exactly these signatures: if the antivirus software can no longer find them, the file is no longer detected. The functionality of the file itself must not be damaged, however; the kill-free file must be functionally identical to the original. Only then can it be regarded as an effective kill-free solution.
Kill-free technology classification:
1. Internal and external kill-free
External kill-free is also known as PE kill-free. Internal kill-free starts from the virus's source code and modifies that source code to produce a hidden variant of the virus. External kill-free takes the compiled and linked virus file and encrypts or otherwise complicates its code, so as to interfere with the antivirus software's decision and avoid detection.
An essential prerequisite for internal kill-free is that the producer must have the virus's source code, which is a demanding requirement. External kill-free requires some disassembly basics and knowledge of the PE structure.
Internal and external kill-free belong to the same technical level.
2. Signature kill-free, signature-less kill-free, and broad-scope kill-free
The detection technology used even by advanced antivirus engines is still centered on signatures, so modifying the virus's signature will remain the mainstay of kill-free technology for the foreseeable future. Broad-scope kill-free methods are often called "signature-less kill-free": they complicate the virus code by means such as adding junk instructions ("flowers") and packing ("shells"), and a virus processed this way can often evade several antivirus products at once. "Broad scope" means not modifying the signature directly but complicating the code by other means, which indirectly interferes with the antivirus software's recognition of the signature.
3. File kill-free, memory kill-free, and behavior kill-free
File kill-free means that when the virus is stored on the computer's hard disk and scanned by the antivirus software, the antivirus software no longer identifies the file it originally detected as a virus. Some antivirus products load a specific PE section of the virus file from the hard disk into memory for identification; this is called dynamic file scanning, and it is not the same as the antivirus software's memory scan.
In-memory detection and removal means that when a virus is loaded into the computer's memory, the antivirus software detects the virus running there and removes it from memory. Memory kill-free means that after the virus has been loaded into memory as above, the antivirus software's memory scan function still cannot identify the virus in memory.
"Behavior kill-free" is a relatively new concept that followed file kill-free and memory kill-free. Virus programs share many common behaviors, such as dropping a dynamic link library into the system directory and adding startup items or services. Antivirus software can capture these characteristics by monitoring the programs running on the computer and controlling behaviors that may harm the system. This monitoring approach is behavior monitoring, and the work of getting past it is called behavior kill-free.
4. Blind kill-free technology
Blind kill-free technology is also simply called "blind kill-free". It is fair to say that blind kill-free technology was not disclosed within the community for a long time.
Blind kill-free means that no antivirus software is used to locate the signature and no antivirus software is used to test the evasion result; the final evaded sample is produced directly. Behind this seemingly speculative result lie a great many technical details and a great deal of experience. Blind kill-free is not guesswork: like signature kill-free, it is highly targeted.
Skilled blind kill-free producers are familiar with all kinds of antivirus engines, and this familiarity is gained through ordinary kill-free work. Only on this premise can the weak points of an antivirus engine's signature handling be judged without running the antivirus software itself.
For different antivirus engines, the methods of modifying the signature also differ. Therefore, before studying antivirus engines, you must master basics such as the PE structure and disassembly. -- Excerpted from "no secret to death"
Reprinted; please credit: @qafat