CN107392023A - Method for evading antivirus-software upload of PE files during penetration testing - Google Patents

Method for evading antivirus-software upload of PE files during penetration testing

Info

Publication number
CN107392023A
Authority
CN
China
Prior art keywords
file
files
section
antivirus software
penetration testing
Priority date
2017-07-28
Filing date
2017-07-28
Publication date
2017-11-24
Legal status (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Pending
Application number
CN201710630165.0A
Other languages
Chinese (zh)
Inventors
孙勇
赵义博
Current assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Zhejiang Kyushu Quantum Information Technology Co., Ltd.
Original assignee
Zhejiang Kyushu Quantum Information Technology Co., Ltd.
Timeline
2017-07-28: Application filed by Zhejiang Kyushu Quantum Information Technology Co., Ltd.
2017-07-28: Priority to CN201710630165.0A
2017-11-24: Publication of CN107392023A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity
    • G06F21/57 (also under G06F21/50) Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A method for evading antivirus-software upload of PE files during penetration testing, comprising the following steps: a) determining the current size of the PE file and the size of the file after enlargement; b) determining the last section header; c) appending a new section header and setting the size of the corresponding section and the characteristics of that section; d) appending bytes for that section at the end of the file; e) saving the file; f) verifying the file size; g) running the PE file and checking whether the load time has changed. Compared with the prior art, the method exploits the cloud-scanning mechanism of current antivirus software: when scanning a large file, the software can usually only extract feature values and cannot upload the file for analysis and processing. By increasing the size of the PE file, the method evades the antivirus software's upload of the PE file, improving the efficiency of penetration testing while also closing the data-security gap.

Description

Method for evading antivirus-software upload of PE files during penetration testing
Technical field
The present invention relates to the technical field of network security, and in particular to a method for evading antivirus-software upload of PE files during penetration testing.
Background technology
Security-protection software currently uses a cloud-scanning mechanism. Cloud scanning means that when the security software detects a suspicious file, it first checks the file against the local virus-signature database and the local known-good file database (whitelist). If the check concludes that the file matches neither an existing virus signature nor a local known-good file, the features of the file are submitted to a cloud database for checking. If the cloud check identifies the file as a virus, the cloud verdict is returned. If the cloud check finds that this is an entirely new file, a suspicious file never seen before, the suspicious file is uploaded.
Penetration testing is a method of assessing the security of a computer network system by simulating the attack methods of malicious hackers. The process includes active analysis of any weaknesses, technical flaws or vulnerabilities of the system, carried out from the position a potential attacker might occupy, and, where conditions allow, active exploitation of the vulnerabilities from that position. To speed up security assessment, penetration testers usually develop testing tools that perform various detection, scanning and sniffing functions. Because these operations resemble steps of a real attack, they easily trigger the cloud-scanning mechanism of antivirus software; once it is triggered, the antivirus software uploads the testing tool and issues a security policy that prevents the tool from running. This both leaks the intellectual property embodied in the testing tool and delays the progress of the penetration test.
PE (Portable Executable) is the file format for executables, object files and dynamic-link libraries, used mainly in 32-bit and 64-bit Windows operating systems. "Portable" refers to the generality of the format, which can be used across many different operating systems and architectures. The PE format encapsulates the information the Windows loader needs to load executable program code, including dynamic-link library references, import and export tables, resource-management data and thread-local storage data.
In penetration testing, the testing tools that are developed are typically PE (Portable Executable) files. At present the efficiency of penetration testing is low, and the PE testing tools are easily uploaded, analysed or removed, which constitutes a serious data-security gap.
Summary of the invention
The object of the present invention is to provide a method for evading antivirus-software upload of PE files during penetration testing, so as to solve the technical problems of the prior art: penetration testing is inefficient, and PE testing tools are easily uploaded, analysed or removed, which is a serious gap in data security.
The technical solution of the invention is realised as follows:
A method for evading antivirus-software upload of PE files during penetration testing comprises the following steps:
a) Locate the NumberOfSections field in the PE file header and add 1 to its original value;
b) Determine the current PE file size M and the file size N after enlargement;
c) Locate the section table of the PE file and determine the last section header;
d) Append a new section header after the last section header, set the size of the corresponding section to L, set the offset of the new section, the section offset being aligned to S, and set the characteristics of the section;
e) Append L bytes to the end of the file for that section;
f) Save the file;
g) Check the file size after the L bytes have been added and confirm whether it matches the set file size N; if not, repeat steps a) to e); if it matches, continue to the next step;
h) Run the PE file and check whether the load time has changed.
Preferably, in step d), the characteristics of the section are set to read-only.
Preferably, in step e), some of the bytes appended at the end of the file are random.
Preferably, in step e), the bytes appended at the end of the file are random.
Compared with the prior art, the present invention has the following beneficial effects:
The method exploits the cloud-scanning mechanism of current antivirus software, which, when scanning a large file (over 100,000,000 bytes, roughly 100 MB), can usually only extract feature values and cannot upload the file for analysis and processing. By increasing the size of the PE file, the antivirus software's upload of the PE file is evaded, which improves the efficiency of penetration testing and at the same time closes the data-security gap.
Brief description of the drawings
Fig. 1 is a flow diagram of the method of the present invention for evading antivirus-software upload of PE files during penetration testing;
Fig. 2 is a structure diagram of a PE file in the prior art;
Fig. 3 is a structure diagram of the PE file after enlargement according to the present invention;
Fig. 4 shows the application properties in the embodiment of the present invention;
Fig. 5 shows the putty application configuration interface in the embodiment;
Fig. 6 shows the section table of the PE file in the embodiment;
Fig. 7 shows the section header information of the PE file in the embodiment;
Fig. 8 shows the section attribute settings of the PE file in the embodiment;
Fig. 9 shows the byte-insertion interface of the hex editor in the embodiment;
Fig. 10 shows the section header information of the PE file after modification in the embodiment;
Fig. 11 shows the properties of the modified PE file in the embodiment;
Fig. 12 shows the putty application configuration interface after modification in the embodiment.
Embodiment
The present invention is described clearly and completely below in conjunction with the drawings of the embodiment.
As shown in Fig. 1, a method for evading antivirus-software upload of PE files during penetration testing comprises the following steps:
a) Locate the NumberOfSections field in the PE file header and add 1 to its original value;
b) Determine the size M of the current PE file and the size N of the file after enlargement;
c) Locate the section table of the PE file and determine the last section header;
d) Append a new section header after the last section header, set the size of the corresponding section to L, and set the offset of the new section, the section offset being aligned to S, where S may be 1000h (the usual SectionAlignment value); set the characteristics of the section;
e) Append L bytes to the end of the file for that section;
f) Save the file;
g) Check the file size after the L bytes have been added and confirm whether it matches the set file size N; if not, repeat steps a) to e); if it matches, continue to the next step;
h) Run the PE file and check whether the load time has changed.
In step d), the characteristics of the section are set to read-only, ensuring that under normal circumstances the file is not tampered with, or copied and uploaded.
In step e), some of the bytes appended at the end of the file are random.
In step e), the bytes appended at the end of the file are random.
The random portion prevents an attacker from running signature analysis on the file and thereby recovering the original information and the added information.
A complete PE file consists of a DOS header, the PE file header, the section table, the sections and debug information. A PE file uses a single flat address space: all code and data are merged into one large structure, whose content is divided into sections, each of which is flagged as to whether it contains code, whether it is read-only or readable and writable, and so on. The DOS header starts with e_magic, whose value is fixed at 0x5a4d ("MZ"). The very first part of the file is the DOS header, which consists of two parts: the DOS MZ signature and the DOS stub program. It is important that a PE file is not loaded into memory as a single memory-mapped file: the Windows loader (also called the PE loader) walks the PE file and decides which parts to map, such that higher file offsets are mapped to higher memory addresses. Once the disk file has been loaded into memory, the layout of the data structures on disk is consistent with the layout of the data structures in memory. The PE structure is shown in Fig. 2.
Embodiment
As shown in Figs. 4 and 5, the flow for increasing the PE file size is as follows:
(1) Taking the putty application (PE format) as an example: the file properties show a size of 484 KB, and double-clicking the file runs it normally;
(2) Edit the PE file with LordPE: locate the section headers, find the last entry of the section table and add a section named Idata, as shown in Figs. 6 and 7; set the section size to 256M (0x10000000) and change NumberOfSections from 4 to 5;
(3) As shown in Fig. 8, set the section attributes to read-only and save;
(4) As shown in Figs. 9 and 10, open the putty file in a hex editor, append 512M bytes of random data at EOF, increase the SizeOfCode field of the PE header by 0x10000000, and save the file;
(5) As shown in Fig. 11, check the properties of the putty file: the file size has increased by 512M;
(6) As shown in Fig. 12, run putty: it functions normally and the load time shows no significant change.
The PE structure after enlargement is shown in Fig. 3.
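The following Python script is a worked example added to this page; it is not code from the patent, its figures or its applicant. It carries out the steps listed above on an in-memory PE image with nothing beyond the standard library: it parses the section table described in the PE-structure paragraph (step c), writes a new section header after the last one with its VirtualAddress aligned to the image's SectionAlignment (the S of step d, 0x1000 in the embodiment) and read-only characteristics (IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ), increments NumberOfSections (step a), appends L random bytes at the end of the file (step e) and checks the resulting size against M + L (step g). Two requirements of the Windows loader that the patent text does not mention are handled explicitly: the new header must fit below SizeOfHeaders, and SizeOfImage must be raised to cover the new section, otherwise the image is rejected at load time. The section name ".pad", the function names and the two-section PE32 skeleton returned by build_minimal_pe() are constructed for the demonstration; to process a real executable, pass its bytes to add_padding_section() in place of that skeleton. Unlike the embodiment, which declares a 256M section, appends 512M of bytes and also bumps SizeOfCode, the example keeps SizeOfRawData equal to the bytes actually appended and leaves SizeOfCode untouched, since the added section holds data rather than code.

```python
"""Append a read-only padding section to a PE image (added example, not patent code).
Implements steps a) to g) of the method with the standard library only, plus the
SizeOfHeaders and SizeOfImage bookkeeping the Windows loader requires. The name
".pad", the helper names and build_minimal_pe() are constructed for this demo.
"""
import os
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_READ = 0x40000000
SECTION_HDR_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR_FMT = "<8sIIIIIIHHI"


def _align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def _nt_offsets(data):
    """Return (file_header_off, optional_header_off, section_table_off)."""
    if bytes(data[:2]) != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if bytes(data[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    size_of_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    return file_hdr, opt_hdr, opt_hdr + size_of_opt


def list_sections(data):
    """Step c: parse the section table into (name, va, vsize, raw_ptr, raw_size, chars) tuples."""
    file_hdr, _, sect_table = _nt_offsets(data)
    count = struct.unpack_from("<H", data, file_hdr + 2)[0]
    sections = []
    for i in range(count):
        name, vsize, va, raw_size, raw_ptr, *_, chars = struct.unpack_from(
            SECTION_HDR_FMT, data, sect_table + i * SECTION_HDR_SIZE)
        sections.append((name.rstrip(b"\0"), va, vsize, raw_ptr, raw_size, chars))
    return sections


def size_of_image(data):
    """OptionalHeader.SizeOfImage; offset 56 for both PE32 and PE32+."""
    _, opt_hdr, _ = _nt_offsets(data)
    return struct.unpack_from("<I", data, opt_hdr + 56)[0]


def add_padding_section(data, pad_size, name=b".pad"):
    """Steps a, c, d, e: return a copy of the PE with a read-only pad_size-byte section appended."""
    data = bytearray(data)
    file_hdr, opt_hdr, sect_table = _nt_offsets(data)
    count = struct.unpack_from("<H", data, file_hdr + 2)[0]
    section_align, file_align = struct.unpack_from("<II", data, opt_hdr + 32)
    size_of_headers = struct.unpack_from("<I", data, opt_hdr + 60)[0]
    # The new header goes right after the last one and must stay inside the header area.
    new_hdr_off = sect_table + count * SECTION_HDR_SIZE
    if new_hdr_off + SECTION_HDR_SIZE > size_of_headers:
        raise ValueError("no room below SizeOfHeaders for another section header")
    if any(data[new_hdr_off:new_hdr_off + SECTION_HDR_SIZE]):
        raise ValueError("bytes after the section table are not free")
    # Step d: VirtualAddress aligned to SectionAlignment (S, typically 0x1000), raw data at the
    # FileAlignment-rounded end of file, characteristics = read-only initialised data.
    _, last_va, last_vsize, _, last_raw_size, _ = list_sections(data)[-1]
    new_va = _align_up(last_va + max(last_vsize, last_raw_size), section_align)
    new_raw_ptr = _align_up(len(data), file_align)
    new_raw_size = _align_up(pad_size, file_align)
    chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    struct.pack_into(SECTION_HDR_FMT, data, new_hdr_off, name.ljust(8, b"\0"),
                     pad_size, new_va, new_raw_size, new_raw_ptr, 0, 0, 0, 0, chars)
    # Step a: NumberOfSections + 1. SizeOfImage must cover the new section or the loader rejects it.
    struct.pack_into("<H", data, file_hdr + 2, count + 1)
    struct.pack_into("<I", data, opt_hdr + 56, _align_up(new_va + new_raw_size, section_align))
    # Step e: append L bytes, random so that a scanner cannot fingerprint a constant tail.
    data += b"\0" * (new_raw_ptr - len(data))
    data += os.urandom(pad_size).ljust(new_raw_size, b"\0")
    return bytes(data)


def verify_size(data, expected_size):
    """Step g: the on-disk size must equal the planned size N (here M + L)."""
    return len(data) == expected_size


def build_minimal_pe():
    """Constructed PE32 skeleton: 0x200 bytes of headers plus .text and .data of 0x200 bytes each."""
    dos = bytearray(b"MZ").ljust(0x40, b"\0")
    struct.pack_into("<I", dos, 0x3C, 0x40)                                # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)    # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                        # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                        # SizeOfImage, SizeOfHeaders
    table = b"".join(struct.pack(SECTION_HDR_FMT, n.ljust(8, b"\0"), 0x100, 0x1000 * (i + 1),
                                 0x200, 0x200 * (i + 1), 0, 0, 0, 0, 0x60000020)
                     for i, n in enumerate((b".text", b".data")))
    headers = (dos + b"PE\0\0" + file_hdr + opt + table).ljust(0x200, b"\0")
    return bytes(headers) + b"\xC3" * 0x200 + b"\x00" * 0x200


if __name__ == "__main__":
    original = build_minimal_pe()
    padded = add_padding_section(original, 0x1000)
    print(len(original), "->", len(padded), list_sections(padded)[-1])
```

For the defender, list_sections() run on the output shows the shape this technique leaves behind: a trailing read-only section that no code references, whose raw size dwarfs the rest of the image and whose contents are high-entropy. A cloud-scanning design that extracts features from, or uploads, only the headers and the executable sections instead of gating on total file size is not affected by the inflation.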
Taking the above together, the principle of the invention is as follows. The method for evading antivirus-software upload of PE files during penetration testing exploits the cloud-scanning mechanism of current antivirus software, which, when scanning a large file (over 100,000,000 bytes, roughly 100 MB), can usually only extract feature values and cannot upload the file for analysis and processing. By increasing the size of the PE file, the antivirus software's upload of the PE file is evaded, which improves the efficiency of penetration testing and at the same time closes the data-security gap.

Claims (4)

  1. A method for evading antivirus-software upload of PE files during penetration testing, characterised in that it comprises the following steps:
    a) locating the NumberOfSections field in the PE file header and adding 1 to its original value;
    b) determining the current PE file size M and the file size N after enlargement;
    c) locating the section table of the PE file and determining the last section header;
    d) appending a new section header after the last section header, setting the size of the corresponding section to L, setting the offset of the new section, the section offset being aligned to S, and setting the characteristics of the section;
    e) appending L bytes to the end of the file for that section;
    f) saving the file;
    g) checking the file size after the L bytes have been added and confirming whether it matches the set file size N; if not, repeating steps a) to e); if it matches, proceeding to the next step;
    h) running the PE file and checking whether the load time has changed.
  2. The method for evading antivirus-software upload of PE files during penetration testing as claimed in claim 1, characterised in that in step d) the characteristics of the section are set to read-only.
  3. The method for evading antivirus-software upload of PE files during penetration testing as claimed in claim 2, characterised in that in step e) some of the bytes appended at the end of the file are random.
  4. The method for evading antivirus-software upload of PE files during penetration testing as claimed in claim 2, characterised in that in step e) the bytes appended at the end of the file are random.
CN201710630165.0A, priority date 2017-07-28, filing date 2017-07-28: Method for evading antivirus-software upload of PE files during penetration testing. Pending. CN107392023A (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201710630165.0A (CN107392023A, en) | 2017-07-28 | 2017-07-28 | Method for evading antivirus-software upload of PE files during penetration testing

Publications (1)

Publication Number | Publication Date
CN107392023A (en) | 2017-11-24

Family

ID=60342104

Country Status (1)

Country | Link
CN (1) | CN107392023A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103902896A (en) * | 2012-12-24 | 2014-07-02 | 珠海市君天电子科技有限公司 | Self-expansion virus interception method and system
US20160156656A1 (en) * | 2012-11-17 | 2016-06-02 | Nathaniel Gordon Boggs | Methods, Systems and Media for Evaluating Layered Computer Security Products

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
CENTENARY: "In-depth analysis of PE files (part 1 continued): extended knowledge" (深入剖析PE文件(续1)—扩展知识), 学步园 *
有价值炮灰: "Days of playing happily with antivirus software" (和杀毒软件愉快玩耍的日子), 博客园 *
朝闻道: "Adding a Section to a PE file" (向PE文件中添加一个Section), 博客园 *


Legal Events

Date | Code | Title | Description
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
2017-11-24 | RJ01 | Rejection of invention patent application after publication | Application publication date: 2017-11-24