吾爱游客
Posted on 2015-9-23 03:26
1. Applicant ID: 卢宁东
2. Personal e-mail: 467385039@qq.com
3. Original technical article: Packer identification in malicious-code scanning
Article body:
To spread their code, malware authors generally pack it. Packing hides the original signatures, which makes analysis and identification harder.
In practice, unpacking a sample by running its own unpacking code (the packer stub) is very fast, but the stub must be verified first;
verification, in turn, costs the ability to recognize modified (mutated) stubs.
Below I use UPX 1.24 for win as an example to show how this is handled.
First, use the VC 6.0 AppWizard to generate a dialog-based application named test.
Compiling the Release build gives a 20,480-byte test.exe.
Its MZ/PE header looks like this:
00000000 4D 5A 90 00 03 00 00 00-04 00 00 00 FF FF 00 00 MZ..............
00000010 B8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
00000020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00-00 00 00 00 D8 00 00 00 ................
00000040 0E 1F BA 0E 00 B4 09 CD-21 B8 01 4C CD 21 54 68 ........!..L.!Th
00000050 69 73 20 70 72 6F 67 72-61 6D 20 63 61 6E 6E 6F is program canno
00000060 74 20 62 65 20 72 75 6E-20 69 6E 20 44 4F 53 20 t be run in DOS 
00000070 6D 6F 64 65 2E 0D 0D 0A-24 00 00 00 00 00 00 00 mode....$.......
00000080 FB C6 9A 8E BF A7 F4 DD-BF A7 F4 DD BF A7 F4 DD ................
00000090 DD B8 E7 DD BB A7 F4 DD-3C BB FA DD BE A7 F4 DD ........<.......
000000A0 57 B8 FE DD B4 A7 F4 DD-57 B8 F0 DD BA A7 F4 DD W.......W.......
000000B0 BF A7 F5 DD CC A7 F4 DD-57 B8 FF DD B9 A7 F4 DD ........W.......
000000C0 07 A1 F2 DD BE A7 F4 DD-52 69 63 68 BF A7 F4 DD ........Rich....
000000D0 00 00 00 00 00 00 00 00-50 45 00 00 4C 01 04 00 ........PE..L...
000000E0 6B 49 EA 3F 00 00 00 00-00 00 00 00 E0 00 0F 01 kI.?............
000000F0 0B 01 06 00 00 10 00 00-00 30 00 00 00 00 00 00 .........0......
00000100 E0 16 00 00 00 10 00 00-00 20 00 00 00 00 40 00 ......... ....@.
00000110 00 10 00 00 00 10 00 00-04 00 00 00 00 00 00 00 ................
00000120 04 00 00 00 00 00 00 00-00 50 00 00 00 10 00 00 .........P......
00000130 00 00 00 00 02 00 00 00-00 00 10 00 00 10 00 00 ................
00000140 00 00 10 00 00 10 00 00-00 00 00 00 10 00 00 00 ................
00000150 00 00 00 00 00 00 00 00-A8 25 00 00 64 00 00 00 .........%..d...
00000160 00 40 00 00 A0 0A 00 00-00 00 00 00 00 00 00 00 .@..............
00000170 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000180 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001B0 00 20 00 00 DC 01 00 00-00 00 00 00 00 00 00 00 . ..............
000001C0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000001D0 2E 74 65 78 74 00 00 00-42 09 00 00 00 10 00 00 .text...B.......
000001E0 00 10 00 00 00 10 00 00-00 00 00 00 00 00 00 00 ................
000001F0 00 00 00 00 20 00 00 60-2E 72 64 61 74 61 00 00 .... ..`.rdata..
00000200 B6 09 00 00 00 20 00 00-00 10 00 00 00 20 00 00 ..... ....... ..
Disassembling the beginning of the program gives the entry-code listing; the entry point is 16E0 (the AddressOfEntryPoint field at file offset 0x100 in the dump above). Then pack the file with UPX 1.24.
When the traced execution reaches 00406B08, the following code can be found at 004016E0:
004016E0 >PUSH EBP
004016E1 MOV EBP,ESP
004016E3 PUSH -1
004016E5 PUSH test.004024F8
004016EA PUSH ; SE handler installation ...
This is the entry code of the packed test program, i.e. the original entry point restored in memory by the stub; it matches the 16E0 seen in the unpacked header.
Packer identification must not rely on section names: many packer-patching tools exist that change section names and most other visible characteristics.
A faster method is to match a handful of bytes at a known offset in the packed code section.
For example, after packing with UPX 1.24 there is always a DWORD 0x909010EB (bytes EB 10 90 90, a short jump followed by NOPs) at offset 0x10 from the packed program's entry point in the code section; that value can serve as the identifier for this UPX version.
A more cautious method is to match the MD5 or CRC32 checksum of the unpacking code itself.
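The two identification methods above, the fast entry-point signature and the stricter stub checksum, combined in one script. This is an added example, not code from the original post. It builds minimal PE32 images in memory (one section, stub placed after some filler so the entry point is not the section start, as with UPX) so that it runs offline; the 32-byte UPX stub is an assumed reconstruction of the UPX 1.2x win32 decompressor prologue rather than bytes taken from a real file, and the masking of the two per-file immediates before hashing is a design choice of this example, not something the post describes. Function names (build_pe, parse_pe, classify, ...) are this example's own.

```python
# Packer identification: entry-point byte signature plus normalized stub hash.
# Added example; the PE images and the UPX stub bytes below are constructed.
import hashlib
import struct
import zlib

IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN = 0x400000, 0x1000, 0x200

# Assumed UPX 1.2x entry sequence: pushad; mov esi,src; lea edi,[esi+delta];
# push edi; or ebp,-1; jmp short +0x10; 8 x nop; mov al,[esi]; inc esi; ...
# Only the two immediates (src, delta) change from file to file.
UPX_STUB = bytes.fromhex("60" "BE00A04000" "8DBE0060FFFF" "57" "83CDFF"
                         "EB10" "9090909090909090" "8A0646880747")
STUB_IMM_RANGES = ((1, 5), (8, 12))                 # per-file immediates to mask
UPX124_MAGIC, UPX124_MAGIC_OFF = 0x909010EB, 0x10   # EB 10 90 90 at EP+0x10

# Entry bytes of the unpacked VC6 test.exe as listed in the post
# (push ebp; mov ebp,esp; push -1; push 004024F8), padded with int3.
VC6_ENTRY = bytes.fromhex("558BEC6AFF68F8244000").ljust(32, b"\xCC")


def build_pe(stub: bytes, section_name: bytes) -> bytes:
    """Minimal PE32 with one section; the stub sits 0x200 bytes into it."""
    sec_rva, sec_raw, sec_size, stub_in_sec = 0x1000, 0x400, 0x400, 0x200
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, sec_rva + stub_in_sec)         # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, sec_rva + sec_size, sec_raw)  # SizeOfImage, SizeOfHeaders
    sec_hdr = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), sec_size,
                          sec_rva, sec_size, sec_raw, 0, 0, 0, 0, 0xE0000060)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr).ljust(sec_raw, b"\0")
    body = bytearray(sec_size)
    body[stub_in_sec:stub_in_sec + len(stub)] = stub
    return headers + bytes(body)


def parse_pe(data: bytes):
    """Walk MZ -> e_lfanew -> PE32 headers; return (entry RVA, section table)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, rva, rsize, roff = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), rva, max(vsize, rsize), roff))
    return entry_rva, sections


def entry_file_offset(data: bytes) -> int:
    """Map AddressOfEntryPoint to a file offset via section RVA ranges.
    Section names are ignored on purpose: patchers rename them freely."""
    entry_rva, sections = parse_pe(data)
    for _, rva, size, roff in sections:
        if rva <= entry_rva < rva + size:
            return roff + (entry_rva - rva)
    raise ValueError("entry point lies outside every section")


def matches_upx124_signature(data: bytes) -> bool:
    """Fast check from the post: DWORD at EP+0x10 equals 0x909010EB."""
    off = entry_file_offset(data) + UPX124_MAGIC_OFF
    return struct.unpack_from("<I", data, off)[0] == UPX124_MAGIC


def normalized_stub(data: bytes, length: int = len(UPX_STUB)) -> bytes:
    """Stub bytes at the entry point with per-file immediates zeroed (assumed
    layout), so the digest is stable across files packed by the same stub."""
    off = entry_file_offset(data)
    stub = bytearray(data[off:off + length])
    for lo, hi in STUB_IMM_RANGES:
        stub[lo:hi] = bytes(hi - lo)
    return bytes(stub)


def stub_digests(data: bytes):
    """(MD5 hex, CRC32) of the normalized stub: the cautious check from the post."""
    stub = normalized_stub(data)
    return hashlib.md5(stub).hexdigest(), zlib.crc32(stub) & 0xFFFFFFFF


def classify(data: bytes, known_crcs) -> str:
    """Signature first (fast), then stub CRC (strict). A signature hit with an
    unknown CRC is the patched/mutated-stub case the post warns about."""
    if not matches_upx124_signature(data):
        return "not UPX 1.24"
    if stub_digests(data)[1] in known_crcs:
        return "UPX 1.24, stub verified"
    return "UPX 1.24 signature, stub modified"


# Reference CRC taken from a known-good packed image (here: one we built).
KNOWN_UPX124_CRCS = {stub_digests(build_pe(UPX_STUB, b"UPX1"))[1]}

if __name__ == "__main__":
    samples = [
        ("packed, UPX1 section", build_pe(UPX_STUB, b"UPX1")),
        ("packed, section renamed", build_pe(UPX_STUB, b".text")),
        ("packed, stub patched", build_pe(UPX_STUB[:0x14] + b"\x8B\xC0" + UPX_STUB[0x16:], b"UPX1")),
        ("unpacked VC6 test.exe", build_pe(VC6_ENTRY, b".text")),
    ]
    for label, image in samples:
        print(f"{label:26s} -> {classify(image, KNOWN_UPX124_CRCS)}")
```

The renamed-section sample still classifies as verified UPX because nothing in the check looks at section names; the patched sample keeps the EB 10 90 90 signature but fails the CRC, which is exactly the trade-off the post describes: the checksum catches a tampered stub, but it also stops recognizing a deliberately mutated one. Hashing the raw bytes at the entry point without masking the two immediates would make the CRC differ for every packed file, so a real allow-list has to hash a normalized stub or skip the file-specific fields.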