Kaspersky (AVP) memory-resident virus detection method
Author: killer
Kaspersky Antivirus was previously called AntiViral Toolkit Pro (AVP); out of habit and for brevity it is referred to here as AVP or KAV.
The point of studying AVP is that its detection method is a sound one, verified both in theory and in practice. Friends who came up through the DOS era will remember the standard anti-virus advice: "Your machine is infected? Fine, boot first from a clean, uninfected system floppy, then scan." I remember when CIH was rampant, a friend asked me to help him remove it. He said a well-known domestic AV reported the virus, but when he started that AV to clean it, the AV's own resident monitor also reported CIH. I told him to boot from a clean boot disk and then clean. That is one way, but why doesn't anti-virus software simply detect the virus in memory and clear it there directly? It is entirely possible; for detecting and clearing resident viruses in memory, the earliest product I know of to do this is AVP.
I. Detection method
The AVP virus database holds several kinds of records. One kind is the memory signature record: the set of features AVP uses to detect a virus that is resident in memory, and for some individual memory-resident infectious viruses AVP stores a dedicated detection method.
AVP scans for viruses resident in memory using the search method and the address offset recorded in the virus database. Starting from that address, when the byte at the address matches the record's match byte (i.e. BYTE [segment:offset] = record match byte), AVP computes the signature over the number of bytes given by the record's feature length. If it equals the signature stored in the record, the corresponding virus message is displayed; AVP then writes the repair bytes, for the length given by the repair record, at the processing offset, so that the copy of the virus in memory loses its ability to act.
The main fields of this record structure are:
Virus name
Search method: absolute address scan, segment scan, full scan, special module, interrupt tracking ...
Address offset: segment:offset
Match byte
Feature length
Feature (signature)
Dedicated processing: OBJ_LINK
Processing offset address
Processing byte length: generally less than 10
Repair bytes
II. Search methods
As can be seen, a key factor in AVP's fast processing is its search methods. AVP has a large number of search methods, applicable to MS-DOS, Win9x, WinNT/2000/XP and other systems. The handling of any given virus can use one of a variety of memory search methods, each with different characteristics, which is more efficient than scanning all of memory for every virus.
1. Absolute address scan:
AVP scans some viruses by absolute address: the scanner reads the address from the library record, matches it against memory at that address, and if the match succeeds performs the repair.
2. Segment scan:
AVP scans from the start of a memory segment, advancing one byte at a time in a loop, until the end of the segment.
3. Full scan:
AVP starts from memory address 0x00000000, increments in a loop and matches over all of memory.
4. Special module:
This is a method for certain particularly "cunning" viruses. When the scan and detection methods normally defined by AVP cannot identify the virus correctly, a dedicated processing module is used to detect and clear it. After the module is written, it is compiled into OBJ format and stored in the AVP library record (the OBJ_LINK field above).
5. Interrupt tracking:
This is mainly AVP's scanning method for DOS. It locates the virus code in memory near the system's interrupt handlers by following the system interrupts INT 21h and INT 13h, and then deactivates the virus by modifying the code near those instructions.
III. Example
A simple example: take this virus (a code fragment of a COM infector found on the Internet):
        cmp     ah, 3Dh
        jz      short @@infect_file     ; intercept DOS function 3Dh (open file)
@@JmpOldINT21:
        cli
        db      0EAh                    ; JMP FAR to the old INT 21h handler
@@infect_file:
        ....
After assembly it should look like this:
13B6:0100 80FC3D        CMP     AH,3D
13B6:0103 74xx          JZ      infect_file
13B6:0105 FA            CLI
13B6:0106 EAxxxxxxxx    JMP     xxxx:xxxx
To detect and clear this virus we generate a record. The virus record in the AVP library could take the following form; it is enough to detect the virus and remove its activity:
Search method: interrupt tracking
Address offset: 1000:0000
Match byte: 80 FC
Feature length: 6
Feature: xxxxxxxx
Dedicated processing: null
Processing offset address: 3
Processing byte length: 2
Repair bytes: 90 90
With such a detection and repair record, AVP can detect and repair the active virus resident in memory, and then fully clear the virus from disk files through a separate file virus detection/repair record.
This article is part of my AVP reverse-engineering study series. The method analysed differs slightly between versions; thanks to AVP's good architecture, these changes are mainly reflected in the processing and removal methods and in the length of the record structure.
Comments and corrections are welcome. (Source: Security Focus; Author: killer)
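To make the record structure from part I, the search methods from part II and the example record from part III concrete, here is an added toy model in Python. It is not AVP's or Kaspersky's code, and several details are assumptions: the feature is modelled as a CRC32 over "feature length" bytes (AVP's real checksum algorithm is not described here); interrupt tracking is modelled as following the INT 21h vector in the real-mode interrupt vector table and scanning the memory right after the handler, ignoring the address field; and the memory image, the load address 13B6:0100, the JZ displacement 05 and the far-jump target are all constructed for the demonstration.

```python
# Added example (not AVP/Kaspersky code): record-driven detection and repair of a
# memory-resident virus, following the record fields and search methods described
# above. CRC32 as the feature checksum, the IVT-based "interrupt tracking" and the
# sample memory image are all constructed assumptions.
import zlib
from dataclasses import dataclass

SEG_SIZE = 0x10000          # one real-mode segment
INT21_VECTOR = 0x21 * 4     # IVT slot of INT 21h: linear address 0x84

def linear(seg, off):
    """Real-mode segment:offset -> linear address."""
    return (seg << 4) + off

@dataclass
class MemoryRecord:
    name: str
    method: str          # "absolute", "segment", "full" or "interrupt"
    seg: int             # address offset field (segment part)
    off: int             # address offset field (offset part)
    match_bytes: bytes   # cheap pre-check before the checksum is computed
    feature_len: int     # number of bytes covered by the feature checksum
    feature: int         # 32-bit checksum (CRC32 here; an assumption)
    repair_off: int      # processing offset address, relative to the match
    repair_bytes: bytes  # bytes written over the virus to deactivate it

def checksum(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def candidates(mem, rec):
    """Linear addresses to test, according to the record's search method."""
    if rec.method == "absolute":
        yield linear(rec.seg, rec.off)
    elif rec.method == "segment":
        base = linear(rec.seg, rec.off)
        yield from range(base, min(base + SEG_SIZE, len(mem)))
    elif rec.method == "full":
        yield from range(len(mem))
    elif rec.method == "interrupt":
        # Follow the INT 21h vector (offset word, then segment word) and scan
        # the memory right after the handler; the address field is ignored.
        off = int.from_bytes(mem[INT21_VECTOR:INT21_VECTOR + 2], "little")
        seg = int.from_bytes(mem[INT21_VECTOR + 2:INT21_VECTOR + 4], "little")
        base = linear(seg, off)
        yield from range(base, min(base + 0x100, len(mem)))
    else:
        raise ValueError(f"unknown search method {rec.method!r}")

def scan(mem, rec):
    """Return the linear address where the record matches, or None."""
    n = len(rec.match_bytes)
    for a in candidates(mem, rec):
        if mem[a:a + n] != rec.match_bytes:
            continue                     # cheap byte compare first
        if checksum(mem[a:a + rec.feature_len]) == rec.feature:
            return a                     # full feature check only on candidates
    return None

def repair(mem, addr, rec):
    """Overwrite the virus at addr + repair_off in place; return the old bytes."""
    start = addr + rec.repair_off
    old = bytes(mem[start:start + len(rec.repair_bytes)])
    mem[start:start + len(rec.repair_bytes)] = rec.repair_bytes
    return old

# Constructed sample: the CMP AH,3Dh / JZ / CLI / JMP FAR fragment from the
# example, loaded at 13B6:0100 with INT 21h hooked to point at it.
VIRUS_SEG, VIRUS_OFF = 0x13B6, 0x0100
VIRUS_CODE = bytes.fromhex("80FC3D" "7405" "FA" "EA001000F0")  # CMP / JZ +5 / CLI / JMP F000:1000

def build_sample_memory():
    mem = bytearray(0x14000)             # flat image of low memory (constructed)
    mem[INT21_VECTOR:INT21_VECTOR + 2] = VIRUS_OFF.to_bytes(2, "little")
    mem[INT21_VECTOR + 2:INT21_VECTOR + 4] = VIRUS_SEG.to_bytes(2, "little")
    base = linear(VIRUS_SEG, VIRUS_OFF)
    mem[base:base + len(VIRUS_CODE)] = VIRUS_CODE
    return mem

def make_record(method):
    """The example record above, expressed for each search method."""
    seg, off = {"absolute": (VIRUS_SEG, VIRUS_OFF), "segment": (VIRUS_SEG, 0),
                "full": (0, 0), "interrupt": (0x1000, 0)}[method]
    return MemoryRecord(
        name="Demo.COM.Infector (constructed)", method=method, seg=seg, off=off,
        match_bytes=bytes.fromhex("80FC"), feature_len=6,
        feature=checksum(VIRUS_CODE[:6]),            # over 80 FC 3D 74 05 FA
        repair_off=3, repair_bytes=bytes.fromhex("9090"))  # NOP out the JZ

if __name__ == "__main__":
    for method in ("absolute", "segment", "full", "interrupt"):
        mem, rec = build_sample_memory(), make_record(method)
        addr = scan(mem, rec)
        old = repair(mem, addr, rec)
        print(f"{method:9s}: found at {addr:#07x}, replaced {old.hex()} with "
              f"{rec.repair_bytes.hex()}, rescan -> {scan(mem, rec)}")
```

Running the block shows the same match at linear address 0x13C60 for all four search methods, the JZ bytes 74 05 replaced by 90 90, and the rescan returning None: the match byte 80 FC still matches, but the six-byte feature no longer does, which is exactly why the repair is applied inside the feature range.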