CN107392023A - A method for evading antivirus software uploading PE files during penetration testing - Google Patents
- Publication number
- CN107392023A
- Authority
- CN
- China
- Prior art keywords
- file
- files
- block
- antivirus software
- penetration testing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Debugging And Monitoring (AREA)
Abstract
A method for evading the upload of PE files by antivirus software during penetration testing, comprising the following steps: a) determine the current size of the PE file and the size of the file after enlargement; b) locate the last section header; c) append a new section header, set the size of the section it describes and the section's attributes; d) append bytes for that section at the end of the file; e) save the file; f) verify the file size; g) run the PE file and check whether the load time changes. Compared with the prior art, the method relies on the behaviour of current antivirus cloud-scanning mechanisms, which, when scanning a large file, can typically only extract feature values and cannot upload the file itself for analysis and processing; by enlarging the PE file, the method evades the antivirus upload of the PE file, improving penetration-testing efficiency while also closing the data-security gap.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method for evading antivirus software uploading PE files during penetration testing.
Background technology
Security protection software currently uses a cloud scanning mechanism. When the security software detects a suspicious file, it first checks the file against the local virus signature database and the local known-good file database (whitelist). If the check finds that the file matches neither an existing virus signature nor a local known-good file, the file's features are submitted to the cloud database for checking. If the cloud check identifies the file as a virus, the cloud identification result is returned. If the cloud check finds that it is an entirely new file, a suspicious file never seen before, the suspicious file is uploaded.
Penetration testing is a method of assessing the security of a computer network system by simulating the attack methods of malicious hackers. The process includes active analysis of any weakness, technical defect or vulnerability of the system; this analysis is carried out from the position a potential attacker would occupy, and from that position security vulnerabilities may be actively exploited under controlled conditions. In penetration testing, to speed up the security assessment, testing tools are usually developed to perform various detection, scanning and sniffing functions. Because these operations resemble a malicious attack process in some respects, they easily trigger the antivirus software's cloud scanning mechanism. Once it is triggered, the antivirus software uploads the testing tool and issues a security policy that prevents the tool from running, which not only leaks the intellectual property of the testing tool but also affects the progress of the penetration test.
PE is a file format for executable files, object files and dynamic link libraries, used mainly in 32-bit and 64-bit Windows operating systems. "Portable" refers to the generality of the format, which can be used across many different operating systems and architectures. The PE file format encapsulates the information the Windows operating system needs to load executable program code, including dynamic link libraries, API import and export tables, resource management data, thread-local storage data and so on.
In penetration testing, the testing tools developed are usually PE (Portable Executable) files. At present, penetration-testing efficiency is relatively low, and the PE testing tools are easily uploaded, analysed or killed, leaving a major gap in data security.
The content of the invention
The aim of the present invention is to provide a method for evading antivirus software uploading PE files during penetration testing, so as to solve the technical problems of the prior art: penetration-testing efficiency is relatively low, PE testing tools are easily uploaded, analysed or killed, and data security has a major gap.
The technical solution of the invention is realised as follows:
A method for evading antivirus software uploading PE files during penetration testing, comprising the following steps:
a) Locate the NumberOfSections field in the PE file header and add 1 to its original value;
b) Determine the current PE file size M and the file size N after enlargement;
c) Locate the section table of the PE file and determine the last section header;
d) Append a new section header after the last section header, set the size of the section it describes to L, set the offset of the new section (section offsets are aligned to a base S), and set the section's attributes;
e) Append L bytes for that section at the end of the file;
f) Save the file;
g) Check the file size after the L bytes have been added and confirm that it matches the set file size N; if it does not, repeat steps a) to e); if it does, proceed to the next step;
h) Run the PE file and check whether the load time changes.
Preferably, in step d), the attribute of the section is set to read-only.
Preferably, in step e), some of the bytes appended at the end of the file are random numbers.
Preferably, in step e), all of the bytes appended at the end of the file are random numbers.
Compared with prior art, the present invention has following beneficial effect:
The method of the present invention relies on the behaviour of current antivirus cloud-scanning mechanisms: when scanning a large file (more than 100,000,000 in size), they can typically only extract feature values and cannot upload the file itself for analysis and processing. By enlarging the PE file, the method evades the antivirus upload of the PE file, improving penetration-testing efficiency while also closing the data-security gap.
Brief description of the drawings
Fig. 1 is a flowchart of the method of the present invention for evading antivirus software uploading PE files during penetration testing;
Fig. 2 is a structure diagram of a PE file in the prior art;
Fig. 3 is a structure diagram of a PE file after enlargement according to the present invention;
Fig. 4 is the application properties dialog of the embodiment of the present invention;
Fig. 5 is the putty application configuration interface of the embodiment of the present invention;
Fig. 6 is the section table of the PE file of the embodiment of the present invention;
Fig. 7 is the section header information of the PE file of the embodiment of the present invention;
Fig. 8 is the section attribute settings of the PE file of the embodiment of the present invention;
Fig. 9 is the Hexeditor byte insertion configuration interface of the embodiment of the present invention;
Fig. 10 is the section header information table of the PE file after modification in the embodiment of the present invention;
Fig. 11 is the PE file properties after modification in the embodiment of the present invention;
Fig. 12 is the putty application configuration interface after modification in the embodiment of the present invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the present invention is clearly and completely described.
As shown in Fig. 1, a method for evading antivirus software uploading PE files during penetration testing comprises the following steps:
a) Locate the NumberOfSections field in the PE file header and add 1 to its original value;
b) Determine the current PE file size M and the file size N after enlargement;
c) Locate the section table of the PE file and determine the last section header;
d) Append a new section header after the last section header, set the size of the section it describes to L, set the offset of the new section (section offsets are aligned to a base S, where S may be 1000h), and set the section's attributes;
e) Append L bytes for that section at the end of the file;
f) Save the file;
g) Check the file size after the L bytes have been added and confirm that it matches the set file size N; if it does not, repeat steps a) to e); if it does, proceed to the next step;
h) Run the PE file and check whether the load time changes.
In step d), the attribute of the section is set to read-only, which ensures that under ordinary circumstances the file is not tampered with, copied or uploaded.
In step e), some of the bytes appended at the end of the file are random numbers.
In step e), all of the bytes appended at the end of the file are random numbers.
The random portion is intended to prevent an attacker from performing signature analysis on the file and thereby recovering the essential information and the added information.
A complete PE file consists of a DOS header, a PE file header, a section table, sections and debug information. A PE file uses a flat address space in which all code and data are merged together into one large structure. The content of the file is divided into different sections, and each section records whether it contains code, whether it is read-only or read/write, and so on. The DOS header begins with e_magic, whose value is fixed at 0x5a4d, i.e. the file starts with "MZ". The very beginning of the file is the DOS part, which consists of two components: the DOS MZ file signature and the DOS stub program. It is important that a PE file is not loaded into memory as a single memory-mapped file: the Windows loader (also called the PE loader) traverses the PE file and decides which parts of it to map, and this mapping places higher file offsets at higher memory addresses. Once the disk file has been loaded into memory, the layout of the data structures on disk is consistent with the layout of the data structures in memory. The PE structure is shown in Fig. 2.
Embodiment
As shown in Fig. 4 and Fig. 5, the flow for increasing the PE file size is as follows:
(1) Taking the putty application (PE format) as an example, open its properties to find that the file size is 484k bytes; double-click the file and it runs normally;
(2) Edit the PE file with the lordpe software, look up the section headers and find the last entry of the section table; add a section named idata, as shown in Fig. 6 and Fig. 7, set the section size to 256M (0x10000000), and change NumberOfSections from 4 to 5;
(3) As shown in Fig. 8, set the section attribute to read-only and save;
(4) As shown in Fig. 9 and Fig. 10, open the putty file with Hexeditor, append 512M bytes of random numbers at EOF, increase the SizeOfCode field of the PE file header by 0x10000000, and save the file;
(5) As shown in Fig. 11, check the putty file properties: the file size has increased by 512M;
(6) As shown in Fig. 12, run the putty software: it functions normally and the load time shows no significant change.
The PE structure after enlargement is shown in Fig. 3.
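As an added example that is not part of the patent, the following Python checker parses the DOS header, COFF header and section table described above and flags the artefact the embodiment produces: a section that is last on disk, read-only, runs to end of file and consists mostly of high-entropy bytes. The sample file it builds is a constructed toy (valid headers plus raw section data, not a loadable image); the section names, the thresholds (half the file, 7.0 bits per byte) and the 64 KiB bloat size are assumptions chosen for illustration, not values taken from the patent.

```python
"""Flag PE files whose last section looks like appended padding: large,
read-only and high-entropy. The sample PE built here is a constructed toy."""
import math
import random
import struct

# Section Characteristics flags from the PE/COFF specification
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0 for constant padding, close to 8 for random bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature (e_magic)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsect):  # NumberOfSections entries of 40 bytes each
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_ptr": rawptr, "flags": flags})
    return sections


def check_trailing_section(data: bytes, min_ratio: float = 0.5,
                           min_entropy: float = 7.0, sample: int = 1 << 20):
    """Return a finding if the section last on disk is read-only, runs to EOF
    (declared raw data plus any overlay past it), covers at least min_ratio of
    the file and is high-entropy; otherwise None. Thresholds are assumptions."""
    sections = parse_sections(data)
    if not sections:
        return None
    last = max(sections, key=lambda s: s["raw_ptr"])
    if last["flags"] & (IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE):
        return None  # code or writable data, not the read-only padding pattern
    region = data[last["raw_ptr"]:]
    ratio = len(region) / len(data)
    if ratio < min_ratio:
        return None
    entropy = shannon_entropy(region[:sample])  # sample the head, not all 512M
    if entropy < min_entropy:
        return None
    return {"name": last["name"], "ratio": round(ratio, 3),
            "entropy": round(entropy, 2),
            "overlay": len(region) - last["raw_size"]}  # bytes past SizeOfRawData


def build_sample_pe(bloat_size: int = 0, seed: int = 1) -> bytes:
    """Constructed toy: a 512-byte NOP '.text' section and, if bloat_size > 0,
    a trailing read-only '.idata' section of bloat_size pseudo-random bytes."""
    rng = random.Random(seed)
    secs = [(b".text", bytes([0x90]) * 0x200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)]
    if bloat_size:
        blob = bytes(rng.getrandbits(8) for _ in range(bloat_size))
        secs.append((b".idata", blob, IMAGE_SCN_MEM_READ | IMAGE_SCN_CNT_INITIALIZED_DATA))
    opt_size = 0xE0  # PE32 optional header size; its contents are zeroed in this toy
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x0102)
    raw_ptr = len(dos) + 4 + len(coff) + opt_size + 40 * len(secs)
    table, body, vaddr = b"", b"", 0x1000
    for name, content, flags in secs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), vaddr,
                             len(content), raw_ptr, 0, 0, 0, 0, flags)
        body += content
        raw_ptr += len(content)
        vaddr += (len(content) + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + body


if __name__ == "__main__":
    print("clean  :", check_trailing_section(build_sample_pe()))
    print("bloated:", check_trailing_section(build_sample_pe(bloat_size=64 * 1024)))
```

The checker samples only the first megabyte of the trailing region, so it stays cheap even on the 512M files the embodiment produces, and it reports any overlay beyond the declared SizeOfRawData, which is exactly what step (4) above creates when more bytes are appended than the section header claims. Legitimate files can also carry a large, high-entropy final section (compressed resources, embedded installers), so treat a hit as a triage signal to pair with file hashes and allowlists rather than as a verdict.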
In summary, the method of the present invention for evading antivirus software uploading PE files during penetration testing relies on the behaviour of current antivirus cloud-scanning mechanisms: when scanning a large file (more than 100,000,000 in size), they can typically only extract feature values and cannot upload the file itself for analysis and processing. By enlarging the PE file, the method evades the antivirus upload of the PE file, improving penetration-testing efficiency while also closing the data-security gap.
Claims (4)
- 1. A method for evading antivirus software uploading PE files during penetration testing, characterised in that it comprises the following steps: a) locate the NumberOfSections field in the PE file header and add 1 to its original value; b) determine the current PE file size M and the file size N after enlargement; c) locate the section table of the PE file and determine the last section header; d) append a new section header after the last section header, set the size of the section it describes to L, set the offset of the new section (section offsets are aligned to a base S), and set the section's attributes; e) append L bytes for that section at the end of the file; f) save the file; g) check the file size after the L bytes have been added and confirm that it matches the set file size N; if it does not, repeat steps a) to e); if it does, proceed to the next step; h) run the PE file and check whether the load time changes.
- 2. The method for evading antivirus software uploading PE files during penetration testing according to claim 1, characterised in that in step d) the attribute of the section is set to read-only.
- 3. The method for evading antivirus software uploading PE files during penetration testing according to claim 2, characterised in that in step e) some of the bytes appended at the end of the file are random numbers.
- 4. The method for evading antivirus software uploading PE files during penetration testing according to claim 2, characterised in that in step e) all of the bytes appended at the end of the file are random numbers.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710630165.0A CN107392023A (en) | 2017-07-28 | 2017-07-28 | It is a kind of based on evade in penetration testing antivirus software upload PE files method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710630165.0A CN107392023A (en) | 2017-07-28 | 2017-07-28 | It is a kind of based on evade in penetration testing antivirus software upload PE files method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107392023A true CN107392023A (en) | 2017-11-24 |
Family
ID=60342104
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710630165.0A Pending CN107392023A (en) | 2017-07-28 | 2017-07-28 | It is a kind of based on evade in penetration testing antivirus software upload PE files method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107392023A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103902896A (en) * | 2012-12-24 | 2014-07-02 | 珠海市君天电子科技有限公司 | Self-expansion virus interception method and system |
US20160156656A1 (en) * | 2012-11-17 | 2016-06-02 | Nathaniel Gordon Boggs | Methods, Systems and Media for Evaluating Layered Computer Security Products |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160156656A1 (en) * | 2012-11-17 | 2016-06-02 | Nathaniel Gordon Boggs | Methods, Systems and Media for Evaluating Layered Computer Security Products |
CN103902896A (en) * | 2012-12-24 | 2014-07-02 | 珠海市君天电子科技有限公司 | Self-expansion virus interception method and system |
Non-Patent Citations (3)
Title |
---|
CENTENARY: "《深入剖析PE文件(续1)—扩展知识》", 《学步园》 * |
有价值炮灰: "《和杀毒软件愉快玩耍的日子》", 《博客园》 * |
朝闻道: "《向PE文件中添加一个Section》", 《博客园》 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Rathnayaka et al. | An efficient approach for advanced malware analysis using memory forensic technique | |
US8955124B2 (en) | Apparatus, system and method for detecting malicious code | |
US9015814B1 (en) | System and methods for detecting harmful files of different formats | |
RU2634178C1 (en) | Method of detecting harmful composite files | |
RU2624552C2 (en) | Method of malicious files detecting, executed by means of the stack-based virtual machine | |
CN103279710B (en) | Method and system for detecting malicious codes of Internet information system | |
JP2009129451A (en) | Apparatus and method for detecting dynamic link library inserted by malicious code | |
US10073973B2 (en) | Process testing apparatus, computer-readable medium, and process testing method | |
US10579798B2 (en) | Electronic device and method for detecting malicious file | |
Li et al. | FEPDF: a robust feature extractor for malicious PDF detection | |
CN111967044B (en) | Tracking method and system of leaked privacy data suitable for cloud environment | |
CN106355092A (en) | Systems and methods for optimizing antivirus determinations | |
US10701087B2 (en) | Analysis apparatus, analysis method, and analysis program | |
Wang et al. | {MetaSymploit}:{Day-One} Defense against Script-based Attacks with {Security-Enhanced} Symbolic Analysis | |
CN113746781A (en) | Network security detection method, device, equipment and readable storage medium | |
CN114143024B (en) | Black box malicious software detection countermeasure sample generation method and system based on generation countermeasure network, electronic device and storage medium | |
US11921850B2 (en) | Iterative memory analysis for malware detection | |
US11836252B2 (en) | Machine learning through iterative memory analysis for malware detection | |
CN109663362A (en) | The plug-in detection method of game, storage medium | |
CN116668202A (en) | Method and system for detecting memory horses in container environment | |
CN107392023A (en) | It is a kind of based on evade in penetration testing antivirus software upload PE files method | |
CN108573148B (en) | Confusion encryption script identification method based on lexical analysis | |
CN110674501B (en) | Malicious drive detection method, device, equipment and medium | |
Rodríguez et al. | A tool to compute approximation matching between windows processes | |
Srivastava et al. | Detecting code injection by cross-validating stack and VAD information in windows physical memory |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20171124 |