CN102867144B - Method and apparatus for detecting and removing viruses - Google Patents

Method and apparatus for detecting and removing viruses

Info

Publication number: CN102867144B
Application number: CN201210328695.7A
Authority: CN (China)
Prior art keywords: virus, file, match processing, record, detected
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102867144A
Inventors: 周辉, 徐传宇, 李智鹏, 唐杰
Current assignees: Beijing Qizhi Business Consulting Co Ltd; Beijing Qihoo Technology Co Ltd; 360 Digital Security Technology Group Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Events: application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd; priority to CN201210328695.7A; published as CN102867144A; application granted and published as CN102867144B; legal status Active.

Abstract

The invention discloses a method and apparatus for detecting and removing viruses. The method comprises: writing a script for detecting and removing viruses in a scripting language and compiling the script into a binary virus database file; detection processing for detecting computer viruses, which comprises: based on the plurality of virus records contained in the virus database file, performing locate processing on the file to be detected based on file offset, memory-mapped offset and/or portable executable file structure; performing operation processing and/or logic control processing with the result of the locate processing as a variable; based on the plurality of virus records contained in the virus database file, performing match processing on the result of the operation processing and/or logic control processing, where the match processing comprises binary match processing and/or opcode match processing; and performing virus removal processing on the one or more files to be detected that match the plurality of virus records.

Description

Method and apparatus for detecting and removing viruses
Technical field
The present invention relates to computer security, and specifically to a method and apparatus for detecting and removing viruses.
Background technology
Using signature scanning to identify virus samples is the earliest detection and removal technique used by computer anti-virus software. Although anti-virus has developed over decades and techniques such as behavior-based detection have since appeared, signature scanning, being accurate and stable, remains the main technique that mainstream anti-virus software uses to identify viruses and is the basic technique of current anti-virus technology.
Signature scanning is the method of scanning an unknown sample with virus signatures extracted in advance and making a judgement. Signature extraction takes place after a sample has been identified as a virus by manual or automatic analysis: the binary of the virus sample, or some other feature, is extracted such that the feature is exclusive to this kind of virus and distinguishes it from other viruses and from normal files. During scanning, the anti-virus software uses the signatures in its virus database one after another to scan the unknown file; if some signature matches, the file is taken to be the virus that signature represents; if no signature matches, the file is considered not to be a virus but a normal file.
Signature scanning is essentially a feature recognition and decision technique. It can be used not only to scan for and identify viruses but also to scan for and identify normal files, and it is now widely used in anti-virus software to judge normal samples as well. Signature scanning is accurate, has a low false positive rate and is simple to implement; the technique is mature, so it remains the main technique by which anti-virus products identify viruses. At the same time, signature scanning has obvious shortcomings: its ability to recognize polymorphic, metamorphic and encrypted viruses is low, and it cannot identify unknown viruses.
Besides signature scanning, another virus recognition technique commonly used in current anti-virus software is "behavior-based detection". Its basic principle is to run the sample, either directly or in a controllable environment inside the anti-virus software (usually an anti-virus virtual machine), and to identify the virus by recording and judging the actions the sample performs. Behavior-based detection can detect unknown viruses, but its high false positive rate remains a drawback that it has not yet overcome.
The removal technique used by anti-virus software mainly refers to its ability to clean file-infecting virus samples (normal files infected by a file-infecting virus); non-infecting viruses are simply deleted. Two methods are mainly used today to remove file-infecting viruses: removal by removal records and hard-coded removal. Removal by removal records means that the analyst writes a removal record after analysis and testing, and when a virus is identified during scanning, the removal method given in the corresponding removal record is executed. A removal record describes a combination of the removal methods supported by the anti-virus engine (such as modifying the program entry point or truncating the tail of the file) and their parameters. Hard-coded removal means writing a dedicated program to remove the virus; it is applied in comparatively complex removal situations, such as special anti-virus tools for a particular virus.
Here the open-source anti-virus engine ClamAV is taken as an example of a traditional anti-virus engine. The detection methods of the ClamAV engine mainly include the following:
- MD5 (Message Digest Algorithm 5) feature: the virus analyst generates the MD5 of a virus file as its signature, and the ClamAV engine uses this MD5 as the virus signature;
- MD5 feature based on a PE (Portable Executable) file section: the virus analyst takes one section of a viral PE file as the file feature and generates the MD5 of that section's data as the virus signature;
- Code feature: the code feature is a very traditional way of extracting a virus signature. The analyst takes binary data with a particular meaning in the PE file as the virus signature, usually selecting the binary of the virus code as the data. ClamAV's code feature does not only match binary data; it also supports wildcards and partial regular expressions, extended matching based on file format, and logical signatures;
- PE file icon feature: viruses on Windows often disguise their own icon as the icon of a non-executable file, so ClamAV provides the icon as a virus feature.
All of the above features are based on the ClamAV engine architecture. The ClamAV engine is an algorithm-based engine; its core algorithms are the B-M (Boyer-Moore) single-pattern matching algorithm and the A-C (Aho-Corasick) multi-pattern matching algorithm.
Because the structure of a traditional anti-virus engine (such as ClamAV above) is algorithm-based, the following two obvious problems arise:
1. Inflexible selection of virus signatures. The inflexibility shows in two respects: the analyst's choice of signature is inflexible, and the analyst's extension with new kinds of signature is inflexible. ClamAV provides no logical relations between its different detection methods; for example, the MD5 feature of a PE file section cannot be combined with the code feature. Although the code feature provides some logical matching, that logical matching still cannot meet the need for accurate detection when facing polymorphic and metamorphic viruses. Take the early versions of the common polymorphic and metamorphic virus Virut: the virus body is encrypted with one of two encryption algorithms chosen at random and a randomly generated key, and the decryption code is generated by a polymorphic engine and polymorphically transformed, so the virus body features of every file the virus infects are completely different. Accurate detection and removal of it is therefore impossible with only the logical matching that ClamAV's code feature provides. Extending the signature selection methods of such an algorithm-based engine is difficult because the signature methods are strongly coupled to the engine: either a new scanning process is added outside the original algorithm, at the cost of efficiency (as when ClamAV added MD5 signature scanning as an additional scanning pass before its code feature scanning), or the algorithm in the original engine must be modified (the A-C multi-pattern algorithm in the ClamAV engine is a modified algorithm, so that it can support simple logical operations, wildcards and so on in the code feature).
2. Low virus detection efficiency. For the detection efficiency of an anti-virus engine, the main bottleneck is input and output; if input and output can be controlled effectively, scanning efficiency improves greatly. From the process above it can be seen that ClamAV is not optimized for input and output: MD5 signature detection must traverse the entire file being detected. In addition, the A-C multi-pattern algorithm needs to build a state machine before matching, and the larger the virus database, the more time and space building the state machine requires.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method for detecting and removing viruses and a corresponding apparatus that overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a method for detecting and removing viruses is provided, comprising:
writing a script for detecting and removing viruses in a scripting language and compiling the script into a binary virus database file;
detection processing for detecting computer viruses, comprising:
- based on the plurality of virus records contained in the virus database file, performing locate processing on the file to be detected based on file offset, memory-mapped offset and/or portable executable file structure;
- performing operation processing and/or logic control processing with the result of the locate processing as a variable;
- based on the plurality of virus records contained in the virus database file, performing match processing on the result of the operation processing and/or logic control processing, where the match processing comprises binary match processing and/or opcode match processing; and
performing virus removal processing on the one or more files to be detected that match the plurality of virus records.
The script is described using the extensible markup language XML.
The portable executable file structure comprises the portable executable entry point offset, the portable executable header offset, the portable executable data directory offset, the portable executable appended data offset, the portable executable section table offset and/or the portable executable section offset.
The locate processing comprises: performing locate processing according to call, jmp, jcc and/or loop instructions resolved by simulating the CPU (central processing unit).
Each virus record in the plurality of virus records has a respective file feature,
and in the step of performing locate processing on the file to be detected based on file offset, memory-mapped offset and/or portable executable file structure, based on the plurality of virus records contained in the virus database file, the file feature of the file to be detected is checked, and the locate processing based on file offset, memory-mapped offset and/or portable executable file structure is performed on the file to be detected based on the virus records whose file feature the file to be detected satisfies.
The match processing supports wildcards and floating search, and comprises one or more of the following processes:
matching using the opcode, operands and length of the instruction at the result of the operation processing and/or logic control processing;
matching using the file compiler information obtained by analyzing the entry instruction sequence of the portable executable file;
matching using the attribute information, resource information and/or version information of the file to be detected;
matching using the import function information and/or export function information of the portable executable file, where the import function information comprises the number and names of imported modules and imported functions, and the export function information comprises the number and names of exported modules and exported functions; and
matching using the hash value of the data at a given position and length in the file to be detected.
The operation processing comprises addition, subtraction, multiplication, division, logical AND, logical OR, shift and comparison processing.
The logic control processing comprises jump processing and return processing, where the jump processing comprises conditional jump processing and unconditional jump processing, and the return processing comprises conditional return processing and unconditional return processing.
Each virus record comprises, for one kind of computer virus, a plurality of detection information items recording how to perform the locate processing, the operation processing and/or logic control processing and the match processing, and a plurality of removal information items recording how to perform the virus removal processing,
and the detection processing comprises: for each virus record, using the plurality of detection information items to perform on the file to be detected detection processing comprising the locate processing, the operation processing and/or logic control processing and the match processing, and, in the detection processing, if every detection information item in the plurality of detection information items executes successfully, judging the file to be detected to be a virus-containing file.
The step of performing virus removal processing on the file to be detected comprises: performing virus removal processing on the virus-containing file according to the plurality of removal information items in the corresponding virus record.
The step of performing virus removal processing on the virus-containing file comprises one or more of the following processes:
deleting the virus-containing file;
modifying the entry point address of the virus-containing file;
writing a data block to a specific region of the virus-containing file;
copying a data block within the virus-containing file;
deleting a specific file section of the virus-containing file and adjusting the format of the virus-containing file;
deleting data of a specific size from the head and/or tail of the virus-containing file;
setting the size of the virus-containing file.
According to another aspect of the present invention, an apparatus for detecting and removing viruses is provided, comprising:
a script editing and compiling module for writing a script for detecting and removing viruses in a scripting language and compiling the script into a binary virus database file;
a detection module for detection processing for detecting computer viruses, comprising:
- a locate sub-module for performing locate processing on the file to be detected based on file offset, memory-mapped offset and/or portable executable file structure, based on the plurality of virus records contained in the virus database file;
- an operation and logic control sub-module for performing operation processing and/or logic control processing with the result of the locate processing as a variable;
- a match sub-module for performing match processing on the result of the operation processing and/or logic control processing, based on the plurality of virus records contained in the virus database file, where the match processing comprises binary match processing and/or opcode match processing; and
a removal module for performing virus removal processing on the one or more files to be detected that match the plurality of virus records.
The script is described using the extensible markup language XML.
The portable executable file structure comprises the portable executable entry point offset, the portable executable header offset, the portable executable data directory offset, the portable executable appended data offset, the portable executable section table offset and/or the portable executable section offset.
The locate processing comprises: performing locate processing according to call, jmp, jcc and/or loop instructions resolved by simulating the CPU (central processing unit).
Each virus record in the plurality of virus records has a respective file feature,
and the locate sub-module checks the file feature of the file to be detected and performs the locate processing based on file offset, memory-mapped offset and/or portable executable file structure on the file to be detected based on the virus records whose file feature the file to be detected satisfies.
The match processing supports wildcards and floating search, and comprises one or more of the following processes:
matching using the opcode, operands and length of the instruction at the result of the operation processing and/or logic control processing;
matching using the file compiler information obtained by analyzing the entry instruction sequence of the portable executable file;
matching using the attribute information, resource information and/or version information of the file to be detected;
matching using the import function information and/or export function information of the portable executable file, where the import function information comprises the number and names of imported modules and imported functions, and the export function information comprises the number and names of exported modules and exported functions; and
matching using the hash value of the data at a given position and length in the file to be detected.
The operation processing comprises addition, subtraction, multiplication, division, logical AND, logical OR, shift and comparison processing.
The logic control processing comprises jump processing and return processing, where the jump processing comprises conditional jump processing and unconditional jump processing, and the return processing comprises conditional return processing and unconditional return processing.
Each virus record comprises, for one kind of computer virus, a plurality of detection information items recording how to perform the locate processing, the operation processing and/or logic control processing and the match processing, and a plurality of removal information items recording how to perform the virus removal processing,
and the detection module, for each virus record, uses the plurality of detection information items to perform on the file to be detected detection processing comprising the locate processing, the operation processing and/or logic control processing and the match processing, and, in the detection processing, if every detection information item in the plurality of detection information items executes successfully, judges the file to be detected to be a virus-containing file.
The removal module performs virus removal processing on the virus-containing file according to the plurality of removal information items in the corresponding virus record.
The removal module performs one or more of the following processes:
deleting the virus-containing file;
modifying the entry point address of the virus-containing file;
writing a data block to a specific region of the virus-containing file;
copying a data block within the virus-containing file;
deleting a specific file section of the virus-containing file and adjusting the format of the virus-containing file;
deleting data of a specific size from the head and/or tail of the virus-containing file;
setting the size of the virus-containing file.
The present invention provides a method and apparatus for detecting and removing viruses; the method and apparatus can be used in a virtual machine and applied in fields such as malware (virus) behavior analysis, virus detection and removal, and unpacking. According to embodiments of the invention, the scripting language and the virus records are described in XML, which makes a massive number of virus records convenient to manage and retrieve, while the script can be compiled into a binary virus database file to guarantee high efficiency when detecting and removing viruses. The invention uses a script resembling x86 assembly instructions to describe virus records, providing flexible control ability similar to assembly together with a high level of behavioral abstraction. Each process in an embodiment of the invention is itself relatively simple, but because the framework is flexible enough, virus records of assembly-level complexity can be written. The invention greatly improves the flexibility and efficiency of traditional signature detection and improves the applicability of signature detection to polymorphic and metamorphic viruses and to the detection of virus families. The invention uses a GUID as the unique description of each process and therefore has very strong extensibility: as long as a certain specification is followed, new processes can be added without affecting the existing detection and removal processes and virus records. Most processes in the invention involve no system input/output operations, and some involve only a minimal amount, so detection and removal of viruses is fast.
The above is only an overview of the technical solution of the invention. In order that the technical means of the invention can be better understood and implemented according to the content of the specification, and in order to make the above and other objects, features and advantages of the invention more apparent, specific embodiments of the invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art by reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered limiting of the invention. The same reference symbols denote the same parts throughout the drawings. In the drawings:
Fig. 1 is a flow chart of a method for detecting and removing viruses according to an embodiment of the invention; and
Fig. 2 is a block diagram of an apparatus for detecting and removing viruses according to an embodiment of the invention.
Embodiment
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure can be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Fig. 1 is a flow chart of a method for detecting and removing viruses according to an embodiment of the invention. As shown in Fig. 1, in the method 100 for detecting and removing viruses, step S101 is performed first: a script for detecting and removing viruses is written in a scripting language and compiled into a binary virus database file.
According to embodiments of the invention, the script is described in XML (eXtensible Markup Language). The statements of the script are made up of different functional methods, which fall into two large classes: detection processing and virus removal processing. The main purpose of detection processing is to detect viruses, while virus removal processing operates on a file confirmed to be a virus in order to delete or clean the virus.
According to embodiments of the invention, the script is compiled into a binary virus database file, and only this binary virus database file needs to be read when detecting and removing viruses. The script is described in the XML language. Each process has a unique GUID (Globally Unique Identifier), which ensures that no conflict arises between processes when a process is called. The attributes of the XML tag are then used to describe the parameters of the process. For example:
<stdmethod alias="L_File" base="File" offset="2" target="FILE" clsid="{877289A9-2E55-4aa8-A94A-5EE7412F887C}"/>
An above xml label describes the localization process in described script.Clsid is unique GUID of localization process, calls corresponding Parameter analysis of electrochemical process change process when compiling by this clsid.
After step S101, perform the check processing being used for detection computations machine virus, it comprises: step S103a, based on the multiple viral record comprised in described virus base file, carry out based on document misregistration, memory mapping skew and/or PE(Portable Execute file to be detected, portable performs) localization process of file structure; Step S103b, carries out calculation process and/or logic control process using the result of localization process as variable; Step S103c, based on the multiple viral record comprised in described virus base file, carry out matching treatment to the result of calculation process and/or logic control process, wherein said matching treatment comprises scale-of-two matching treatment and/or opcode matching treatment.
According to embodiments of the invention, described PE file structure comprises the skew of PE document entry point, the skew of PE file header, the skew of PE file data catalogue, the skew of PE file additional data, the skew of PE file section table and/or the skew of PE file section.After localization process successful execution, meeting restoring to normal position address result on running stack, uses for other process.
In addition, as the expansion for localization process, call, jmp, jcc and/or loop instruction can resolved according to simulation CPU (central processing unit), based on the multiple viral record comprised in described virus base file, positions process.
According to embodiments of the invention, each virus record in described multiple virus record has respective file characteristic, in described step S103a, check the file characteristic of described file to be detected, and based on the viral record that file characteristic and described file to be detected meet, localization process is performed to described file to be detected.For example, described file characteristic can be the compiler information of file, in step S103a, first checks the compiler information of file to be detected, and based on the viral record that compiler information and this file meet, comes to perform localization process to this file.Like this, when virus base file comprises a large amount of virus record, only need to utilize those viruses met with a certain file characteristic of file to be detected to record and file to be detected is detected, improve the efficiency of detection.
After having carried out above-mentioned localization process, the result of this localization process computing and/or logic control process are carried out as variable.The process relating to above-mentioned variable can comprise the process of constant variable, reference to variable process, load variable process.The process of constant variable is similar to the common variables in C language, for user provides the method directly arranging variable; Reference to variable process is similar to the pointer variable in C language, for user provides the method quoting other process result of calculation; Loading variable process is special processing, can read the value of detection file assigned address as variable.
According to embodiments of the invention, described calculation process comprises and adds, subtracts, multiplication and division, logical and, logical OR, is shifted, compares process, the operational method that itself and x86 collect is similar, and operand is stack variable and the register of script according to an embodiment of the invention.
According to embodiments of the invention, described control treatment can be similar to the control treatment of x86 compilation, and control treatment is divided into two large classes, and a class is redirect process, and another kind of is return process.Redirect process can revise current execution sequence, and jump to the process of specifying and start to perform, redirect process can be similar to the jump instruction in x86 compilation, comprises conditional jump and unconditional redirect; Return process and can terminate current detection (removing) process immediately, and appointment can be shown return results as killing target or non-killing target, return process also can collect with x86 in jump instruction similar, the condition of comprising returns and returns with unconditional.
According to embodiments of the invention, the matching process of step S103c supports wildcards and floating (sliding) search, and may include one or more of the following processes:
- matching using the opcode, operands and length of the instruction located at the result of the arithmetic and/or logic control processing;
- matching using compiler information obtained by analysing the entry instruction sequence of the PE (portable executable) file;
- matching using the attribute information, resource information and/or version information of the file under detection, where the attribute information may include the file name, file size and so on, and the resource information includes the type, size and name of resources;
- matching using the import function information and/or export function information of the PE file, where the import function information includes the number and names of imported modules and imported functions, and the export function information includes the number and names of exported modules and exported functions; and
- matching using a hash value computed over a specified position and length of the file under detection.
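The wildcard and floating search of the matching process, and the position/length hash match of the last item, can be illustrated with the following Python. It is an added example, not code from the patent or from the applicant's products: the signature syntax (`??` for a one-byte wildcard, `[n-m]` for a gap of n to m arbitrary bytes), the function names and the sample buffers are assumptions made for the example.

```python
import hashlib
import re
from typing import Optional

# Signature syntax assumed for this example: hex bytes separated by spaces,
# "??" for a one-byte wildcard, "[n-m]" for a gap of n to m arbitrary bytes.


def compile_signature(sig: str) -> re.Pattern:
    """Translate a hex signature into a bytes regular expression."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def match_at(data: bytes, sig: str, offset: int) -> bool:
    """Anchored binary match: the signature must start exactly at `offset`."""
    return compile_signature(sig).match(data, offset) is not None


def match_floating(data: bytes, sig: str, start: int = 0,
                   window: Optional[int] = None) -> Optional[int]:
    """Floating search: slide the signature over data[start:start+window]
    and return the offset of the first hit, or None when there is none."""
    end = len(data) if window is None else min(len(data), start + window)
    hit = compile_signature(sig).search(data, start, end)
    return hit.start() if hit else None


def region_hash(data: bytes, offset: int, length: int) -> Optional[str]:
    """SHA-256 of exactly `length` bytes at `offset`; None if the region runs
    past the end of the file (a truncated region must never match)."""
    region = data[offset:offset + length]
    if len(region) != length:
        return None
    return hashlib.sha256(region).hexdigest()


def match_region_hash(data: bytes, offset: int, length: int, expected: str) -> bool:
    """Position/length hash match: compare the region hash with the record's value."""
    return region_hash(data, offset, length) == expected


# Constructed samples (not real malware): a "call $+5 / pop ebp / sub ebp, imm32"
# decoder stub whose call operand and preceding padding differ between samples.
SAMPLE_A = b"\x90" * 16 + b"\xe8\x00\x00\x00\x00\x5d\x81\xed\x10\x20\x40\x00"
SAMPLE_B = b"\xcc" * 5 + b"\xe8\x11\x22\x33\x44\x5d\x81\xed\x10\x20\x40\x00"
DECODER_SIG = "E8 ?? ?? ?? ?? 5D 81 ED"

if __name__ == "__main__":
    for name, buf in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, "decoder stub at offset", match_floating(buf, DECODER_SIG))
```

The floating search is bounded by an explicit window so that a record can confine the search to the region the localization process selected, instead of scanning the whole file for every signature.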
According to embodiments of the invention, performing the localization process separately from the matching process effectively reduces the amount of input/output data and improves detection accuracy.
According to embodiments of the invention, each virus record described above is for one kind of computer virus and contains a number of detection entries recording how to perform the localization, arithmetic and/or logic control, and matching processes, together with a number of cleaning entries recording how to perform the virus cleaning process. The detection processing then comprises, for each virus record, subjecting the file under detection to the detection processing (localization, arithmetic and/or logic control, and matching) described by that record's detection entries; if every detection entry in the record executes successfully, the file under detection is judged to be an infected file. Specifically, the localization, arithmetic and/or logic control, and matching processes in the detection entries of each virus record are executed against the file under detection; if the process in any detection entry fails, detection against that record ends, and if the processes in every detection entry succeed, the file under detection is judged to be an infected file.
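As an added illustration, not the patent's own implementation, the following Python interprets one virus record in the manner described above: constant, reference and load variables, x86-like arithmetic and compare on a few registers, conditional jump and conditional/unconditional return, processes addressed by GUID, and the rule that every detection entry must succeed before the file is judged infected. The GUIDs, the process set, the record format and the sample bytes are assumptions made for the example.

```python
import struct
import uuid
from typing import List, Tuple

# Each process is addressed by a GUID, the patent's unique process identifier.
# These GUIDs, the process set and the sample bytes are invented for this example.
CONST, REF, LOAD, ADD, CMP, JZ, RET, MATCH = (
    "00000000-0000-4000-8000-00000000000%d" % n for n in range(1, 9))


class Machine:
    """State for one record: variables, registers, zero flag, entry index, verdict."""
    def __init__(self, data: bytes):
        self.data, self.vars, self.regs = data, {}, {"r0": 0, "r1": 0, "r2": 0, "r3": 0}
        self.zf, self.pc, self.verdict = False, 0, None   # verdict is None while running

    def value(self, operand):
        """Resolve an immediate, a register name or a variable name."""
        if isinstance(operand, int):
            return operand
        return self.regs[operand] if operand in self.regs else self.vars[operand]


def p_const(m, name, value):           # constant variable: set directly, like in C
    m.vars[name] = value
    return True

def p_ref(m, name, other):             # reference variable: reuse another result
    m.vars[name] = m.value(other)
    return True

def p_load(m, reg, offset, width):     # load variable: little-endian int from the file
    off = m.value(offset)
    if off < 0 or off + width > len(m.data):
        return False                   # outside the file: the entry fails
    m.regs[reg] = int.from_bytes(m.data[off:off + width], "little")
    return True

def p_add(m, reg, operand):            # arithmetic, 32-bit wrap like x86
    m.regs[reg] = (m.regs[reg] + m.value(operand)) & 0xFFFFFFFF
    return True

def p_cmp(m, a, b):                    # compare: only the zero flag is modelled
    m.zf = m.value(a) == m.value(b)
    return True

def p_jz(m, target):                   # conditional jump to another entry index
    if m.zf:
        m.pc = target
    return True

def p_ret(m, verdict, only_if_zero=False):   # conditional / unconditional return
    if not only_if_zero or m.zf:
        m.verdict = verdict
    return True

def p_match(m, offset, hexbytes):      # anchored binary match at a computed offset
    pat = bytes.fromhex(hexbytes)
    off = m.value(offset)
    return m.data[off:off + len(pat)] == pat

# Registry keyed by GUID: adding a process is one more entry here, and existing
# records and processes are untouched.
PROCESSES = {uuid.UUID(g): fn for g, fn in [(CONST, p_const), (REF, p_ref), (LOAD, p_load),
             (ADD, p_add), (CMP, p_cmp), (JZ, p_jz), (RET, p_ret), (MATCH, p_match)]}


def run_record(data: bytes, record: List[Tuple[str, tuple]]) -> bool:
    """Execute one virus record: every detection entry must succeed, and the
    first failing entry ends detection with 'not this virus'."""
    m = Machine(data)
    while 0 <= m.pc < len(record) and m.verdict is None:
        guid, args = record[m.pc]
        m.pc += 1                      # sequential flow unless a jump overrides it
        if not PROCESSES[uuid.UUID(guid)](m, *args):
            return False
    return m.verdict if m.verdict is not None else True


# Constructed sample "files" (not real malware): the dword at 0x10 points at a
# decoder stub (pushad; call $+5; pop ebp) placed at 0x20, or is zero when clean.
SAMPLE_INFECTED = (b"\x00" * 0x10 + struct.pack("<I", 0x20) + b"\x00" * 0x0C
                   + b"\x60\xe8\x00\x00\x00\x00\x5d" + b"\x00" * 9)
SAMPLE_CLEAN = b"\x00" * 0x10 + struct.pack("<I", 0) + b"\x00" * 0x1C

DEMO_RECORD = [
    (CONST, ("ptr_off", 0x10)),            # 0: where the stub pointer lives
    (LOAD,  ("r0", "ptr_off", 4)),         # 1: r0 = dword at 0x10
    (CMP,   ("r0", 0)),                    # 2: a null pointer is not this virus ...
    (JZ,    (7,)),                         # 3: ... so jump to the clean return
    (ADD,   ("r0", 1)),                    # 4: skip the leading pushad
    (MATCH, ("r0", "E8 00 00 00 00 5D")),  # 5: call $+5 / pop ebp must follow
    (RET,   (True,)),                      # 6: unconditional return: infected
    (RET,   (False,)),                     # 7: clean
]
```

`run_record(SAMPLE_INFECTED, DEMO_RECORD)` returns True and `run_record(SAMPLE_CLEAN, DEMO_RECORD)` returns False; a file too short for the load at 0x10 fails at entry 1 and is reported clean without reaching the matcher, which is the short-circuit behaviour the paragraph above describes.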
After the detection processing of step S103, step S105 is performed: a virus cleaning process is carried out on the one or more files under detection that matched a record among the virus records. According to embodiments of the invention, the cleaning process is performed on the infected file according to the cleaning entries in the corresponding virus record. The cleaning process may include one or more of the following: deleting the infected file, i.e. removing it outright; modifying the entry point address of the infected file, for example the entry point address of an infected PE file; writing a data block to a specified region of the infected file, i.e. filling the region with a data block; copying a data block within the infected file; deleting a specified section of the infected file and adjusting its format accordingly, for example deleting a specified section of an infected PE file and adjusting the file structure to match; deleting data of a specified size from the head and/or tail of the infected file; and setting the size of the infected file.
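The following Python, added here as an example and not taken from the patent, shows the PE-structure localization the method works from (PE header, optional header, data directory, section table, sections, the entry point as RVA and as file offset, and the offset of appended data) and then applies three of the cleaning processes listed above to a constructed infected sample: modify the entry point, write a data block over a region, and set the file size so that the appended data is dropped. The two-section PE, the infection layout (the stub keeps the original entry point at stub+8) and all names are assumptions made for the example.

```python
import struct
from typing import Dict, List, Tuple

Section = Tuple[bytes, int, int, int, int]   # name, rva, vsize, raw_ptr, raw_size


def rva_to_file(sections: List[Section], rva: int) -> int:
    """Map an RVA to a file offset through the section table (-1 if unmapped)."""
    for _, s_rva, vsize, raw_ptr, raw_size in sections:
        if s_rva <= rva < s_rva + max(vsize, raw_size):
            return raw_ptr + (rva - s_rva)
    return -1


def pe_offsets(data: bytes) -> Dict:
    """Locate the PE structures a localization process starts from."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                 # optional header
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    data_dir = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+
    sec_tab = opt + opt_size
    sections: List[Section] = []
    for i in range(nsec):
        s = sec_tab + 40 * i
        name = data[s:s + 8].rstrip(b"\0")
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((name, rva, vsize, raw_ptr, raw_size))
    overlay = max([p + n for _, _, _, p, n in sections] + [0])   # appended data starts here
    return {"pe_header": e_lfanew, "optional": opt, "data_directory": data_dir,
            "section_table": sec_tab, "sections": sections, "entry_rva": entry_rva,
            "entry_file": rva_to_file(sections, entry_rva), "overlay": overlay}


def section_hdr(name, rva, vsize, raw_ptr, raw_size, flags) -> bytes:
    return struct.pack("<8sIIIIIIHHI", name, vsize, rva, raw_size, raw_ptr, 0, 0, 0, 0, flags)


def build_sample_pe(entry_rva: int, text=b"", data=b"", overlay=b"") -> bytes:
    """Constructed two-section PE32 with 0x200 file alignment; not a real program."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    hdr = (dos + coff + opt
           + section_hdr(b".text", 0x1000, 0x200, 0x200, 0x200, 0x60000020)
           + section_hdr(b".data", 0x2000, 0x200, 0x400, 0x200, 0xC0000040))
    return bytes(hdr.ljust(0x200, b"\0") + text.ljust(0x200, b"\0")
                 + data.ljust(0x200, b"\0") + overlay)


# Constructed infection (assumed layout): the entry point is moved to a stub in
# .data that stores the original entry point (OEP) at stub+8, and 16 bytes are
# appended after the last section.
STUB = b"\x60\xe8\x00\x00\x00\x00\x5d\x00" + struct.pack("<I", 0x1000)
INFECTED = build_sample_pe(0x2010, text=b"\xb8\x00\x00\x00\x00\xc3",
                           data=b"\x00" * 0x10 + STUB, overlay=b"\xcc" * 16)


def clean_sample(data: bytes) -> bytes:
    """Three cleaning processes from the list above: restore the entry point,
    write a data block over the stub region, and set the file size (drop overlay)."""
    info = pe_offsets(data)
    stub = info["entry_file"]
    oep, = struct.unpack_from("<I", data, stub + 8)
    out = bytearray(data[:info["overlay"]])                   # set file size
    struct.pack_into("<I", out, info["optional"] + 16, oep)   # modify entry point
    out[stub:stub + len(STUB)] = b"\0" * len(STUB)            # write data block
    return bytes(out)
```

`pe_offsets` is what a record's localization entries would consume: the PE header, optional header, data directory and section table offsets are fixed positions relative to `e_lfanew`, whereas the entry point and appended-data offsets depend on the section table and so must be computed per file.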
The method for detecting and removing viruses provided by the invention can be used inside a virtual machine and can be applied to malware (virus) behaviour analysis, virus detection and removal, unpacking and similar fields. According to embodiments of the invention, XML is used to describe the scripting language and the virus records, which makes it convenient to manage and retrieve a very large number of virus records, while the script can be compiled into a binary virus database file to ensure high efficiency when detecting and removing viruses. The invention uses a script resembling x86 assembly instructions to describe virus records, providing assembly-like control flexibility together with a high level of behavioural abstraction. Each process is itself relatively simple, but because the framework is flexible enough, virus records of complexity comparable to assembly code can be written. The invention greatly increases the flexibility and efficiency of traditional signature-based detection and improves the applicability of signature-based detection to polymorphic and metamorphic viruses and to virus families. The invention uses a GUID as the unique identifier of each process and therefore has strong extensibility: as long as a certain specification is followed, new processes can be added without affecting the existing detection and cleaning processes and virus records. Most processes in the invention involve no system input/output operations, and some involve only a very small amount, so viruses are detected and removed quickly.
Corresponding to the method 100 above, the invention also provides a device 200 for detecting and removing viruses; see Fig. 2. The device 200 comprises:
a script editing and compiling module 201, for writing a script for detecting and removing viruses in a scripting language and compiling the script into a binary virus database file; the script editing and compiling module 201 may be used to perform step S101 of the method 100;
a detection module 203, for the detection processing that detects computer viruses, comprising:
- a localization sub-module 203a, for performing, based on the plurality of virus records contained in the virus database file, localization processing on the file under detection based on file offset, memory image offset and/or PE file structure; the localization sub-module 203a may be used to perform step S103a of the method 100;
- an arithmetic and logic control sub-module 203b, for performing arithmetic processing and/or logic control processing using the result of the localization processing as a variable; the arithmetic and logic control sub-module 203b may be used to perform step S103b of the method 100;
- a matching sub-module 203c, for performing, based on the plurality of virus records contained in the virus database file, matching processing on the result of the arithmetic and/or logic control processing, the matching processing comprising binary matching and/or opcode matching; the matching sub-module 203c may be used to perform step S103c of the method 100; and
a cleaning module 205, for performing virus cleaning processing on the one or more files under detection that matched a record among the plurality of virus records; the cleaning module 205 may be used to perform step S105 of the method 100.
In an embodiment of the invention, the script is described using the Extensible Markup Language (XML).
In an embodiment of the invention, the PE file structure comprises the PE entry point offset, the PE header offset, the PE data directory offset, the PE appended data (overlay) offset, the PE section table offset and/or the PE section offsets.
In an embodiment of the invention, the localization processing comprises positioning according to call, jmp, jcc and/or loop instructions resolved by simulating the CPU (central processing unit).
In an embodiment of the invention, each virus record in the plurality of virus records has its own file characteristic; the localization sub-module 203a checks the file characteristic of the file under detection and performs the localization processing based on file offset, memory image offset and/or PE file structure using those virus records whose file characteristic the file under detection satisfies.
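The localization by simulated resolution of call, jmp, jcc and loop instructions can be illustrated as follows. This Python is an added example, not the patent's code: it decodes only the relative-branch encodings listed in it, assumes conditional branches are taken (the scanner has no flag state), and the sample byte chain is constructed for the example.

```python
import struct
from typing import List, Optional, Tuple

# Relative-branch encodings followed here (a subset, assumed sufficient for the example).
REL8 = {0xEB: "jmp", 0xE0: "loopne", 0xE1: "loope", 0xE2: "loop"}   # plus 70..7F jcc
REL32 = {0xE8: "call", 0xE9: "jmp"}                                 # plus 0F 80..8F jcc

Hop = Tuple[int, str, int]   # (offset of the branch, mnemonic, branch target)


def decode_branch(code: bytes, ip: int) -> Optional[Tuple[str, int, int]]:
    """Decode a relative branch at `ip` as (mnemonic, length, target), or None
    when the byte there is not one of the branches handled."""
    op = code[ip]
    if op in REL8 or 0x70 <= op <= 0x7F:
        kind, length, fmt, at = REL8.get(op, "jcc"), 2, "<b", ip + 1
    elif op in REL32:
        kind, length, fmt, at = REL32[op], 5, "<i", ip + 1
    elif op == 0x0F and ip + 1 < len(code) and 0x80 <= code[ip + 1] <= 0x8F:
        kind, length, fmt, at = "jcc", 6, "<i", ip + 2
    else:
        return None
    if ip + length > len(code):
        return None                          # truncated: never read past the buffer
    rel = struct.unpack_from(fmt, code, at)[0]
    return kind, length, ip + length + rel   # x86: target = next instruction + rel


def follow_branches(code: bytes, entry: int,
                    max_hops: int = 32) -> Tuple[Optional[int], List[Hop]]:
    """Simulate the CPU through a chain of call/jmp/jcc/loop starting at `entry`.
    Returns the first offset holding a non-branch instruction (None if the chain
    leaves the buffer, loops, or exceeds max_hops) and the hops taken."""
    ip, trail, seen = entry, [], set()
    while True:
        if not 0 <= ip < len(code) or ip in seen or len(trail) >= max_hops:
            return None, trail
        hop = decode_branch(code, ip)
        if hop is None:
            return ip, trail
        seen.add(ip)
        trail.append((ip, hop[0], hop[2]))
        ip = hop[2]


# Constructed sample (not real malware): the entry point hides the real start
# (pushad; call $+5; pop ebp at 0x22) behind five chained branches and junk.
CHAIN = bytes.fromhex(
    "E905000000"    # 0x00  jmp  +5       -> 0x0A
    "9090909090"    # 0x05  junk
    "EB02"          # 0x0A  jmp short +2  -> 0x0E
    "CCCC"          # 0x0C  junk
    "7402"          # 0x0E  jz +2         -> 0x12 (assumed taken)
    "CCCC"          # 0x10  junk
    "E803000000"    # 0x12  call +3       -> 0x1A
    "CCCCCC"        # 0x17  junk
    "0F8402000000"  # 0x1A  je near +2    -> 0x22
    "CCCC"          # 0x20  junk
    "60"            # 0x22  pushad        <- real start
    "E800000000"    # 0x23  call $+5
    "5D")           # 0x28  pop ebp

if __name__ == "__main__":
    end, trail = follow_branches(CHAIN, 0)
    print("real start at", hex(end), "after", len(trail), "branches")
```

The `seen` set and `max_hops` bound are the caveat a practitioner wants here: a record that follows branches on attacker-controlled bytes must terminate on `jmp $` style loops and on chains that never settle, or the scanner itself becomes the target.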
In an embodiment of the invention, the matching processing supports wildcards and floating search and comprises one or more of the following processes:
matching using the opcode, operands and length of the instruction located at the result of the arithmetic and/or logic control processing;
matching using compiler information obtained by analysing the entry instruction sequence of the PE file;
matching using the attribute information, resource information and/or version information of the file under detection;
matching using the import function information and/or export function information of the PE file, the import function information comprising the number and names of imported modules and imported functions, and the export function information comprising the number and names of exported modules and exported functions; and
matching using a hash value computed over a specified position and length of the file under detection.
In an embodiment of the invention, the arithmetic processing comprises addition, subtraction, multiplication, division, logical AND, logical OR, shift and compare processes.
In an embodiment of the invention, the logic control processing comprises jump processing and return processing, the jump processing comprising conditional jump processing and unconditional jump processing, and the return processing comprising conditional return processing and unconditional return processing.
In an embodiment of the invention, each virus record is for one kind of computer virus and comprises a number of detection entries recording how to perform the localization processing, the arithmetic and/or logic control processing and the matching processing, and a number of cleaning entries recording how to perform the virus cleaning processing; for each virus record, the detection module 203 uses its detection entries to subject the file under detection to detection processing comprising the localization processing, the arithmetic and/or logic control processing and the matching processing, and if every detection entry of that record is executed successfully, the file under detection is judged to be an infected file.
In an embodiment of the invention, the cleaning module 205 performs the virus cleaning processing on the infected file according to the cleaning entries in the corresponding virus record.
In an embodiment of the invention, the cleaning module 205 performs one or more of the following processes:
deleting the infected file;
modifying the entry point address of the infected file;
writing a data block to a specified region of the infected file;
copying a data block within the infected file;
deleting a specified section of the infected file and adjusting the format of the infected file;
deleting data of a specified size from the head and/or tail of the infected file;
setting the size of the infected file.
Since each of the device embodiments above corresponds to the method embodiments described earlier, the device embodiments are not described in further detail.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used together with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that the content of the invention described here may be implemented in various programming languages, and that the description given above of a specific language serves to disclose the best mode of the invention.
In the specification provided herein, a large number of specific details are described. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid the understanding of one or more of the various inventive aspects, in the description of exemplary embodiments above the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules in an embodiment may be combined into one module, unit or component, and may in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or modules are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The device embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all modules of the device according to embodiments of the invention. The invention may also be embodied as a device program (for example a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the embodiments above describe rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Claims (22)

1. A method (100) for detecting and removing viruses, comprising:
writing a script for detecting and removing viruses in a scripting language and compiling the script into a binary virus database file;
detection processing for detecting computer viruses, comprising:
- based on a plurality of virus records contained in the virus database file, performing localization processing on a file under detection based on file offset, memory image offset and/or PE (portable executable) file structure;
- performing arithmetic processing and/or logic control processing using the result of the localization processing as a variable;
- based on the plurality of virus records contained in the virus database file, performing matching processing on the result of the arithmetic and/or logic control processing, the matching processing comprising binary matching and/or opcode matching; and
performing virus cleaning processing on the one or more files under detection that match a record among the plurality of virus records,
wherein each of said processes has a unique Globally Unique Identifier (GUID), and, for the localization processing, the corresponding parameter parsing process is invoked through its GUID at compile time to convert the localization processing; and the localization processing is performed separately from the matching processing.
2. The method of claim 1, wherein the script is described using the Extensible Markup Language (XML).
3. The method of claim 1, wherein the PE file structure comprises the PE entry point offset, the PE header offset, the PE data directory offset, the PE appended data offset, the PE section table offset and/or the PE section offsets.
4. The method of claim 1, wherein the localization processing comprises positioning according to call, jmp, jcc and/or loop instructions resolved by simulating the CPU (central processing unit).
5. The method of claim 1, wherein each virus record in the plurality of virus records has its own file characteristic,
and in the step of performing, based on the plurality of virus records contained in the virus database file, localization processing on the file under detection based on file offset, memory image offset and/or PE file structure, the file characteristic of the file under detection is checked, and the localization processing based on file offset, memory image offset and/or PE file structure is performed on the file under detection using those virus records whose file characteristic the file under detection satisfies.
6. The method of claim 1, wherein the matching processing supports wildcards and floating search and comprises one or more of the following processes:
matching using the opcode, operands and length of the instruction located at the result of the arithmetic and/or logic control processing;
matching using compiler information obtained by analysing the entry instruction sequence of the PE file;
matching using the attribute information, resource information and/or version information of the file under detection;
matching using the import function information and/or export function information of the PE file, the import function information comprising the number and names of imported modules and imported functions, and the export function information comprising the number and names of exported modules and exported functions; and
matching using a hash value computed over a specified position and length of the file under detection.
7. The method of claim 1, wherein the arithmetic processing comprises one or more of addition, subtraction, multiplication, division, logical AND, logical OR, shift and compare processes.
8. The method of claim 1, wherein the logic control processing comprises jump processing and return processing, the jump processing comprising conditional jump processing and unconditional jump processing, and the return processing comprising conditional return processing and unconditional return processing.
9. The method of any one of claims 1 to 8, wherein each virus record is for one kind of computer virus and comprises a plurality of detection entries recording how to perform the localization processing, the arithmetic and/or logic control processing and the matching processing, and a plurality of cleaning entries recording how to perform the virus cleaning processing,
and the detection processing comprises: for each virus record, using its plurality of detection entries to subject the file under detection to detection processing comprising the localization processing, the arithmetic and/or logic control processing and the matching processing, and, if every detection entry of the plurality of detection entries is executed successfully, judging the file under detection to be an infected file.
10. The method of claim 9, wherein the step of performing virus cleaning processing on the file under detection comprises: performing the virus cleaning processing on the infected file according to the plurality of cleaning entries in the corresponding virus record.
11. The method of claim 10, wherein the step of performing virus cleaning processing on the infected file comprises one or more of the following processes:
deleting the infected file;
modifying the entry point address of the infected file;
writing a data block to a specified region of the infected file;
copying a data block within the infected file;
deleting a specified section of the infected file and adjusting the format of the infected file;
deleting data of a specified size from the head and/or tail of the infected file;
setting the size of the infected file.
12. A device (200) for detecting and removing viruses, comprising:
a script editing and compiling module (201), for writing a script for detecting and removing viruses in a scripting language and compiling the script into a binary virus database file;
a detection module (203), for the detection processing that detects computer viruses, comprising:
- a localization sub-module (203a), for performing, based on a plurality of virus records contained in the virus database file, localization processing on a file under detection based on file offset, memory image offset and/or PE (portable executable) file structure;
- an arithmetic and logic control sub-module (203b), for performing arithmetic processing and/or logic control processing using the result of the localization processing as a variable;
- a matching sub-module (203c), for performing, based on the plurality of virus records contained in the virus database file, matching processing on the result of the arithmetic and/or logic control processing, the matching processing comprising binary matching and/or opcode matching; and
a cleaning module (205), for performing virus cleaning processing on the one or more files under detection that match a record among the plurality of virus records,
wherein each of said processes has a unique Globally Unique Identifier (GUID), and, for the localization processing, the corresponding parameter parsing process is invoked through its GUID at compile time to convert the localization processing; and the localization processing of the localization sub-module is performed separately from the matching processing of the matching sub-module.
13. The device of claim 12, wherein the script is described using the Extensible Markup Language (XML).
14. The device of claim 12, wherein the PE file structure comprises the PE entry point offset, the PE header offset, the PE data directory offset, the PE appended data offset, the PE section table offset and/or the PE section offsets.
15. The device of claim 12, wherein the localization processing comprises positioning according to call, jmp, jcc and/or loop instructions resolved by simulating the CPU (central processing unit).
16. The device of claim 12, wherein each virus record in the plurality of virus records has its own file characteristic,
and the localization sub-module (203a) checks the file characteristic of the file under detection and performs the localization processing based on file offset, memory image offset and/or PE file structure on the file under detection using those virus records whose file characteristic the file under detection satisfies.
17. The device of claim 12, wherein the matching processing supports wildcards and floating search and comprises one or more of the following processes:
matching using the opcode, operands and length of the instruction located at the result of the arithmetic and/or logic control processing;
matching using compiler information obtained by analysing the entry instruction sequence of the PE file;
matching using the attribute information, resource information and/or version information of the file under detection;
matching using the import function information and/or export function information of the PE file, the import function information comprising the number and names of imported modules and imported functions, and the export function information comprising the number and names of exported modules and exported functions; and
matching using a hash value computed over a specified position and length of the file under detection.
18. The device of claim 12, wherein the arithmetic processing comprises one or more of addition, subtraction, multiplication, division, logical AND, logical OR, shift and compare processes.
19. The device of claim 12, wherein the logic control processing comprises jump processing and return processing, the jump processing comprising conditional jump processing and unconditional jump processing, and the return processing comprising conditional return processing and unconditional return processing.
20. The device of any one of claims 12 to 19, wherein each virus record is for one kind of computer virus and comprises a plurality of detection entries recording how to perform the localization processing, the arithmetic and/or logic control processing and the matching processing, and a plurality of cleaning entries recording how to perform the virus cleaning processing,
and the detection module (203), for each virus record, uses its plurality of detection entries to subject the file under detection to detection processing comprising the localization processing, the arithmetic and/or logic control processing and the matching processing, and, if every detection entry of the plurality of detection entries is executed successfully, judges the file under detection to be an infected file.
21. The device of claim 20, wherein the cleaning module (205) performs the virus cleaning processing on the infected file according to the plurality of cleaning entries in the corresponding virus record.
22. The device of claim 21, wherein the cleaning module (205) performs one or more of the following processes:
deleting the infected file;
modifying the entry point address of the infected file;
writing a data block to a specified region of the infected file;
copying a data block within the infected file;
deleting a specified section of the infected file and adjusting the format of the infected file;
deleting data of a specified size from the head and/or tail of the infected file;
setting the size of the infected file.
CN201210328695.7A 2012-09-06 2012-09-06 Method and apparatus for detecting and removing viruses Active CN102867144B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210328695.7A CN102867144B (en) 2012-09-06 2012-09-06 Method and apparatus for detecting and removing viruses

Publications (2)

Publication Number Publication Date
CN102867144A CN102867144A (en) 2013-01-09
CN102867144B true CN102867144B (en) 2015-08-19

Family

ID=47446011

Country Status (1)

Country Link
CN (1) CN102867144B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103995814B (en) * 2013-02-20 2017-04-05 腾讯科技(深圳)有限公司 Method and system for looking up the final parent of a virus
CN103778188A (en) * 2013-12-31 2014-05-07 网秦(北京)科技有限公司 Method and equipment for querying and/or maintaining data in a library file
CN104850782B (en) 2014-02-18 2019-05-14 腾讯科技(深圳)有限公司 Method and device for matching virus features
CN104077526B (en) * 2014-06-20 2018-03-06 珠海市君天电子科技有限公司 Analysis method and device, and processing method and device, for polymorphic viruses
CN104680067B (en) * 2015-02-15 2017-12-19 安一恒通(北京)科技有限公司 File detection method and device
CN108073814B (en) * 2017-12-29 2021-10-15 安天科技集团股份有限公司 Shelling method and system based on static structured shelling parameters and storage medium
CN112580032B (en) * 2019-09-30 2023-06-06 奇安信安全技术(珠海)有限公司 File shell identification method and device, storage medium and electronic device
CN111143848A (en) * 2019-12-31 2020-05-12 成都科来软件有限公司 System for recording sample behaviors and formulating virus rules
CN113935031B (en) * 2020-12-03 2022-07-05 奇安信网神信息技术(北京)股份有限公司 Method and system for file feature extraction range configuration and static malicious software identification

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1936910A (en) * 2005-11-16 2007-03-28 白杰 Method for identifying unknown virus programs and clearing method thereof
CN1983295A (en) * 2005-12-12 2007-06-20 北京瑞星国际软件有限公司 Method and device for recognizing virus
CN101017523A (en) * 2006-04-14 2007-08-15 北京瑞星国际软件有限公司 Scanning system for virus and method therefor
CN101281571A (en) * 2008-04-22 2008-10-08 白杰 Method for defending unknown virus program
CN101976319A (en) * 2010-11-22 2011-02-16 张平 BIOS firmware Rootkit detection method based on behaviour characteristic

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003015899A (en) * 2001-07-05 2003-01-17 Hitachi Information Systems Ltd Device and method for aiding dealing with detection of computer virus and its processing program

Also Published As

Publication number Publication date
CN102867144A (en) 2013-01-09

Similar Documents

Publication Publication Date Title
CN102867144B (en) A kind of for detecting the method and apparatus with dump virus
Wang et al. Ramblr: Making Reassembly Great Again.
Hu et al. Binary code clone detection across architectures and compiling configurations
Christodorescu et al. Malware normalization
Zhang et al. Dexhunter: toward extracting hidden code from packed android applications
Fioraldi et al. WEIZZ: Automatic grey-box fuzzing for structured binary formats
Bruschi et al. Code normalization for self-mutating malware
Chen et al. Detecting android malware using clone detection
Carmony et al. Extract Me If You Can: Abusing PDF Parsers in Malware Detectors.
US7636945B2 (en) Detection of polymorphic script language viruses by data driven lexical analysis
US9792433B2 (en) Method and device for detecting malicious code in an intelligent terminal
WO2015101097A1 (en) Method and device for feature extraction
WO2015101042A1 (en) Method and device for detecting malicious code in smart terminal
WO2015101043A1 (en) Method and device for detecting malicious code in smart terminal
Haq et al. Malware lineage in the wild
Ďurfina et al. Design of a retargetable decompiler for a static platform-independent malware analysis
Kalysch et al. VMAttack: deobfuscating virtualization-based packed binaries
CN104318161A (en) Virus detection method and device for Android samples
CN107526970B (en) Method for detecting runtime program bugs based on dynamic binary platform
CN105550581A (en) Malicious code detection method and device
Anju et al. Malware detection using assembly code and control flow graph optimization
Adkins et al. Heuristic malware detection via basic block comparison
US20220107827A1 (en) Applying security mitigation measures for stack corruption exploitation in intermediate code files
CN103559447A (en) Detection method, detection device and detection system based on virus sample characteristics
CN114462044A (en) UEFI (unified extensible firmware interface) firmware vulnerability static detection method and device based on taint analysis

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
    Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
    Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
    Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.
    Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
    Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
    Patentee before: Qizhi software (Beijing) Co.,Ltd.
TR01 Transfer of patent right
    Effective date of registration: 20220331
    Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
    Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.
    Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
    Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
    Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.