File Hiding Analysis and Practice Based on Signature Localization
Cite this article: HUANG Hui-hong. File Hiding Analysis and Practice Based on Signature Localization [J]. Digital Community & Smart Home, 2006(29).
Author: HUANG Hui-hong
Affiliation: Shanghai No. 2 Light Industry School, Shanghai 200135
Abstract: One of the principles by which anti-virus and interception software detects hidden files is the signature (特征码): fragments of a program are compared against pre-sampled data fragments to decide whether a file contains malicious code. If the location of the signature in one's own software can be found and suitably altered, the concealment of the code can be improved to some degree. The usual method of finding a signature is byte-by-byte replacement, that is, replacing the code byte by byte (or segment by segment) with 0000 (or some other value); if the anti-virus or interception software no longer alerts after a replacement, the signature has been replaced, which means the signature lies at the replaced position. To improve the efficiency of locating it in a file, we analysed and studied signature localization technology: it applies the principle above, replaces code in the program with 0000, and finally locates the position of the signature according to which of the generated files are deleted and which are not.

Keywords: signature  localization  hiding  analysis  practice

Based on Characteristic Code Localization Document Hideaway Analysis and Practice
HUANG Hui-hong. Based on Characteristic Code Localization Document Hideaway Analysis and Practice [J]. Digital Community & Smart Home, 2006(29).
Authors: HUANG Hui-hong
Abstract: One of the principles by which anti-virus and interception software detects hidden files is the signature, namely comparing fragments of a program with pre-sampled data fragments to judge whether a file contains malicious code. If one can identify where the signature lies in one's own software and alter it appropriately, the concealment of the code can be improved to some extent. The common method of finding a signature is byte-by-byte replacement, that is, replacing the code byte by byte (or segment by segment) with 0000 (or another value); if the anti-virus or interception software no longer alerts after such a replacement, the signature has been replaced, so the signature is at the replaced location. To improve the efficiency of locating it in a file, we analysed and studied signature localization technology, which makes use of this principle: it replaces the code in the program with 0000 and finally locates the position of the signature according to which of the generated files were deleted and which were not.
Keywords: hidden  signature  localization  analysis  practice
This paper is indexed in CNKI and other databases.