Embodiment
The embodiment of the invention provides a computer file detection method and device for realizing active defence against static viruses.
The embodiment detects the structure attributes and file attributes of a static file, selects the detections that are suspicious, gives each suspicious detection a weight according to its importance, uses these weights together with the number of times the same suspicious detection occurs to calculate a suspicious degree for the detected file, and determines from the calculated suspicious degree whether the file is infected by a virus. By detecting static files, the embodiment realizes active defence against static viruses.
When the user of a terminal chooses to use the computer file detection device provided by the embodiment to begin detecting whether the files in the terminal are infected by a virus, the steps of the computer file detection method provided by the embodiment are entered.
Fig. 1 is a flow diagram of the computer file detection method provided by the embodiment of the invention.
When detection begins, the file is first opened and read, and then step 101 is executed.
Step 101: detect the validity of the file.
To speed up detection, the validity of the file is checked immediately after it is opened, so that no time is spent detecting an invalid file.
The embodiment takes the detection of a word file as its example. Validity is detected mainly through the structure attributes: the e_magic item of the image DOS header (IMAGE_DOS_HEADER) is compared with a preset value, for example IMAGE_DOS_SIGNATURE; if they are not equal, the file is not a valid executable (PE) file. If they are equal, the address pointed to by the e_lfanew item of the image DOS header is used to find the image NT header (IMAGE_NT_HEADER), and the PE file identification (Signature) item of the image NT header is compared with "PE00" (the bytes "PE" followed by two NULs); if they are equal, the file is considered a valid PE file. Otherwise a message is displayed stating that the file does not have a valid PE structure, and the file is invalid. This step therefore detects whether the file is a valid PE-structured file. If the opened file is valid, step 102 is executed; if it is invalid, detection ends directly.
Step 102: detect the structure attributes of the file.
Detecting the structure attributes of the file specifically comprises: detecting the items of the image DOS header (IMAGE_DOS_HEADER); detecting the items of the image file header (IMAGE_FILE_HEADER); detecting the items of the image optional header (IMAGE_OPTIONAL_HEADER); and detecting the items of the section headers (IMAGE_SECTION_HEADER).
The items of the image DOS header are detected as follows:
e_lfanew item of the image DOS header
If the value of this item exceeds the size of the file under detection, or is less than 0x10, the file is considered suspicious.
The items of the image file header are detected as follows:
NumberOfSections item of the image file header
Under normal conditions this value is mostly 4; if the value is less than 3, the file is considered suspicious.
The items of the image optional header are detected as follows:
BaseOfCode item of the image optional header
In a suspicious file this value is not equal to the start address of any section, that is, it does not fall within any section; or the start address is unusual. Under Win32 the start address is normally one of 0x1000, 0x10000000 or 0x00400000; if it is not one of these values, the file is considered suspicious.
If the value equals the start address of some section but the name of that section (the Name item of IMAGE_SECTION_HEADER) is not one of the common names ".text" or ".rsrc", the file is also considered suspicious.
BaseOfData item of the image optional header
In a suspicious file this value is not equal to the start address of any section, that is, it does not fall within any section; or the value is less than 0x400. Either case is considered suspicious.
If the value equals the start address of some section but the name of that section (the Name item of IMAGE_SECTION_HEADER) is not the common name ".data", the file is also considered suspicious.
ImageBase item of the image optional header
If this value is greater than 0x20000000, the file is considered suspicious.
FileAlignment item of the image optional header
If this value is not equal to 0x200, the file is considered suspicious.
CheckSum item of the image optional header
Viruses and some illegal programs often set this item to 0 when modifying the PE file layout, whereas a file produced by a normal compiler has a correct value. If this item is 0, the file is considered suspicious.
VirtualAddress and Size items of the Import table in the image optional header
If the value of IMAGE_OPTIONAL_HEADER32->DataDirectory[1].Size is greater than 0 and less than 0x28, the file is considered suspicious.
Resource item of the image optional header
There are also other structural anomalies, for example:
A PE file embedded in the resource section:
The resource section of an ordinary file generally stores contents such as the file's icon, bitmaps related to the file, and version information. If another PE file, identified by the MZ signature, is found inside the resource section, the file is very likely a virus: such a virus releases the PE file from this section when it runs.
VirtualAddress and Size items of the Relocation table in the image optional header
If the value of VirtualAddress in the image optional header is greater than 0 and less than 0x48, the file is considered suspicious.
If the value of Size is greater than the size of the file under detection, or less than 0x0c, the file is considered suspicious.
VirtualAddress and Size items of the TLS table in IMAGE_OPTIONAL_HEADER32
If IMAGE_OPTIONAL_HEADER32->DataDirectory[9].VirtualAddress is greater than 0 and less than 0x48, the file is considered suspicious.
VirtualAddress and Size items of the BoundImport table in IMAGE_OPTIONAL_HEADER32
If the value of IMAGE_OPTIONAL_HEADER32->DataDirectory[11].Size is greater than the size of the file under detection, or less than 0x20, the file is considered suspicious.
VirtualAddress and Size items of the IAT table in IMAGE_OPTIONAL_HEADER32
If the value of IMAGE_OPTIONAL_HEADER32->DataDirectory[12].Size is greater than the size of the file under detection, the file is considered suspicious.
The items of IMAGE_SECTION_HEADER are detected as follows:
It should be noted that when detecting the items of IMAGE_SECTION_HEADER, the section table (SECTION TABLE) is located first; after it has been located, the items of the IMAGE_SECTION_HEADER are detected; when the detection of one IMAGE_SECTION_HEADER finishes, the next IMAGE_SECTION_HEADER item is located; if there is no next IMAGE_SECTION_HEADER item, the detection of IMAGE_SECTION_HEADER items ends; if the next IMAGE_SECTION_HEADER item is located, detection continues with the items of that IMAGE_SECTION_HEADER.
Name item of IMAGE_SECTION_HEADER:
This is an 8-byte ASCII field that usually starts with ".". Common section names are ".text", ".data", ".code", ".rsrc" and ".reloc": .text stores instruction code; .data stores initialized data; .idata contains the function and data information of other external DLLs, i.e. the import table; .rsrc stores all the resource data of the module; .reloc stores the base relocation table; and .edata stores the export table of the file. Suspicious files and virus files often use random names in place of these common section names, for example garbled strings such as "the PS vegetarian salts down" or "Bohai Sea @", or a name consisting entirely of null characters (NUL); such names are considered suspicious.
PointerToRawData item of IMAGE_SECTION_HEADER
This is the offset of the section within the disk file; if it is set to zero, the file is considered suspicious.
SizeOfRawData item of IMAGE_SECTION_HEADER
This is the size the section occupies in the disk file; if this value is zero for some section in the section table, the file structure is abnormal and the file is considered suspicious.
Characteristics item of IMAGE_SECTION_HEADER
That is, the section attributes. This is an important mark for judging whether a file is suspicious. The field is a set of flags indicating the attributes of the section, and the Characteristics value is the sum of several flags. Some common flags are:
Flag | Field value | Purpose
IMAGE_SCN_CNT_CODE | 00000020h | Contains executable code
IMAGE_SCN_CNT_INITIALIZED_DATA | 00000040h | Contains initialized data
IMAGE_SCN_CNT_UNINITIALIZED_DATA | 00000080h | Contains uninitialized data
IMAGE_SCN_MEM_DISCARDABLE | 02000000h | Can be discarded
IMAGE_SCN_MEM_SHARED | 10000000h | Shared section
IMAGE_SCN_MEM_EXECUTE | 20000000h | Executable; normally used together with 00000020h
IMAGE_SCN_MEM_READ | 40000000h | Readable
IMAGE_SCN_MEM_WRITE | 80000000h | Writable
For example, the Characteristics value C0000040h = 40000000h | 80000000h | 00000040h indicates that the section is readable, writable and contains initialized data.
The section names that commonly carry the writable flag are .data, DATA, BSS, .tls, .idata and .adata. If a section has the writable flag but its name is not one of these common names, it is more suspicious.
For example, if the Characteristics value of a section is 80000000h, meaning writable, but its Name is not one of the commonly writable section names above, the file is considered suspicious.
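As an added example (not the patent's own code), the following Python applies the step 101 validity test and several of the step 102 structural checks to a PE32 image held in memory. The helper sample_pe, the constructed sample image and the detection names it returns are this example's own and are not part of the original.

```python
import struct

# Added example, not the patent's code: step 101 validity test plus a subset of the
# step 102 checks. Offsets follow the standard IMAGE_* layouts; thresholds are the text's.
COMMON_WRITABLE = {b".data", b"DATA", b"BSS", b".tls", b".idata", b".adata"}
IMAGE_SCN_MEM_WRITE = 0x80000000
u16 = lambda b, o: struct.unpack_from("<H", b, o)[0]
u32 = lambda b, o: struct.unpack_from("<I", b, o)[0]

def structural_findings(pe):
    """None for an invalid PE (step 101); else names of detections that fired (step 102)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":                # e_magic != IMAGE_DOS_SIGNATURE
        return None
    e_lfanew = u32(pe, 0x3C)
    if e_lfanew + 4 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None                                      # Signature != "PE\0\0"
    hits = []
    if e_lfanew < 0x10:                                  # (> file size already rejected above)
        hits.append("e_lfanew")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    nsec = u16(pe, fh + 2)
    if nsec < 3:
        hits.append("NumberOfSections")
    oh = fh + 20                                         # IMAGE_OPTIONAL_HEADER32
    sh = oh + u16(pe, fh + 16)                           # SizeOfOptionalHeader -> section table
    secs = [(pe[s:s + 8].rstrip(b"\0"), u32(pe, s + 12), u32(pe, s + 20), u32(pe, s + 36))
            for s in range(sh, sh + 40 * nsec, 40)]      # Name, VirtualAddress, PointerToRawData, Characteristics
    start = {va: name for name, va, _, _ in secs}        # section start address -> Name
    boc, bod = u32(pe, oh + 20), u32(pe, oh + 24)
    if (boc not in start or boc not in (0x1000, 0x10000000, 0x00400000)
            or start[boc] not in (b".text", b".rsrc")):
        hits.append("BaseOfCode")
    if bod not in start or bod < 0x400 or start[bod] != b".data":
        hits.append("BaseOfData")
    if u32(pe, oh + 64) == 0:                            # CheckSum zeroed
        hits.append("CheckSum")
    for name, _, raw_ptr, chars in secs:                 # one hit per section that triggers
        if not name or any(c < 0x20 or c > 0x7E for c in name):   # NUL or random name
            hits.append("Name")
        if raw_ptr == 0:
            hits.append("PointerToRawData")
        if chars & IMAGE_SCN_MEM_WRITE and name not in COMMON_WRITABLE:
            hits.append("Characteristics")
    return hits

def sample_pe(sections, checksum=0):
    """Constructed minimal PE32 (headers only): e_lfanew 0x40, BaseOfCode 0x1000, BaseOfData 0x2000."""
    img = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<5I", opt, 20, 0x1000, 0x2000, 0x00400000, 0x1000, 0x200)
    struct.pack_into("<I", opt, 64, checksum)
    img += opt
    for name, va, raw_ptr, chars in sections:            # IMAGE_SECTION_HEADER, 40 bytes each
        img += struct.pack("<8s6I2HI", name, 0x200, va, 0x200, raw_ptr, 0, 0, 0, 0, chars)
    return bytes(img)

# Constructed sample: two sections, the second with an all-NUL name and the write flag; CheckSum 0.
SAMPLE = sample_pe([(b".text", 0x1000, 0x400, 0x60000020), (b"\0" * 8, 0x2000, 0x600, 0xC0000040)])
```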
After the structure attributes of the file have been detected, step 103 is executed.
Step 103: detect the file attributes of the file.
Detecting the file attributes of the file specifically comprises: detecting the file resources, detecting the general properties of the file, and detecting the file version information.
The items of the file attributes are detected as follows:
General properties of the file: for a suspicious file, the general properties are usually hidden. For convenience, in the embodiment the general properties of a file mean information such as the file's extension, size, storage location and creation time.
Filename: for a suspicious file the filename may be changed; viruses often disguise themselves as iexporer, svchost and the like, and carry special symbols such as ( ) [ ] ~.
Resource information of the file: a suspicious file or virus file generally has no resource information.
Copyright information of the file: a suspicious file or virus file generally has no normal copyright information.
Entry feature of each section: in a suspicious file or virus file, the entry of a section contains a jump instruction.
It should be noted that detecting the structure attributes and detecting the file attributes may be performed in either order, and the individual items of the structure attributes and of the file attributes may likewise be detected in any order.
Step 104: select the suspicious detections.
The suspicious detections are selected according to the rules described in step 102 and step 103.
Step 105: give weights to the suspicious detections.
Each detection is given a corresponding weight according to its importance among the structure attributes and file attributes.
The weights of the individual detections are illustrated in the following table:
Detection | Weight
e_lfanew item of IMAGE_DOS_HEADER | 15
NumberOfSections item of IMAGE_FILE_HEADER | 2
BaseOfCode item of IMAGE_OPTIONAL_HEADER32 | 5
BaseOfData item of IMAGE_OPTIONAL_HEADER32 | 5
ImageBase item of IMAGE_OPTIONAL_HEADER32 | 3
FileAlignment item of IMAGE_OPTIONAL_HEADER32 | 5
CheckSum item of IMAGE_OPTIONAL_HEADER32 | 5
IMAGE_OPTIONAL_HEADER32->DataDirectory[1].VirtualAddress item | 5
IMAGE_OPTIONAL_HEADER32->DataDirectory[1].Size item | 5
IMAGE_OPTIONAL_HEADER32->DataDirectory[5].VirtualAddress item | 5
IMAGE_OPTIONAL_HEADER32->DataDirectory[5].Size item | 5
Name item of IMAGE_SECTION_HEADER | 7
Step 106: count the number of occurrences of the same suspicious detection.
A file may contain several SECTION TABLE entries, and each detection is applied to every SECTION TABLE entry in turn. Since each detection exists for every SECTION TABLE entry, the suspicious degrees of several occurrences of the same detection accumulate. This step therefore counts the occurrences so that the weights of the same suspicious detection can be added up.
Step 107: calculate the suspicious degree of the file.
The formula is as follows:
Suspicious degree of the file = (number of suspicious occurrences of detection 1 × weight 1) + (number of suspicious occurrences of detection 2 × weight 2) + (number of suspicious occurrences of detection 3 × weight 3) + ...
Each detection has its corresponding weight; after the suspicious degree of the file has been calculated, step 108 is executed.
For example, suppose the following detections in a certain file meet the suspicious conditions:
e_lfanew item of IMAGE_DOS_HEADER, 1 occurrence
NumberOfSections item of IMAGE_FILE_HEADER, 1 occurrence
BaseOfCode item of IMAGE_OPTIONAL_HEADER32, 1 occurrence
BaseOfData item of IMAGE_OPTIONAL_HEADER32, 1 occurrence
FileAlignment item of IMAGE_OPTIONAL_HEADER32, 1 occurrence
CheckSum item of IMAGE_OPTIONAL_HEADER32, 1 occurrence
IMAGE_OPTIONAL_HEADER32->DataDirectory[1].Size item, 1 occurrence
Name item of IMAGE_SECTION_HEADER, 2 occurrences
Then the suspicious degree of the file = 15 + 2 + 5 + 5 + 5 + 5 + 5 + 2 × 7 = 56.
Step 108: compare the suspicious degree of the file with the preset suspicious standard.
The preset suspicious standard is generally 20. When the calculated suspicious degree of the file reaches or exceeds 20, step 109 is executed; the suspicious degree of 56 calculated above therefore leads to step 109. If the calculated suspicious degree is less than 20, the file is considered a normal file that is not infected by a virus.
Step 109: display the suspicious file, and indicate that the file is suspicious.
So that the terminal user can learn which files may be infected by a virus and take active defence, when the calculated suspicious degree of a file is greater than the preset suspicious standard, the embodiment displays the suspicious file and correspondingly indicates that the file is suspicious.
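As an added example that is not part of the patent, the following Python carries steps 104 to 108 through: it counts the occurrences of each suspicious detection, applies the weights from the table above and compares the result with the preset standard of 20, using the worked example of step 107 as input. The detection names, and the assumption that a detection absent from the weight table contributes 0, are this example's own.

```python
# Added example, not the patent's code: steps 106-108 with the weights the text gives.
WEIGHTS = {
    "e_lfanew": 15, "NumberOfSections": 2, "BaseOfCode": 5, "BaseOfData": 5,
    "ImageBase": 3, "FileAlignment": 5, "CheckSum": 5,
    "DataDirectory[1].VirtualAddress": 5, "DataDirectory[1].Size": 5,
    "DataDirectory[5].VirtualAddress": 5, "DataDirectory[5].Size": 5,
    "Name": 7,
}
SUSPICIOUS_STANDARD = 20          # preset suspicious standard from step 108

def count_detections(hits):
    """Step 106: how often each suspicious detection occurred (a section-level
    detection such as Name appears once per section header that triggered it)."""
    counts = {}
    for name in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts

def suspicious_degree(counts, weights=WEIGHTS):
    """Step 107: sum of occurrences * weight over all suspicious detections.
    Assumption of this example: a detection with no entry in the table weighs 0."""
    return sum(n * weights.get(name, 0) for name, n in counts.items())

def classify(hits, standard=SUSPICIOUS_STANDARD):
    """Step 108: (suspicious degree, True if it reaches or exceeds the standard)."""
    degree = suspicious_degree(count_detections(hits))
    return degree, degree >= standard

# The worked example of step 107 as a hit list: every detection once, Name twice.
EXAMPLE_HITS = ["e_lfanew", "NumberOfSections", "BaseOfCode", "BaseOfData",
                "FileAlignment", "CheckSum", "DataDirectory[1].Size", "Name", "Name"]
```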
At this point detection of one file is finished, and the computer file detection device provided by the embodiment begins detecting the next file. When all the files chosen by the terminal user have been detected, the terminal user is notified that detection is complete, and all files whose detected suspicious degree reached the preset suspicious degree are displayed. It should also be noted that the anomaly conditions for the structure attributes and file attributes described in steps 102 and 103 of the computer file detection method can be updated as ordinary files and virus files continue to evolve; the embodiment does not limit this. Furthermore, for all items of the structure attributes and file attributes of a file and the anomaly conditions corresponding to each of them, those skilled in the art can judge the anomaly condition of each detection according to the specific circumstances, and they are not described in detail here.
When the calculated suspicious degree of a file is greater than the preset suspicious standard, the embodiment displays the suspicious file and correspondingly indicates that the file is suspicious, so that the terminal user can learn which files may be infected by a virus and take active defence.
The following describes the device embodiment that applies the computer file detection method provided by the embodiment of the invention.
Fig. 2 is a diagram of the computer file detection device provided by the embodiment of the invention.
As shown in the figure, the computer file detection device provided by the embodiment of the invention comprises:
a detecting unit 110, used to detect the attributes of a file and select the suspicious detections, the attributes comprising structure attributes and file attributes;
an assignment unit 120, used to give weights to the suspicious detections;
a statistic unit 130, used to count the number of occurrences of the same suspicious detection;
a computing unit 140, used to calculate the suspicious degree of the file from the weights of the suspicious detections and the number of occurrences of the same suspicious detection;
a comparing unit 150, used to compare the suspicious degree of the file with the preset suspicious standard: if the suspicious degree is greater than the preset suspicious standard, the file is a suspicious file; if the suspicious degree is less than the preset suspicious standard, the file is not a suspicious file.
For handling a file after it has been detected as suspicious, the computer file detection device provided by the embodiment further comprises:
a display unit 160, used to display the suspicious file when the file is suspicious, and to indicate that the file is suspicious.
In addition, to reduce the time spent detecting invalid files and speed up detection, the computer file detection device further comprises:
a file detecting unit 170, used to detect whether the opened file is valid.
When detecting the structure attributes of a file, if the file structure attributes contain several SECTION items, the computer file detection device provided by the embodiment further comprises:
a positioning unit 180, used to locate the section table in the file structure attributes when detecting the file structure attributes.
The computer file detection method and device provided by the embodiment can be used as an independent detection tool or in combination with existing antivirus software. They can also be used to scan for viruses in a data stream: the packets of a file transfer are captured and reassembled, and the computer file detection method provided by the embodiment is then applied to the reassembled file.
Example: at present most viruses on the Internet are downloaded to the local machine over the Hypertext Transfer Protocol (HTTP) and then run. After the HTTP data stream has been captured and reassembled, the original file transmitted by the virus is obtained, and the computer file detection method provided by the embodiment is then applied to detect whether it is a suspicious file.
The virus defence method and device provided by the present invention have been described in detail above. Those of ordinary skill in the art may, following the idea of the embodiment of the invention, make changes in the specific embodiments and the scope of application; in summary, this description should not be construed as limiting the invention.