What Is a Pattern File?

A signature (feature code) is the code used to determine which computer field a piece of data belongs to; it totals 40 characters.

A signature cannot be obtained by simply lifting one contiguous piece of code; instead the code is segmented, and the gaps between segments may contain arbitrary content (that is, the signature includes "mask bytes" that do not take part in the comparison).
With the rapid development of network and information technology, the network has become an important way for people to obtain information. Today, viruses in the pure sense have gradually been replaced by Trojans and worms. Operating system upgrades have been accompanied by the large-scale spread of backdoor viruses, which have evolved from simple self-starting to registering as system services, from single processes to daemons and remote thread injection, and even use driver technology to hide the backdoor program, making it increasingly difficult for users to find them manually. In this situation, new anti-virus technologies and products have been developed continuously, in a war without gunsmoke. [2]

Introduction to signatures

A signature (feature code) is a hexadecimal code of no more than 64 bytes that the antivirus software extracts from a virus sample and that can represent the characteristics of the virus. There are three types: single signatures, multiple signatures, and composite signatures. The idea of signature extraction is as follows. First obtain the length of the virus program and divide the file into several parts based on that length (segmentation largely avoids the false alarms that a single, too concentrated feature code would produce). From each part, select a feature string of 16 B or 32 B; discard candidates that consist of generic information or of all-zero bytes, adjust the offset randomly and select again. Finally, store the selected segments and their offsets in the virus database, together with the name of the virus. Following this idea, a signature extraction program can be written that extracts signatures automatically and saves the virus records. When scanning for viruses, the antivirus software compares the target file against the signatures in the virus database using a pattern matching algorithm to determine whether it is infected.
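
The extraction and matching idea above, together with the "mask bytes" mentioned in the introduction and the multiple-signature rule (all segments must match) and the zero-filled-segment fallback ("pseudo signature") described further down, as an added example in Python. It is illustration only, not code from the article or from any antivirus product: the sample file is constructed, the segment length and number of parts are fixed constants, "generic" data is approximated by windows made of a single repeated byte, and the mask convention (1 = compare, 0 = wildcard) is assumed here.

```python
"""Toy multi-segment, masked signature extractor and matcher.

Added illustration only: not code from the article or from any antivirus
product. Assumptions (ours): segments are stored with fixed offsets (as the
article describes), "generic" data is approximated by windows made of one
repeated byte (all-zero padding, NOP or INT3 sleds), and in a mask a byte of
1 means "compare" and 0 means "wildcard".
"""
import random
from collections import namedtuple

SEGMENT_LEN = 16      # the article picks 16 B or 32 B feature strings
NUM_SEGMENTS = 3      # number of parts the sample is divided into

Segment = namedtuple("Segment", "offset pattern mask")

# Constructed sample "file" (not a real virus): header-like bytes, a
# zero-padded code stub and a string. Part 1 starts with 20 bytes of zeros
# so that the "discard generic windows" path is exercised.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + bytes(range(0x40, 0x50))
    + b"\x00" * 20 + b"\x55\x8b\xec\x83\xec\x10\xe8\x12\x34\x56\x78\xc3"
    + b"ThisIsAConstructedSampleString!!"
)


def is_generic(window):
    """A window of one repeated byte would match far too many benign files."""
    return len(set(window)) <= 1


def extract_signature(sample, seed=0):
    """Divide the sample into NUM_SEGMENTS parts and take one non-generic
    SEGMENT_LEN window from each part, starting at a seeded random offset
    inside the part and moving forward until a usable window is found."""
    rng = random.Random(seed)
    part_len = len(sample) // NUM_SEGMENTS
    span = part_len - SEGMENT_LEN + 1        # candidate offsets per part
    if span < 1:
        raise ValueError("sample too small for this segment length")
    signature = []
    for part in range(NUM_SEGMENTS):
        base = part * part_len
        start = rng.randrange(span)          # random adjustment of the offset
        for i in range(span):
            off = base + (start + i) % span
            window = sample[off:off + SEGMENT_LEN]
            if not is_generic(window):
                signature.append(Segment(off, window, bytes([1]) * SEGMENT_LEN))
                break
        else:
            raise ValueError(f"part {part} of the sample contains only padding")
    return signature


def wildcard(segment, positions):
    """Copy of a segment whose mask ignores the given positions, e.g. the
    operand of a call whose target changes between builds."""
    mask = bytearray(segment.mask)
    for p in positions:
        mask[p] = 0
    return Segment(segment.offset, segment.pattern, bytes(mask))


def segment_matches(data, segment):
    """Compare the window at the stored offset, skipping masked positions."""
    window = data[segment.offset:segment.offset + len(segment.pattern)]
    if len(window) != len(segment.pattern):
        return False
    return all(m == 0 or w == p
               for w, p, m in zip(window, segment.pattern, segment.mask))


def scan(data, primary, fallback=None):
    """Multiple-signature rule: report only when every primary segment matches.
    A primary window that has been zero-filled is itself suspicious, so in that
    case a secondary (pseudo) signature set is consulted instead."""
    if all(segment_matches(data, s) for s in primary):
        return "infected"
    zero_filled = any(data[s.offset:s.offset + len(s.pattern)] == bytes(len(s.pattern))
                      for s in primary)
    if zero_filled and fallback and all(segment_matches(data, s) for s in fallback):
        return "infected (fallback signature)"
    return "clean"


if __name__ == "__main__":
    sig = extract_signature(SAMPLE)
    for s in sig:
        print(f"offset {s.offset:3d}: {s.pattern.hex()}")
    print(scan(SAMPLE, sig), scan(b"B" * len(SAMPLE), sig))
```

Because each segment is taken from its own part of the file, the segments never overlap, which is what lets a secondary signature drawn from the other parts still fire when one window has been zeroed out.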

Detection and processing of signatures

(1) Positioning of feature codes
Single-signature scanning extracts a run of consecutive bytes from the virus sample that identifies the virus. Its advantages are low overhead and a virus database that is easy to upgrade and maintain; however, it is prone to false positives and has been used less and less. Multiple-signature scanning builds on single-signature scanning by extracting further, non-contiguous segments; the file under examination is reported as infected only when it matches all of these segments. This lowers the false positive rate and improves accuracy, so it has become the technology of choice for most antivirus software. Multiple signatures can be located manually by "byte-by-byte replacement": each byte of the target Trojan server or virus is replaced in turn with 00h or FFh (other values also work), each result is saved as a separate file, and the generated files are then scanned. The files that are not deleted are those whose signature was modified; summarizing the modified bytes yields the "signature" that the antivirus product defines for that Trojan or virus. Because the manual work and the disk space required are too large, the procedure can be improved by segmentation, that is, by narrowing the range of the signature step by step. In the experiment, a particular antivirus product was chosen to locate the signatures of hacking tools. First, 128 B was used as the replacement unit, and the offset and range of the signature were found from the files that survived scanning; then the code was restored, and the located range was replaced and scanned again in 32 B units; finally, byte-by-byte replacement located the consecutive signature bytes. This requires only a few megabytes of space at a time and is fast, positioning from coarse to fine. At this point the multiple signature has been located successfully; only one piece of the signature needs to be selected and modified to evade detection.
(2) Modification of feature code
Modifying the located signature evades detection. For executable files the signature must be modified at the level of the assembly code: first disassemble the program and debug it with a debugger (such as OllyDbg), then find the assembly instructions at the virtual address converted from the file offset of the signature. The main modification methods are changing the case of strings, equivalent instruction replacement, swapping the order of instructions, and the general jump method. Many viruses use automatic mutation to avoid signature detection; these so-called polymorphic viruses have no fixed byte stream in their appearance. The polymorphism of the virus comes from encrypting its code segment, which completely changes the original signature: decryption code is added in a zero-filled area to decrypt the code segment, and a JMP instruction then jumps back to the original instruction code for execution. Since the code is restored after this step, the code can be encrypted manually, and the next time the virus executes it decrypts the code and runs it. As a result, the signature is completely changed and detection is avoided.

Feature Code Strategy Improvement and Technology Prospect

Signature technology has unmatched advantages such as a low false alarm rate, high accuracy and high reliability, and its technical mechanism and execution process are very mature. To compensate for the passive nature of signature technology, it is recommended to supplement it with the following new anti-virus technologies:
(1) Import table correlated signature
When a virus runs, it has to call the API functions that appear in its import table. If the signature is locked to this "sensitive" area of the executable file, the import table, the general jump method cannot be used to modify the signature, because the position of the import table is fixed; this effectively protects the signature.
(2) Pseudo signature
The antivirus software can check a certain segment of its own signature. If it finds that this segment has been filled with 0, it activates a previously prepared random pseudo signature and reports the virus. Even if the real signatures are found, detection is not affected.
(3) Broad-spectrum feature string filtering technology
Heuristics emerged in response to mutating and unknown viruses. Heuristic scanning determines whether a file is infected with an unknown virus by analysing the order in which instructions appear, or standard characteristics of common viruses such as specific instruction combinations. Because a virus must achieve its goal of infection and destruction, it usually shows certain characteristics, such as reading and writing files abnormally, terminating itself, copying itself to the system directory, modifying a registry key, or calling a specific API function. Therefore, whether a program is a virus can be decided by scanning for one specific behaviour or a combination of several behaviours. This heuristic scanning is much more advanced than static signature scanning and can handle unknown viruses to a certain extent, but it is still inaccurate: in particular, it cannot determine with certainty that a file is a virus, and it cannot disinfect unknown viruses. [3]
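
The behaviour-combination scoring described in (3), as an added example in Python over a constructed API-call trace; it is not code from the article or from any real scanner. The trace format (`<pid> <api> <argument>`), the behaviour names, the weights, the combination bonuses and the threshold are all assumptions made for this illustration; the paths and process ids in the trace are constructed, not taken from any real sample.

```python
"""Toy behaviour-based heuristic over an API-call trace.

Added illustration only: not code from the article or from any real scanner.
The trace format ("<pid> <api> <argument>"), the behaviours, the weights and
the threshold are all constructed for this example.
"""
import re

SYSTEM_DIR = "C:\\Windows"
RUN_KEY = "\\CurrentVersion\\Run\\"
THRESHOLD = 6

# Constructed trace: process 1234 shows the behaviours the article lists
# (copies itself to the system directory, sets a registry key, writes system
# files, injects a remote thread, deletes itself); process 5678 is benign.
TRACE = r"""
1234 CreateProcessW C:\Users\alice\Downloads\invoice.exe
1234 CopyFileW C:\Users\alice\Downloads\invoice.exe -> C:\Windows\System32\updater.exe
1234 RegSetValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater
1234 WriteFile C:\Windows\System32\updater.exe
1234 CreateRemoteThread pid=816
1234 DeleteFileW C:\Users\alice\Downloads\invoice.exe
5678 CreateProcessW C:\Program Files\Editor\editor.exe
5678 WriteFile C:\Users\alice\Documents\notes.txt
"""

# Weight of each single behaviour (constructed values) ...
WEIGHTS = {
    "copies_self_to_system_dir": 3,
    "sets_run_key": 2,
    "creates_remote_thread": 3,
    "deletes_own_image": 2,
    "writes_system_dir": 1,
}
# ... and extra weight for combinations that are more telling than their parts.
COMBO_WEIGHTS = {
    frozenset({"copies_self_to_system_dir", "sets_run_key"}): 3,      # persistent self-copy
    frozenset({"copies_self_to_system_dir", "deletes_own_image"}): 2,  # dropper removing itself
}

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s+(?P<arg>.*)$")


def parse_trace(text):
    """Yield (pid, api, argument); lines that do not fit the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("pid"), m.group("api"), m.group("arg")


def behaviours_per_process(text):
    """Map each pid to the set of behaviour names observed for it."""
    image = {}                               # pid -> its own executable path
    seen = {}
    for pid, api, arg in parse_trace(text):
        found = seen.setdefault(pid, set())
        if api == "CreateProcessW":
            image[pid] = arg
        elif api == "CopyFileW" and " -> " in arg:
            src, dst = arg.split(" -> ", 1)
            if src == image.get(pid) and dst.startswith(SYSTEM_DIR):
                found.add("copies_self_to_system_dir")
        elif api == "RegSetValueExW" and RUN_KEY in arg:
            found.add("sets_run_key")
        elif api == "CreateRemoteThread":
            found.add("creates_remote_thread")
        elif api == "DeleteFileW" and arg == image.get(pid):
            found.add("deletes_own_image")
        elif api == "WriteFile" and arg.startswith(SYSTEM_DIR):
            found.add("writes_system_dir")
    return seen


def score(behaviours):
    """Sum of single-behaviour weights plus bonuses for matching combinations."""
    total = sum(WEIGHTS[b] for b in behaviours)
    total += sum(w for combo, w in COMBO_WEIGHTS.items() if combo <= behaviours)
    return total


def scan_trace(text):
    """Return {pid: (score, sorted behaviours, verdict)} for every process."""
    result = {}
    for pid, found in behaviours_per_process(text).items():
        s = score(found)
        verdict = "suspicious" if s >= THRESHOLD else "no verdict"
        result[pid] = (s, sorted(found), verdict)
    return result


if __name__ == "__main__":
    for pid, (s, found, verdict) in scan_trace(TRACE).items():
        print(pid, s, verdict, ", ".join(found))
```

The verdict is deliberately "suspicious" rather than "virus": as the section says, a behaviour score can flag a file no signature has seen, but it cannot prove the file is malicious, which is why such output is normally used to select samples for analysis rather than to disinfect automatically.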
