I don't know what has been going on lately: countless bundlers (file binders) have appeared overnight, and the newbies are going to suffer for it. So today I will give a short summary of how the various kinds of bundler work and how to detect them, to help you recognise programs that carry a virus.
1. Traditional bundling. The principle is very simple and it is the most widely used method: B.exe is appended to the end of another executable, A. When A is run, B.exe is run as well. The code for this kind of bundler is all over the Internet; I first learned it from an article by jingtao. There is nothing technically sophisticated about it.
Detection method: anyone with a little PE knowledge will know that a complete, valid PE/EXE file has a few fixed features regardless of whether it is packed. First, the file begins with "MZ"; second, the PE header (starting with "PE") follows the DOS header. With these two features detection becomes very simple: open the target file in UltraEdit and search for the keyword MZ or PE. If it turns up two or more times, the file has been bundled. Two things are worth noting, though. Some Trojan generators use the same principle themselves, appending the Trojan to the end of the generator and reading it back out when the user generates a server, so a generator will legitimately contain two headers. And many of the popular "bundled file detection tools" on the Internet do nothing more than read the file and search for the keywords MZ or PE. Having said this much, I think you get the picture: the so-called "bundled file detection tools" are completely unreliable.
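As an added example (not from the original post), here is a Python script that does the section-1 check the way the post implies it should be done: instead of counting "MZ"/"PE" strings, it validates each MZ header through its e_lfanew field and measures the overlay past the last section. The build_minimal_pe helper is an assumption of this example, constructing a toy PE32 sample so the script runs offline; the naive_keyword_hits function reproduces what the criticised tools do, for comparison.

```python
import struct

def is_valid_pe_at(data: bytes, off: int) -> bool:
    """True if data[off] starts a structurally valid MZ header whose e_lfanew hits a PE signature."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]
    return len(data) >= pe + 4 and data[pe:pe + 4] == b"PE\0\0"

def pe_image_end(data: bytes) -> int:
    """File offset where the last section's raw data ends; everything after it is overlay."""
    coff = struct.unpack_from("<I", data, 0x3C)[0] + 4          # skip 'PE\0\0'
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_opt, = struct.unpack_from("<H", data, coff + 16)
    sec = coff + 20 + size_opt                                  # first section header
    end = sec + num_sections * 40
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def naive_keyword_hits(data: bytes) -> int:
    return data.count(b"MZ") + data.count(b"PE")   # what the criticised tools do

def find_embedded_pes(data: bytes) -> list:
    """Offsets of every MZ that is really a PE header (bare 'MZ'/'PE' text does not count)."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if is_valid_pe_at(data, pos):
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def analyse(data: bytes) -> dict:   # overlay size plus validated PE headers beyond the host
    if not is_valid_pe_at(data, 0):
        return {"valid_pe": False}
    return {"valid_pe": True, "overlay_size": len(data) - pe_image_end(data),
            "embedded_pe_offsets": find_embedded_pes(data)[1:],
            "naive_hits": naive_keyword_hits(data)}

def build_minimal_pe(section_data: bytes) -> bytes:
    """Constructed sample only: a tiny PE32 with one section, valid headers, no real code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # 1 section, PE32 opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    raw_size = (len(section_data) + 0x1FF) & ~0x1FF
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", raw_size, 0x1000, raw_size, 0x200) + b"\0" * 16
    hdr = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    return hdr + section_data.ljust(raw_size, b"\0")
```

A clean sample whose code section merely contains the text "MZ" and "PE" gets four naive hits but no embedded PE, while a sample with a second PE appended shows a non-zero overlay that itself starts with a valid header.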
2. Resource bundling. The principle here is also very simple. Most detectors cannot detect it, although with the help of the Gray Pigeon Trojan's sub-Trojan finder you can pick it up in EXE files that are not packed. Most of them are packed, however, so this is also very unreliable. Anyone who has learned programming or the PE structure should know that the resources are a special section of an EXE which can hold anything the EXE does or does not need. Using this principle, video tutorials on "100% undetectable bundling" have been made, and you can download them. How does the bundler take advantage of it? Only three API functions are needed: BeginUpdateResource, UpdateResource and EndUpdateResource, which update or replace resources. The author only needs to write a stub, header.exe, containing nothing but the code to release (extract) a resource. When bundling, the stub is written out first, and then the file to be bundled is updated into the stub's resources with the three API functions above. The same principle is widely used in Trojan generators.

Detection method: this is generally difficult to detect. If you do not mind the trouble, first unpack the target file, then use the Gray Pigeon sub-Trojan finder to read and analyse its resources. But this method is not universal after all, so users who have the means are advised to use a virtual machine.
3. Compiler bundling. I do not know what to call this for the moment, so this name will have to do. This method is quite insidious and dangerous. The file to be bundled is converted to hexadecimal and saved into an array, like this:

Muma: array [0 .. 9128] of Byte = ($ 4D, $ 5A, $50... $00 );

Then the API functions CreateFile and WriteFile are used to write the file back out to the hard disk. Anyone who has learned a little programming will understand: the array in the code is compiled and linked into the executable by the compiler and linker, so there is no visible attachment and no extra file. Nothing left to scan, right? That is why there is no way to scan for and remove it. The programming aids DcuAnyWhere by jingtao or AnyWhereFileToPas by Anskya can be used for this method.
4. The most poisonous one. Because few people use it at the moment, and because it is extremely harmful and hard to detect and remove [a virus I cleaned up recently used bundling directly to evade detection, sweat~], I will not disclose it. It is very hard to detect and remove; if it became popular I reckon there would be a tutorial on it within everyone's reach, and I would be afraid to watch it. HOHO ~
Supplement: before running a program you are not sure about, you can use a third-party tool to monitor the hard disk and the registry. That way, as soon as the disk changes, whether a file is created or a file is modified, it is recorded, and on checking the log the bundled payload is easy to find.
.: END ::.