Virtual machine design of anti-virus engine design
Author: NJUE dispatch time: 2004.01.14
Editorial Press: Introduction "The Introduction of Anti - virus Engine Design" We introduced the development of viral technology and the characteristics of some viruses and infection mechanisms. Below we focus on virtual machine torment.
table of Contents
2.1 Introduction to virtual machines
2.2 encrypted deformation virus
2.3 Virtual machine implementation technology detailed
2.4 Analysis of virtual machine code
2.4.1 Analysis of the simulation function of the non-dependent flag register
2.4.2 Analysis of Dependent Flag Register Instruction Simulation Function
2.5 anti-virtual machine technology
2. Virtual machine
2.1 Introduction to virtual machines
In recent years, virtual machines, in the anti-virus industry, also known as universal decryption, has become the most striking part in anti-virus software, although anti-virus is far from its application, but it has not reached a perfect level, but The virtual machine has brought bright prospects with market sales of anti-virus products such as "viral instruction code simulator" and "stryker". The following discussion will bring us into a wonderful virtual technology world.
The first thing to talk about is the concept of virtual machines and it is with a virtual machine such as VMware (US VMware, which supports other operating systems such as Linux in WinNT / 2000) and VDM under Win9x (DOS virtual It is used to run 16 real mode code in the 32-bit protection mode environment. In fact, these virtual machines design ideas are somatic findings. As early as the 1960s IBM, a set of operating systems named VM / 370 were developed. The VM / 370 provides a pre-standard multitasking between different programs, and the process is a multi-virtual machine in a single actual hardware.
Typical VM / 370 session, the user sits before the remote terminal of the cable, the initializer load operation of the simulation of the real machine via a control program, so a complete operating system is loaded into the virtual machine, and Started to create a session for the user. This simulation system is so complete, and the system programmer can even run its virtual copy to unlocate the new version. VMware is very similar to this, which can create a virtual machine as an application under the original operating system, and create a virtual machine for the target operating system, the target operating system is like running on a single real machine, whit Not under the control of VMware. When the power button is pressed in VMware, the machine's self-test screen appears, followed by the load of the operating system, everything is true.
Win9x uses VMS to make multiple programs shared CPU and other hardware resources (all Win32 applications are running on a system virtual machine; each 16-bit DOS program has a DOS virtual machine). The VM is a thing that is completely fictitious by software, and responds to the needs of the application in the same way as the real computer. From a point of view, you can treat a standard PC structure as an API. The elements of this API include hardware I / O systems, and Bios and MS-DOS based on interrupts. Win9x often proxy these traditional API elements with its own software so that it is possible to reproduce the precious hardware. The application running on the VM thinks yourself exclusively, they believe they get input from the real keyboard and the mouse and output from the real screen. Slightly add a little restriction, they can even think that you have a CPU and all memory. The key to realizing virtual technology is that software virtualization and hardware virtualization, the following briefly introduces the implementation of DOS virtual machines under Win9x.
When Windows moves to the protection mode, the protection mode program cannot directly call the MS-DOS processing routine of the real mode, and cannot directly call the BIOS of the real mode. Software virtualization is used to describe how the Windows part can interact with each other with real-mode MS-DOS and BIOS. Software virtualization requires the operating system to intercept the call to the protection mode and the real mode boundary, and adjust the appropriate parameter register to change the CPU mode. Win9X uses virtual device driver (VXD) to intercept the interrupt from the protection mode, and convert it into a real mode interrupt call by real mode interrupt vector table (IVT). As part of the conversion, VXD must use the parameters in the protected mode extension memory, generate an appropriate parameter and place it in the active mode (V86) operating system can access. After the service is over, VXD is assigned to the protected mode call end in the extended memory. A large number of 21h and 13h interrupt calls in the 16-bit DOS program are resolved here, but there are still many direct port I / O operations, which requires the introduction of hardware virtualization to solve. The appearance of the virtual hardware is to generate an interrupt request on the hardware interrupt request line, in order to respond to the IN and OUT instructions, change the special memory mapping position. Hardware virtualization depends on several features of Intel 80386 . One is the I / O license mask, allowing the operating system possible to trapping all IN / OUT instructions to any port (trap). Another feature is that the hardware assisted paging mechanism allows the operating system to provide virtual memory and intercept the access to the memory address, which will be a good example of this very well. The last necessary feature is the virtual 8086 (V86) mode of the CPU, so that the DOS program is executed in the real mode.
We discussed the virtual machine for torching is not like some people who want to create a virtual execution environment like VMware, providing all elements that it may be used, including hard drives, ports, etc. Let it play freely, and finally determine whether it is a virus according to its behavior. Of course, this is a good idea, but considering that its design is too difficult (too much to simulate too much elements and behavioral analysis to be artificial intelligence theory), it can only be used as the direction of future development. The virtual machine I have designed is strictly called virtual machine, and it is called virtual CPU, universal decryptor, etc., but because of anti-virus jurisprint, I will also be in the discussion, I will also Continue this name.
Virtual machines are a software simulation CPU that can be referred to, decoding, executing like a true CPU, which can simulate a result of a piece of code to run on the true CPU. A set of machine code sequences is given, and the virtual machine will automatically remove the first instruction opcode section, determine the operating code type, and addressing mode to determine the length of the instruction, and then execute the instruction in the corresponding function, and according to the execution The result is determined where the following instructions are determined, and the loop repeatedly until a particular situation occurs at ending, this is the basic working principle and simple process of the virtual machine. The purpose of designing virtual machine is to deal with encrypted deformation viruses. The virtual machine first determines from the file and read the virus entry, then explain the decryption segment (Decryptor) of the viral header in the above working step, and finally executing The results of the virus were found in the result of the results (clear virus in the decryption). The so-called "virtual" here is not a virtual environment created, but it is not actually implemented by the dye file, but the virtual machine simulates the effect of its true execution. This is the basic principle of virtual machine, please refer to the relevant chapters later.
Of course, the virtual implementation technology is far more than the automatic shell (virtual machine speciation is actually the decryption of the decryption of the automatic tracking of the virus into the encrypted viral body), which can also be applied in cross-platform advanced language interpretation A malicious code analysis, debugger. For example, Liu Tao's domestic debugger TRDOS is fully utilized to interpret each instruction to perform the debugged program. This debugger compares traditional breakpoint debuggers (Debug, Softice, etc.) have many advantages, if it is not easy to be Not periphered by the debugger, there is no limit to the number of breakpoints. 2.2 encrypted deformation virus
The purpose of the design of the virtual machine to be tested is to deal with the encrypted deformation virus. This chapter focuses on encryption deformation technology.
Early viruses did not use any complex anti-testing techniques. If the disassembly tool opens the viral code, it will be true machine code. It is thus possible to uniquely determine a virus in a certain machine code in the virus. Simply determine the viral entrance and scan a specific code string at the specified offset. This static scanning technology deals with ordinary viruses is unloraity.
With the development of viral technology, a class of encrypted viruses appeared. This type of virus is: the inlet has a decryptor, and the virus main code is added. When the runtime is first obtained, the decryption code of the control will circulate the virus body. After the completion, the control is given to the viral body operation, and the viral body is infected, the decent is dispensed, and the viral main body with the random key is encrypted, and saved The infected document is written together in the virus or the key in the decomposition of the deceleration. Since the virus main body of different infectious examples of the same virus is encrypted with a different key, it is impossible to find a unique range of code strings and offsets to represent the characteristics of this virus, and seemingly static scanning techniques to fail. But think about it, the decryption of different infections still keeps the unchanged machine code clear (from the theory, there is no encrypted machine code, otherwise the program cannot be executed), so the feature code is selected from this. It will take a certain false positive risk (the code in the decrypted subword lacks the viral characteristics, the same signature can also appear in the normal program), but it is still a valid method.
Since the encrypted virus has not been able to completely escape the static signature scan, the virus writing is improved on the basis of an encrypted virus, so that the codes of the decociation have diverted different infections, which has an encrypted deformed virus. It is very similar to the encrypted virus. The only improvement is that the virus main body constructs a different file that will constructs a function of the same function but code different, that is, the decryption of different infectious instances has the same decryption function but the code is very different. For example, the original instruction can be completely removed to complete, and the middle may be inserted into useless spam. In this way, the static scanning technique is completely invalid because the constant signature cannot be found. Below, two examples will be given to the encrypted viral decryption sub-construction, and then discuss how to detect encrypted deformation viruses with virtual implementation techniques.
Deformation decryption of famous Polymorphic MARBURG:
00401020: MovsX EDI, Si; Virus entrance
00401023: Movsx EDX, BP
00401026: JMP 00408A99
......
00407400:; viral entrance
Encrypted virus main body
00408a94:; decryption pointer initial value
......
00408A99: MOV DL, F7
00408a9b: Movsx EDX, BX
00408A9E: MOV ECX, CF4B9B4F
00408AA3: CALL 00408AC4
......
00408ac4: POP EBX
00408ac5: JMP 00408ADE
......
00408ade: MOV CX, DI
00408ae1: add ebx, 9fdbd22d
00408ae7: JMP 00408B08 ......
00408B08: Add ECX, 80C1FBC1
00408B0E: MOV EBP, 7FCDeff3; cyclic solution
00408b13: SUB CL, 39
00408B16: MovsX ESI, SI
00408B19: Add DWORD PTR [EBX 60242DBF], 9EF42073; Decryption statement, 9EF42073 is a key
00408B23: MOV EDX, 6FD1D4CF
00408B28: MOV DI, DX
00408B2B: Inc EBP
00408B2C: XOR DL, A3
00408B2F: MOV CX, Si
00408B32: SUB EBX, 00000004; Move decryption offset pointer, reverse decryption
00408B38: MOV ECX, 86425DF9
00408B3D: CMP EBP, 7FCDF599; Judgment decryption ending or not
00408B43: JNZ 00408B16
00408B49: JMP 00408B62
......
00408B62: MOV DI, BP
00408B65: JMP 00407400; hand control to the decrypted viral body entrance
Deformation decryption of famous Polymorphic HPS:
005365b8:; decryption pointer initial value and viral entrance
Encrypted virus main body
......
005379 CD: CALL 005379E2
......
005379E2: POP EBX
005379E3: SUB EBX, 0000141A; Setting the decision pointer initial value
005379E9: RET
......
005379f0: dec Edx; reduce cycle ratio
005379f1: RET
......
00537A00: XOR DWORD PTR [EBX], 10E7ED59; Decryption statement, 10E7ED59 is a key
00537A06: RET
......
00537A1A: SUB EBX, FFFFFFFFF
00537A20: SUB EBX, FFFFFFD; mobile decryption pointer, forward decryption
00537A26: RET
......
00537A30: MOV EDX, 74D9CB97; set the initial value of cyclic
00537A35: RET
......
00537A3F: Call 005379CD; Virus entrance
00537A44: Call 00537A30
00537A49: Call 00537A00
00537A4E: CALL 00537A1A
00537A53: Call 005379f0
00537A58: MOV ESI, EDX
00537A5A: CMP ESI, 74D9C696; Judgment decryption ending or not
00537A60: JNZ 00537A49
00537A66: JMP 005365B8; Give control to the decrypted viral entrance
The above code looks definitely not to be compiled with the compiler, or the programmer is hand-written, because of which a large number of chaos and garbage are filled. There is no comment portion in the code to be considered garbage code, and the function of useful partially completed is only a two-word plus or different fixed value that is looped to the encrypted virion. This is only one of the deformed viral infections, the decryption sub-and viral body of other instances will not be used, and it is extremely deformable to make people unable to recognize. As for the realization of deformation viruses, it is not discussed within our discussion due to complex algorithms and controls.
This detection of this encrypted deformation virus is obviously no longer possible. For this reason, the method we take is dynamic signature scanning technology. The so-called "dynamic signature scan" refers to the first decryption of the virus first under the mating of the virtual machine, followed by the display of the virus. We know that the virus in the decryption is stable, as long as the decrypted virion can be scanned using the signature. To obtain a virus, it must first explain the virus's decrypted subsection of the virus. When tracking and determining its loop decryption, the entire virus is clearly text or part has been saved to an internal buffer. The virtual machine is also referred to as a general-purpose decryption device that it does not have to know the encryption algorithm of the virion in advance, but by tracking the decryption process of the virus itself. As for how the virtual machine explains the instruction execution, how to determine that the executable code has a loop-free decision section will be described in the next section. 2.3 Virtual machine implementation technology detailed
With the introduction of the encrypted deformation virus, we know that the key to dynamic character scan technology is to obtain a clear text after the virus decryption, and the timing to which the plain text is generated is the decryption of the virus itself decrypt code. There are currently two ways to track each step of controlling the virus, and can read the viral states from the memory after the virus cycle decryption is completed. One is a single step and breakpoint tracking method, similar to the current program debugger; another method is of course a virtual execution method. The technical details of single-step and breakpoint tracking method and virtual execution method are analyzed below.
Single-step tracking and breakpoints are the most fundamental techniques for realizing traditional debuggers. Single step work principle is simple: When the CPU will check the logo register before executing a command, if the trap flag is found, it will cause a single step trap INT1H after the instruction is executed. As for the setup of the breakpoint, the software breakpoint is that the adjuster is used to replace the first byte of destruction to trigger the instruction in a single-byte break point command (CC, ie INT3H), which is executed to the breakpoint At the command, the default debug exception handling code will be called, and the segment / offset address saved in the stack is the address of one byte after the breakpoint instruction; the setting of the hardware breakpoint utilizes the processor itself. Support, the line-shaped address of the trigger command is set in the debug register (DR0 - DR4) and sets the relevant control bits in the debug control register (DR7), and the CPU automatically triggers debugging at the preset instruction.
And Windows itself provides a set of debug APIs, making debugging tracking a program is very simple: the debugger itself does not have to hang the default debug exception processing code, but only call the WaitFordeBugevent Waiting for the debugging event; debugger Using the GetThreadContext suspended to get the context, set the trap marker in the flag register in the context, and finally make the settings take effect through the setthreadContext to make single-step debugging; the debugger can also call two powerful debug APIs -ReadProcessMemory and WriteProcessMemory are injecting breakpoint instructions to the address space of the debugged thread. According to the results of my reverse analysis, the VC debugger is directly written by this debug API. Using the above debugging technology You can write a fully equipped debugger like VC , then there is no reason to use it to be used to automatic decryption of virus code. The simplest method: Create a debug sub-process that is to be checked as the debugger, then use the above method to make a single step, whenever you receive an event with an Exception_Single_STEP exception code, you can analyze the strip The instruction executed in the mode is finally determined to determine the READPROCESSMEMORY to read the viral body clear text after the entire decryption process of the virus.
The only thing to use single-step and breakpoint tracking method is that it does not have to handle execution of each instruction - which means it does not need to write a large number of specific instruction processing functions, because all decryption code is performed, debugging The device is just the control of the clearance of the code being interrupted by a single step. However, the disadvantage of this method is also quite obvious: one is prone to virus, and the virus only needs to make simple stack checks, or directly calls IsDebugerPresent to determine that they are being debugged; their second due to no corresponding machine code Analyze modules, decodes of instructions, execute completely on the CPU, so it will result in an accurate access to perform detail and effectively control it. The three single step and breakpoint tracking method requires the real execution of the executable to be executed, that is, it will be run as a real process in the system running in its own address space, which is of course not allowed by the virus scan. Obviously, the single-step and breakpoint tracking method can be applied to the debugger, automatic shell, etc., but is not suitable for torch. The only shortcomings of using virtual execution methods are that it must handle execution of all instructions internally - this means that it needs to write a large number of specific instruction processing functions to simulate the execution effect of each instruction, where there is no time here The problem of control, because control will always be in the virtual machine. The software method is used to simulate the CPU is not easy, and it is necessary to have enough understanding of its mechanism, otherwise the simulation effect will be far from real implementation. Two examples: One is a multiplication ASCII adjustment command AAM that is commonly used by the virus, which is often used by the virus to test the advantages and disadvantages of the virus because there is unprecedented behavior. Typically, AAM is a double-byte instruction, and the opcode is D4 0A (in fact 0a implicitly represents the operand 10); however, it can also be explicitly specified as a single-byte instruction to any 8-bit immediate number, At this point the opcode is only D4.
The virtual machine must take into account the case of the latter specified divisor to ensure the correctness of the simulation results; there is an example of a processor response interrupt method, that is, the CPU will not immediately respond immediately after the interrupt is just opened, but must be separated. An instruction cycle. If the virtual machine does not take into account the mechanism, it is likely that the virtual execution process will not do with the real situation. However, the advantages of virtual implementation are also very obvious, and it is not possible to fill the uniform and breakpoint tracking method: First, it is impossible to be aware of virus because the virtual machine will be in its internal buffer. Virtual execution code sets a dedicated stack, so the stack check results are not actually executed (will not press the return address to the stack and the return address when the breakpoint is interrupted; secondly due to the calculation of the decoding and address of the virtual machine itself Therefore, it is possible to obtain details of each instruction and control; Finally, the most critical feature is that virtual execution has indeed "virtual" execution, the system does not generate the process of executor because the executor's register group And the executive elements such as stacks are implemented inside the virtual machine, so it can be considered to be executed in the virtual machine address space. In view of the advantages of virtual implementation, it is better to apply it to universal virus.
Typically, the virtual machine design can take one of the following three: self-contained virtual machine (SCCE), buffer code virtual machine (BCE), Finite Code Virtual Machine (LCE).
The self-contained virtual machine works like a real CPU. A instruction is taken from memory, decoded by scce, and is transmitted to the corresponding analog to the instruction, the next instruction continues this loop. The virtual opportunity contains a routine to decode the memory / register addressing operands, and then includes a routine set for simulating instructions that may be performed on the CPU. As you think, scce's code will become extremely huge and speed. However, SCCE is useful for an advanced anti-virus software. All instructions are processed inside, and virtual machines can make a very detailed report on each of the instructions, which will refer to each other to form an effective anti-drug system with each other. At the same time, the anti-virus program can most accurately control memory and port access because it handles the address decoding and calculation. The buffer code The virtual machine is a thumbnail of the science because it has a smaller size and faster execution speed relative to the SCCE. In BCE, an instruction is obtained from memory and is compared to a special instruction table. If it is not a special directive, it is made to decode the length of the instruction, and then all such instructions are imported into a small process that can simulate all non-special instructions. Special instructions only account for a small part of the entire instruction set, simulates in a particular small processing program. BCE reduces the number of instructions that must be specially processed by using all non-special instructions with a small universal handler, so that it cuts its own size and improves the execution speed. But this means that it will not truly limit access to a memory area, port, or other similar things, and it is impossible to generate the same comprehensive report provided by SCCE.
Finite code The virtual machine is a bit like a level of virtual system for universal decryption. LCE is actually not a virtual machine because it does not really simulates instructions, it simply tracks the register content of a piece of code, and may provide a small modified memory address table, or the called interrupt. thing. Choosing the reason for using LCE rather than a bigger and more complex system, even if support for very small number of instructions can be taken far on the way of decrypting the original encrypted virus, because the virus only uses a small portion of the Intel instruction set to encrypt Its main body. Using LCE, there is no significant cost of the entire Intel instruction set, bringing a huge growth of speed. Of course, this is at the expense of the unable to handle complex decryption blocks. When the LCE is useful when you need to perform a quick file scan, because a small but like Lce can be used to quickly check the suspicious behavior of the execution file, the SCCE algorithm will be used to use the SCCE algorithm for each file will result in slowness. Of course, if a file looks suspicious, the LCE can also start a full inspection of a SCCE code.
The following start introduce 32-bit self-contained code virtual machine W32encode (W32Encode.cpp, tw32asm.h, tw32asm.cpp as part of the check engine and other search clearance modules to rSENGINE.DLL). Since this is a fully designed and complex large commercial virtual machine, which inevitably contains specific processing of certain viruses, in order to make the virtual machine model clamps, I will make appropriate simplification when analyzing.
W32Encode works very simple: it first sets an analog register group (with a DWORD global variable to simulate a register within the real CPU, such as Eneax) initial value, initialize the execution stack pointer (a value of a quantity in the virtual machine STATIC INT Stack [ 0x20] To simulate the stack). Then enter a cycle, explain the head 256 instructions in the instruction buffer progbuffer, and if the virus is not found when the cycle exits, it can thus determine the non-encrypted variant virus. If you find that the encrypted cycle is found, the EncodeInst function is called repeatedly to perform a loop. The decryption process is decrypted in Dataseg1 or Dataseg2. The relevant partial code is as follows: W32encode0 overall flow control section code:
FOR (i = 0; i <0x100; i ) // First, virtual execution 256 instructions attempt to discover the virus circulation solution
{
IF (Instloc> = 0x280)
Return (0);
IF (Instloc Progseekoff> = Progendoff)
Return (0); // The following two judgment statements check the legality of the instruction location
SaveInstloc (); // Stores the offset of the current instruction in the instruction buffer
Hasaddnewinst = 0;
IF (! (j = parse ())) // a command in the virtual execution instruction buffer
Return (0); // Exit circulation when you encounter an unform
IF (j == 2) // Return value 2 Description Discovery to understand the passing
Break;
}
IF (i == 0x100) // does not find loop after executing 256 instructions
Return (0);
Preparse = 0;
PROCESSINST ();
if (! EncodeInst ()) // Call the decryption function Repeat the loop decryption process
Return (0);
Judgment of the loop in JMP appears:
IF ((LOC> = 0) && (LOC If (! isinstloc (LOC)) // Find transfers in the saved instruction pointer inSTLocarray ... // make the pointer value, if it is found, it can be determined that the loop appears. Else { ...... Return (2); // Return Value 2 Represents Discovery to understand the dense loop } The process of virtual execution per instruction in PARS is more complex: Typically Parse will get the first two bytes of the current instruction from acquiring the command buffer progbuffer and call the corresponding instruction processing function according to their value. . For example, when the first byte is equal to 0F and the second byte bit is equal to BE, it can be determined that this instruction is MOVSZX and simultaneously calls MOVSZX for processing. When executing a process of entering a specific instruction, the command length is first determined by judging the addressing mode (calling modRegrM or ModRegrm1) and the control is given to the SaveInst function. SaveInST calls the true instruction execution function W32ExecuteInst after saving the information of the instruction. This function and PARSE are very similar, it acquires two bytes of the current command from SaveInstbuf1 and calls the corresponding instruction analog function according to their values to complete the execution of a directive. The relevant part of the code is as follows: Command partial code in W32ExecuteInst: IF ((C & 0xF0) == 0x50) {IF (ExecutePushPop1 (C)) // Simulate PUSH and POP Return (gotonext ()); Return (0); } IF (c == 0x9c) {IF (ExecutePushf ()) // Simulation PUSHF Return (gotonext ()); Return (0); IF (c == (char) 0x9d) {IF (ExecutePOPF ()) // Simulate POPF Return (gotonext ()); Return (0); } IF ((c == 0xF) && ((C2 & 0xBe) == 0xbe))) {IF (i = executemovszx (0)) // Simulate Movszx Return (gotonext ()); Return (0); } 2.4 Analysis of virtual machine code The overall process control and the relevant code of the dispatched part have been analyzed in the previous chapter. The specific specific instruction simulation function is analyzed below, which is the essence of the virtual machine. I will deliver instructions into two categories of index log registers and dependent logo registers: 2.4.1 Analysis of the simulation function of the non-dependent flag register Simulation of PUSH and POP instructions: Static Int ExecutePushPop1 (INT C) { IF (c <= 0x57) {if (stackp <0) // Check the legality of the stack buffer before the stack Return (0); } Else IF (stackp> = 0x40) // Check the legality of the stack buffer before the stack Return (0); IF (c <= 0x57) { STACKP -; Enesp- = 4; // If it is a stack instruction, reduce the stack pointer before the stack } Switch (c) {Case 0x50: stack [stackp] = energyax; // simulation PUSH EAX Break; ...... Case 0x5f: Enedi = stack [stackp]; // Simulate PUSH EDI Break; } IF (c> = 0x58) { STACKP ; Enesp = 4; // If it is out of the stack instruction, add a stack pointer after the stack is out. } Return (1); } 2.4.2 Analysis of Dependent Flag Register Instruction Simulation Function Simulation of CMP instructions in CW32ASM class: Void CW32ASM :: CMPW (INT C1, INT C2) { Char flgreg; __ASM { MOV EAX, C1 / / Get the first operand MOV ECX, C2 // acquired the second operand CMP EAX, ECX / / Comparison Lahf // put the result of the comparison mark into AH MOV flgreg, AH // Save results in local variables flgreg } FlagReg = flgreg; // Save results in global variables FlagReg } Simulation of JNZ Directive in CW32ASM class: INT CW32ASM :: JNE () {INT I; CHAR flgreg = flagreg; // Initialize local variables Flgreg with saved FlagReg __ASM { MOV AH, FLGREG / / Set AH is the saved simulation register value Pushf // Save the virtual machine itself current flag register SAHF // put the analog flag register value into the real flag register MOV Eax, 1 JNE L // Execute JNZ POPF // Restore Virtual Machine Sign Register XOR EAX, EAX l: POPF // Restore Virtual Machine Sign Register MOV I, EAX } Return (i); // Return value 1 means need to jump } 2.5 anti-virtual machine technology Any matter is not perfect, impeccable, virtual machines are no exception. Due to the emergence of anti-virtual implementation technology, virtual machine torch is subject to a certain challenge. Here is a few more typical anti-virtual execution techniques: The first is to insert special instruction technology, that is, some people in the virus are inserted into special instructions such as floating point, 3DNOW, MMX to achieve anti-virtual implementation. Although the virtual machine uses software technology to simulate the work process of the real CPU, it is not true CPU, due to limited energy, the virtual machine's coder may implement support for the entire Intel instruction set, so when the virtual opportunity does not know Work will be stopped immediately. However, through the analysis and statistics of such viral code, we have found that these special instructions have not had any effects on the decryption of the virus, and their insertion is just to interfere with the work of virtual machines. In other words, the virus will not take this. The result of the calculation of the random garbage instruction. In this way, we can only construct a command length table for all special instructions corresponding to different addressing methods, without having to write a dedicated analog function for each special instruction. With this table, when the virtual machine can index the form of the command to obtain the length of the command to obtain the length of the instruction, then the current simulation instruction pointer (EIP) plus the command length to skip this Garbage instructions. Of course, there is another insurance method that is: After getting the length of the instruction, you can put this command we don't know in a buffer full of empty operation command (NOP), then we will jump into the buffer. Go, this is equal to letting the true CPU help us to perform this instruction, and the last step is of course placing the result in the real register back to our analog register. The advantage of this virtual implementation and real implementation brilliance is that even if the special instruction is meaningful for the virus, that is, the virus relies on its return results, the virtual machine can ensure the correct virtual execution result. Secondly, the structured abnormal processing technology, that is, the decryption code of the virus first sets its own exception handler, and then deliberately trigger an exception to turn the program process to a pre-established exception handler. This process transfer is the result of the CPU and the operating system mutual cooperation, and to a large extent, the operating system has played a lot. Since the current virtual machine only simulates the working process of the CPU without the protection check, it is not processed for the system mechanism. Therefore, there are two results in the face of an exception: one is that some designs defective virtual machines cannot determine the legality of the analog instruction, so that the simulation will cause the virtual machine to perform illegal operations; The two virtual machine determines that the analog directive belongs to illegal instructions, and the virtual execution immediately stops virtual execution immediately. Usually the purpose of the virus uses this technology is to place the true cyclic decryption code to the exception handler, so the virtual machine will stop working before entering the exception handler, so that the solution is the opportunity to escape the virtual execution. Thus, a good virtual machine should have the ability to discover and record the operation of the virus installation exception filtering function and automatically control the power of the anomalous processing function when it causes an exception. Once again, the entry point fuzzy (EPO), that is, the virus is inserted by inserting a jump instruction in the host code body without modifying the host code. Through the previous analysis, we know that virtual machine scanning viruses for efficient consideration of all code impossible for virtual execution of the test file, the usual practice is: Scan to check the file code entry, if there is no decryption cycle in the specified step number, This determines that the file does not carry an encrypted deformation virus. The reason why this technique can actually perform this assumption that the virtual machine is used: Since the virus is controlled from the host to half, the virtual machine first explains the execution of the host entrance. Procedure, of course, it is impossible to discoverse loops in the specified steps, resulting in a slide. If the virtual machine can increase the size of the specified step size, it is likely that the virus is inserted with the virus to track the decryption of the virus, but it is really difficult to determine the size of the prescribed steps: too large, will have a normal program. Detection time; too small, it is easy to generate a drain. But we don't have to worry about it, this virus is not much more difficult because of its technical difficulty. Without the help of disassembly and virtual implementing engines, the virus is difficult to locate a full command within the host to insert jump, and it is difficult to ensure that the depth of the inserted jump instruction is greater than the specified step number of the virtual machine, and No grasp the inserted jump instruction will be executed. There are also multi-threaded techniques, that is, the virus initiates additional working threads in the decryption part of the entry main thread, and places the true cyclic decryption code in the working thread. Since the multi-line switching schedule is managed by the operating system, our virtual machine can only be permitted by the presence of the thread exclusible, that is, the guarantee will never be robbed. As a result, the virtual machine will be difficult to simulate the enable multi-threaded work. Multi-threaded and structured exception handling two technologies have utilized a specific operating system mechanism to achieve the purpose of anti-virtual execution, so adding support for a specific operating system mechanism in a virtual CPU will be our future improvement goals. Finally, metapolymorphy, that is, the virus is not a versatile decrypted sub-encrypted viral body structure, and the overall variant is used. This virus is all changing, and there is no so-called "viral" clear text. Of course, it is very difficult to write. If the first few anti-virtual machine technology uses the defects in the virtual machine design, you can make up for the code to make up, then this meticular technology makes the dynamic characterization scan of the virtual machine completely invalid, we A more advanced approach such as behavioral analysis must be sought to be solved. main reference: David A. Solomon, Mark Russinovich "INSIDE Microsoft Windows 2000" September 2000 David A. Solomon "INSIDE Windows NT" May 1998 Prasad Dabak, Sandeep Phadke, Milind Borate "undocuplented windows nt" october 1999 Matt Pietrek "Windows 95 System Programming Secret" March 1996 Walter OneY "System Programming for Windows 95" March 1996 Walter OneY "Programming The Windows Driver Model" 1999 Lu Lin "Windows9x file read and write internal" 2001
