Research on the method of Kaspersky (AVP) memory-resident virus detection

Tags: kaspersky, antivirus
Author:killer <killer②uid0.net>


Kaspersky Anti-Virus, formerly known as AntiViral Toolkit Pro (AVP), is still commonly called AVP or KAV out of habit and for brevity.

Studying how AVP performs detection matters for two reasons. One is that AVP's detection method is a theoretical and practical test of what a scientific and reasonable method looks like. The other is that friends who fought viruses back in the DOS days will remember this experience: "Is the machine infected? OK, boot from a clean, uninfected system disk, then scan and clean the whole machine." I also remember the CIH outbreak: a friend asked me to help him clean the virus, saying that a well-known domestic anti-virus product had already been run repeatedly, and that the product's own monitor reported that it was itself infected with CIH. I told him to boot the system from a clean boot disk and scan everything. That is one workable solution, but the real issue is that the anti-virus software could not detect and remove the virus directly in memory. Doing so is entirely achievable, and as far as I know AVP was the earliest product to use a method for detecting and removing resident viruses in memory.


First, detection methods:

The AVP virus library holds several kinds of feature records. One of them is the memory feature record, the feature set AVP uses to detect memory-resident viruses; for memory-resident infectors AVP applies several separate detection methods.
To scan for a memory-resident infector, AVP uses the search method and the address offset recorded in the virus library. Starting from that address it compares memory byte by byte until it finds the match byte, i.e. segment:offset + byte offset == match byte from the record. AVP then computes the signature of the length given by the library record over the bytes at that position; if it matches the signature stored in the library, the corresponding virus message is displayed, and memory is repaired according to the repair offset, repair length and repair bytes in the library record, so that the original virus is inactive after the repair.

A record of this type contains the following fields:

Virus name
Search method: absolute address scan, special module, ...
Address offset: segment:offset
Match bytes
Feature length
Feature bytes
Dedicated processing routine: obj_link
Processing (repair) offset address
Processing byte length: generally less than 10
Repair bytes

Second, search methods:

As can be seen above, a key factor in AVP's fast processing is its search method. AVP in fact has several built-in search methods, and they apply to MS-DOS, Win9x, WinNT/2000/XP and other systems. AVP can use any of several memory search methods to deal with a given virus; the difference is only which method is more efficient.


1. Absolute address:

AVP scans some viruses by absolute address: the scanner reads the corresponding address from the library record, performs the match at that location in memory, and after a successful match carries out the repair procedure.

2. Segment scanning:

AVP loops through a memory segment one byte at a time, from the beginning of the segment to its end.

3. Full scan:

AVP starts from memory address 0x00000000, loops upward incrementally, and matches over the whole of memory.

4. Special module:

This is a method for certain "cunning" viruses. When AVP's normal scanning and detection methods cannot identify a virus correctly, a dedicated processing module is used to detect and remove it. The module is written separately, compiled into an OBJ file and stored in the AVP library record.

5. Interrupt tracking:

This is AVP's scanning method for DOS: it follows the system interrupts INT 21h and INT 13h to locate the virus code in memory, then modifies the code around those instructions so that the virus becomes inactive.


Third, examples:

A simple example, such as this virus (a code fragment from the Internet that infects COM files):

CMP AH,3DH
JZ SHORT @@Infect_File        ; intercept DOS function 3Dh (open file)

@@JmpOldInt21:
CLI
JmpFar DB 0EAh                ; JMP FAR opcode; the old INT 21h vector follows

@@Infect_File:

....

After assembly it should look like this (offsets follow the instruction sizes: CMP AH,3DH is three bytes, so the JZ sits at +3 from the start of the fragment):

13B6:0100 80FC3D        CMP AH,3DH
13B6:0103 74xx          JZ  infect_file
13B6:0105 FA            CLI
13B6:0106 EAxxxxxxxx    JMP FAR xxxx:xxxx

To detect and remove this virus, we generate a record and store it in the AVP library; it can be used to detect the active virus and neutralise it:

Search method: interrupt tracking
Address offset: 1000:0000
Match bytes: 80 FC
Feature length: 6
Feature bytes: xxxxxxxx
Dedicated processing routine: NULL
Processing offset address: 3
Processing byte length: 2
Repair bytes: 90 90

With such a detection and repair record, AVP can detect and repair the active virus resident in memory, and then completely remove the virus from the disk file through the separate file virus detection/repair process.
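The following is an added illustration, not AVP's own code: a toy scanner that applies a memory feature record shaped like the one above to a constructed memory image. Segment:offset is modelled as a linear offset into the image, the feature bytes (shown as xxxxxxxx on the page) are constructed, and "??" in the signature is a wildcard for bytes that vary, such as the JZ displacement.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class MemoryRecord:
    name: str
    base: int       # address offset where the byte-by-byte scan starts
    match: bytes    # match bytes, compared first as a cheap pre-filter
    feature: str    # hex signature, "??" = any byte; feature length = number of pairs
    fix_off: int    # processing offset, relative to the match position
    fix: bytes      # repair bytes; processing byte length == len(fix)

def feature_matches(image: bytes, pos: int, feature: str) -> bool:
    """Compare the signature at pos, honouring '??' wildcards."""
    pairs = [feature[i:i + 2] for i in range(0, len(feature), 2)]
    if pos + len(pairs) > len(image):
        return False
    return all(p == "??" or image[pos + k] == int(p, 16)
               for k, p in enumerate(pairs))

def scan_memory(image: bytes, rec: MemoryRecord) -> Optional[int]:
    """Segment-style scan from rec.base: find the match bytes, then verify
    the full signature. Returns the offset of the virus code, or None."""
    pos = image.find(rec.match, rec.base)
    while pos != -1:
        if feature_matches(image, pos, rec.feature):
            return pos
        pos = image.find(rec.match, pos + 1)
    return None

def repair_memory(image: bytes, rec: MemoryRecord, pos: int) -> bytes:
    """Overwrite len(rec.fix) bytes at pos + rec.fix_off with the repair bytes."""
    buf = bytearray(image)
    buf[pos + rec.fix_off:pos + rec.fix_off + len(rec.fix)] = rec.fix
    return bytes(buf)

# Record for the COM infector fragment above (feature bytes are constructed).
RECORD = MemoryRecord("Example.COM", 0, b"\x80\xFC", "80FC3D74??FA", 3, b"\x90\x90")

# Constructed memory image: filler, a harmless CMP AH,3EH (decoy hit on the
# match bytes only), then the resident hook: CMP AH,3DH / JZ +5 / CLI / JMP FAR.
IMAGE = (b"\x00" * 16 + b"\x80\xFC\x3E\x75\x02" + b"\x00" * 8
         + b"\x80\xFC\x3D\x74\x05\xFA\xEA\x00\x01\xB6\x13")

def detect_and_repair(image: bytes = IMAGE, rec: MemoryRecord = RECORD):
    """Return (offset, repaired image); offset is None if nothing was found."""
    pos = scan_memory(image, rec)
    return (None, image) if pos is None else (pos, repair_memory(image, rec, pos))
```

After the repair the JZ into the infection routine is replaced by two NOPs, so the hook falls through to CLI and the far jump to the old INT 21h handler: the code stays in memory but no longer infects anything, which is exactly what the record's repair fields express.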

This article is one part of my AVP reverse engineering study series. The methods analysed differ slightly between versions; thanks to AVP's sound architecture, the changes mainly consist of processing methods being added or removed and of changes in the record structure length.

Comments and guidance are welcome.
