Virusanti_didiwei Instructions for use

Source: Internet
Author: User

Objective

A while ago I said I would write a dedicated malware-removal framework; the plan later changed to a scan-and-clean tool that demonstrates the process of detecting and removing a sample, and the first version is now complete. When you use it I strongly recommend running the console in magnified mode, so you can see the logo I spent half a day drawing. The code is on GitHub: https://github.com/goabout2/virusanti_didiwei.

Overview of General Features

The framework is currently divided into four parts.

The first part is a database holding information on the samples I have analysed. It exists mainly for management purposes and is implemented simply, as a lightweight sqlite3 database.

The second part is virusshare, a project from GitHub that I ported. It queries the VirusShare public sample MD5/hash database to determine whether a file is a known malicious sample. Before use, this module needs the --update all command to download the MD5 and hash lists; queries are then made with the --search command, as shown below.

Determining whether a file is a malicious sample by its hash.

These two parts mainly lay the groundwork for later functionality: the data will be useful later, and further open-source feature data will be added. That work will be completed in the second edition.

The third part is the tools module, which collects the Python functions I use in day-to-day script analysis. It currently offers no console parameters, because there are many functions and calling them through parameters would be cumbersome; it will keep growing, and once there are enough of them they can be organised into a separate functional module.

The fourth part is the upload module. Given an ip.txt configuration file, it uploads the removal core to the target machines in bulk, runs the dedicated removal on each of them, and records the results. For generality the upload uses the SSH protocol.

Each line of ip.txt must be in the format: IP port username password

Removal core

In the folder, windidiwei.exe and lindidiwei are the Windows and Linux sample-removal cores respectively. The removal core is actually a single code base, built for each platform with PyInstaller so that it still runs on machines without a Python environment. Windows and Linux are currently supported; Mac is supported in principle, but its removal core is not implemented. The Linux build covers most distributions, provided the architecture is x86; the various unusual CPU architectures are not considered.

To be general, the removal core works by reading a configuration file: each sample corresponds to one configuration file, written by the person performing the removal, and the removal core carries out the detection and cleanup automatically according to it.

The configuration file is described as follows:

Common options

[linux/windows]

Marks the environment the sample runs in.

[option]

Marks the action the removal core should take; scan and kill are supported.

scan searches the target machine for the sample. When scan is selected you must also provide the filescan option and the signature (sign) option for the sample.

filescan lists the directories to scan, separated by semicolons (;).

sign is the sample's signature (characteristic byte sequence), which must be extracted by reverse engineering.
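As an added illustration (not the project's own code), here is how a scan step built from filescan and sign could walk the listed directories for the signature bytes and then split the per-host results into an all-hosts view and a filtered infected-hosts view, the same two views the result files described later hold. The sample tree, the marker bytes and the host addresses are constructed for the demo.

```python
import os
import tempfile
from typing import Dict, List, Tuple

def scan_dirs(dirs: List[str], sign: bytes, max_size: int = 64 * 1024 * 1024) -> List[str]:
    """Walk every directory from filescan and return files whose bytes contain sign."""
    hits = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    if os.path.getsize(path) > max_size:
                        continue  # skip very large files; raise the limit if needed
                    with open(path, "rb") as fh:
                        if sign in fh.read():
                            hits.append(path)
                except OSError:
                    continue  # unreadable or vanished file: not a hit, keep going
    return sorted(hits)

def split_results(per_host: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Produce the two result views: one line per host (all hosts) and the
    filtered list of hosts with at least one hit (infected hosts only)."""
    all_lines = [f"{host}: {len(paths)} hit(s) {paths}" for host, paths in per_host.items()]
    infected = [host for host, paths in per_host.items() if paths]
    return all_lines, infected

def run_demo() -> Tuple[List[str], List[str]]:
    """Build a constructed sample tree in a temp dir and scan it for a made-up marker."""
    base = tempfile.mkdtemp(prefix="didiwei_demo_")
    os.makedirs(os.path.join(base, "tmp"))
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(base, "tmp", "clean.txt"), "wb") as f:
        f.write(b"nothing suspicious here")
    with open(os.path.join(base, "tmp", "dropped.bin"), "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 16 + b"DEMO-SIGNATURE" + b"\x00" * 8)  # constructed
    hits = scan_dirs([os.path.join(base, "tmp"), os.path.join(base, "etc")], b"DEMO-SIGNATURE")
    # Constructed per-host view: one host reported hits, one was clean.
    all_lines, infected = split_results({"10.0.0.1": hits, "10.0.0.2": []})
    return all_lines, infected

if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```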

kill removes the sample from the target machine. The configuration differs considerably between Windows and Linux samples. The removal core executes the configuration file sequentially, so the cleanup logic can be changed simply by reordering the options. In the following configuration, for example, the removal core first carries out the processes option and then the filedel option:

processes = notepad.exe

filedel = D:\test\sample

By adjusting the order of the configuration file, many awkward cleanup tasks can be accomplished.

Options supported by kill on Linux

sign: the signature of the sample to remove.

filepath: all directories where the sample may exist, separated by semicolons. The removal core searches these directories for the sample files and for the corresponding process, if any.

command: additional commands that may be needed for this cleanup, separated by semicolons. This increases flexibility but is rarely used.

filedel: all the files this cleanup must delete, separated by semicolons.

initddscan: the init startup files to scan in this cleanup. Some samples are not deleted after their first run, and the directory they are activated into is random, so that randomly generated directory cannot be found by binary analysis. However, the sample in that directory usually has a corresponding startup item (and if it does not, leaving the remaining sample in place is not much of a problem). This option traverses the startup files to find such possibly missed samples. It also supports fuzzy search: the startup files generated by some special samples contain a characteristic string, and appending **d to the name being looked up matches on that string. For example, if the generated startup file contains the field secdbg, write secdbg**d.

Options supported by kill on Windows

filepath: same as Linux.

command: same as Linux.

filedel: same as Linux; note the semicolon separator.

sign: same as Linux.

register: the registry keys to be removed in this cleanup, separated by semicolons. Some samples use the default (unnamed) registry value; in that case replace the value name with moren.

For example, to remove the default value under HKEY_CURRENT_USER\Software\Microsoft\MSPaint, as in the following registry screenshot,

write:

register = hkey_current_user\software\microsoft\mspaint\moren

processes: the names of the processes to kill, separated by semicolons. Linux does not have this option because the removal core recognises processes automatically there, but implementing that on Windows is more troublesome and is left for the second version. Fortunately, samples on Windows usually have fixed names, and most of them live inside special system processes by injection rather than spawning large numbers of random processes at once as on Linux.

devicelink: the device link (file descriptor) of the driver to unload in this cleanup. Some samples are protected by a driver, but the driver itself is often unprotected; with this item and the following iocontrolcode, the sample's protecting driver can be unloaded.

iocontrolcode: the control code of the unload function in the driver to be unloaded. With devicelink and iocontrolcode, weaker driver protections can be removed, for example that of the Phantom of the Securities sample. Both parameters must of course be obtained by reverse engineering, and if the driver does not export an unload routine the method is useless.

At present the first version can complete day-to-day sample removal based on the configuration file, excluding some nasty rootkits: put plainly, samples with driver-level protection cannot be handled.
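The option description above turns on two details a config author has to get right: the removal core executes the file top to bottom, so the order of the lines is the cleanup logic, and two values carry special meaning (moren for a default registry value, a trailing **d for fuzzy initddscan matching). The following added example (my own illustration, not the project's parser) reads a constructed kill configuration in the key = value shape shown above, keeps the steps in file order, splits semicolon lists, and resolves those two special values; the exact layout (platform header first, one option per line) is an assumption.

```python
from typing import List, Optional, Tuple

# Constructed kill configuration in the key = value shape the text describes.
# Assumed layout (not confirmed by the page): platform header first, one option per line.
SAMPLE_CONF = """\
[windows]
option = kill
processes = notepad.exe; evil_helper.exe
filedel = D:\\test\\sample; D:\\test\\sample.dll
register = hkey_current_user\\software\\microsoft\\mspaint\\moren
"""

DEFAULT_KEY = "moren"  # the page's placeholder for a registry value with no name (default value)
FUZZY_SUFFIX = "**d"   # initddscan marker: match any startup file whose name contains the prefix

def parse_kill_config(text: str) -> Tuple[Optional[str], List[Tuple[str, List[str]]]]:
    """Return (platform, steps). Steps keep file order, because the removal core
    runs the configuration top to bottom and the order is the cleanup logic."""
    platform, steps = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            platform = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        values = [v.strip() for v in value.split(";") if v.strip()]  # semicolon-separated
        steps.append((key.strip().lower(), values))
    return platform, steps

def registry_target(path: str) -> Tuple[str, Optional[str]]:
    """Split 'key\\name' into (key, name); a name of 'moren' means the default value."""
    key, _, name = path.rpartition("\\")
    return (key, None) if name.lower() == DEFAULT_KEY else (key, name)

def initd_matches(pattern: str, startup_files: List[str]) -> List[str]:
    """Exact startup-file match, or case-insensitive substring match for 'xxx**d'."""
    if pattern.endswith(FUZZY_SUFFIX):
        needle = pattern[:-len(FUZZY_SUFFIX)].lower()
        return [f for f in startup_files if needle in f.lower()]
    return [f for f in startup_files if f == pattern]

if __name__ == "__main__":
    plat, steps = parse_kill_config(SAMPLE_CONF)
    print(plat, [k for k, _ in steps])  # processes runs before filedel, as in the text
    print(initd_matches("secdbg**d", ["S99secdbgx", "rc.local"]))
```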

Examples

Linux platform

XOR family

Scan

Kill

Gates Family

Scan

Kill

Windows platform

Sea Lotus (OceanLotus)

Scan and kill

The Phantom of the Securities sample could in theory also be removed, but there is no good test environment for it, so that is not released.

The scan results are written to two generated files, All_result.txt and Target_result.txt. All_result.txt holds the scan information for all hosts; Target_result.txt is filtered down to the infected (compromised) hosts. A large-scale scan upload may drop connections; this is mainly because I did not have a large enough test environment, so...

Some of the current problems:
    1. There may be various small problems; please contact me promptly, thank you very much.
    2. Remote upload to Windows is not very well supported. The whole upload module is written around SSH, so Windows targets are also assumed to have SSH available for the upload. The code is written, but I really could not find a suitable Windows machine with SSH to test it, so you know...
Planning for the future:
    1. Fix the various small problems in the first version.
    2. Since it is multi-platform, should Mac be considered? This will be considered later, but I have not analysed enough Mac samples, so I do not have many good removal ideas; if someone provides me with samples, I can quickly add the macOS parts.
    3. PyInstaller solves everything on Windows, but many of the odd Linux builds may not work, so the Linux removal core may be rewritten in C later.
    4. The existing removal cores on both platforms are confined to the application layer; their capability needs to be improved by entering the kernel.
    5. And many more features.
