恶意代码代码特征提取-白红宇

恶意代码代码特征提取

阅读量：4313 次

发布时间：2019-06-06

本文共 3112 字，大约阅读时间需要 10 分钟。

文件特征提取

1、利用哈希值作为病毒特征

2、选取病毒内部的特征字符串

3、选取病毒内部的特色代码

4、双重校验和

网络特征

1、具体的下载URL或者访问的URL

2、IP地址

3、网络域名

注册表信息提取

1、启动项

2、写死的某个开关值

内存特征提取

某个特定的页、读写权限、代码块大小

只要理解MEMORY_BASIC_INFORMATION这个架构中的RegionSize作用就知道怎么提取内存特征了

代码如下：

// 遍历内存.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。//#include "pch.h"#include 
    
     #include 
     
      #include 
      
       BOOL ShowProcMemInfo(DWORD dwPID);int _tmain(int argc, char* argv[]){    ShowProcMemInfo(GetCurrentProcessId());    return 0;}// 显示一个进程的内存状态 dwPID为进程IDBOOL ShowProcMemInfo(DWORD dwPID){    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,        FALSE,        dwPID);    if (hProcess == NULL)        return FALSE;    MEMORY_BASIC_INFORMATION mbi;    PBYTE pAddress = NULL;    TCHAR szInfo[200] = _T("BaseAddr Size Type State Protect \n");    _tprintf(szInfo);    while (TRUE)    {        if (VirtualQueryEx(hProcess, pAddress, &mbi, sizeof(mbi)) != sizeof(mbi))        {            break;        }        if ((mbi.AllocationBase != mbi.BaseAddress) && (mbi.State != MEM_FREE))        {            _stprintf(szInfo, _T(" %08X %8dK "),                mbi.BaseAddress,                mbi.RegionSize >> 10);        }        else        {            _stprintf(szInfo, _T("%08X %8dK "),                mbi.BaseAddress,                mbi.RegionSize >> 10);        }        LPCTSTR pStr = _T("");        switch (mbi.Type)        {            case MEM_IMAGE: pStr = _T("MEM_IMAGE "); break;            case MEM_MAPPED: pStr = _T("MEM_MAPPED "); break;            case MEM_PRIVATE: pStr = _T("MEM_PRIVATE"); break;            default: pStr = _T("-----------"); break;        }        _tcscat(szInfo, pStr);        _tcscat(szInfo, _T(" "));        switch (mbi.State)        {            case MEM_COMMIT: pStr = _T("MEM_COMMIT "); break;            case MEM_RESERVE: pStr = _T("MEM_RESERVE"); break;            case MEM_FREE: pStr = _T("MEM_FREE "); break;            default: pStr = _T("-----------"); break;        }        _tcscat(szInfo, pStr);        _tcscat(szInfo, _T(" "));        switch (mbi.AllocationProtect)        {            case PAGE_READONLY: pStr = _T("PAGE_READONLY "); break;            case PAGE_READWRITE: pStr = _T("PAGE_READWRITE "); break;            case PAGE_WRITECOPY: pStr = _T("PAGE_WRITECOPY "); break;            case PAGE_EXECUTE: pStr = _T("PAGE_EXECUTE "); break;            case PAGE_EXECUTE_READ: pStr = _T("PAGE_EXECUTE_READ "); break;            case PAGE_EXECUTE_READWRITE: pStr = _T("PAGE_EXECUTE_READWRITE"); break;            case PAGE_EXECUTE_WRITECOPY: pStr = _T("PAGE_EXECUTE_WRITECOPY"); break;            case PAGE_GUARD: pStr = _T("PAGE_GUARD "); break;            case PAGE_NOACCESS: pStr = _T("PAGE_NOACCESS "); break;            case PAGE_NOCACHE: pStr = _T("PAGE_NOCACHE "); break;        default: pStr = _T("----------------------"); break;        }        _tcscat(szInfo, pStr);        _tcscat(szInfo, _T("\n"));        _tprintf(szInfo);        pAddress = ((PBYTE)mbi.BaseAddress + mbi.RegionSize);    }    CloseHandle(hProcess);    return TRUE;}