
CN113032783B - Virus detection method and system based on non-code characteristics - Google Patents


Info

Publication number: CN113032783B
Application number: CN202110267174.4A
Authority: CN (China)
Prior art keywords: file, files, executable, icon, virus
Legal status: Active (as listed by Google Patents)
Other languages: Chinese (zh)
Other versions: CN113032783A
Inventors: 董阳, 史博, 陈树华
Current assignee: Beijing Dingxiang Technology Co ltd
Original assignee: Beijing Dingxiang Technology Co ltd
Events:
    Application filed by Beijing Dingxiang Technology Co ltd
    Priority to CN202110267174.4A
    Publication of CN113032783A
    Application granted
    Publication of CN113032783B
    Legal status: Active (current)
    Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements; eliminating virus, restoring damaged files
    • G06F21/562 Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a virus detection method and system based on non-code features. The method comprises the following steps: S1, traverse all files in the operating system and extract the non-code data of each executable file; S2, for each distinct icon hash, count how many executable files share it; S3, if the number of files sharing a given icon hash exceeds a threshold proportion of all traversed executable files, and those files contain two or more PE headers, treat the executable files carrying that icon as virus-infected; S4, traverse all executable files judged to be infected, extract the other PE file embedded in each, rename it to the original file name, and delete the virus file. The method does not need to unpack the virus: it takes its signature directly from the data features of the executable file, which avoids the false negatives and false positives caused by code obfuscation or packer protection and speeds up detection and removal.

Description

Virus detection method and system based on non-code characteristics
Technical Field
The invention relates to the fields of computing, communications and information security, and in particular to a virus detection method based on non-code features.
Background
The virus detection method used by most antivirus software today takes its signatures from the virus's code blocks. To resist detection and removal, a large number of virus programs use protection techniques such as code obfuscation and packing, which encrypt or obfuscate the virus code so that the antivirus software cannot recognise it. Traditional antivirus technology therefore has to obtain a virus sample, unpack it, and extract one or more instruction sequences from the unpacked binary as the signature of that sample; a virus analyst adds the extracted signature to the signature database, and users of the endpoint antivirus product can detect and remove the virus only after updating that database.
Current traditional virus detection technology has the following shortcomings:
1) A virus that cannot be unpacked cannot be matched against the predefined signatures, so it cannot be removed;
2) For viruses with a large number of variants, the code signatures keep changing, and there is a lag before each new sample is captured, so even within one virus family only a small number of variants can be detected; the many samples that cannot be unpacked or have not been captured are not detected at all. The ability to identify polymorphic, metamorphic and encrypted viruses is low, and unknown viruses cannot be identified.
Disclosure of Invention
To address these problems in the prior art, the invention sets out to solve the technical problem that the code of an unpacked virus sample is difficult to obtain, i.e. that packed virus variants cannot be identified. It provides a method that extracts signatures directly from the data features of an executable file without unpacking the virus, which avoids the false negatives and false positives caused by code obfuscation or packer protection and at the same time speeds up detection and removal.
The invention provides a virus detection method based on non-code features, which comprises the following steps:
S1, traverse all files in the operating system and extract the non-code data of each executable file;
S2, for each distinct icon hash, count how many executable files share it;
S3, if the number of files sharing a given icon hash exceeds a threshold proportion of all traversed executable files, and those files contain two or more PE headers, treat the executable files carrying that icon as virus-infected;
S4, traverse all executable files judged to be infected, extract the other PE file embedded in each, rename it to the original file name, and delete the virus file.
Further, step S1 comprises:
S1a, traverse all files in the operating system;
S1b, if the current file is an executable, attempt to extract its icon; if the executable has no icon resource, skip the remaining steps and move on to the next file;
S1c, if the current file is an executable and contains an icon resource, extract the data of the executable file.
Further, the executable file data comprises four kinds of data:
A. the hash of the icon;
B. the full path file name;
C. the hash of the full file content;
D. whether two or more PE headers are present.
Further, step S2 comprises:
S2a, after all files have been traversed, N file information records in a specified format are obtained; traverse these records and count, for each icon hash, how many files share it;
S2b, after counting, sort the icon hashes by the number of files sharing them, from largest to smallest.
Further, in step S3 the threshold proportion of files sharing a given icon hash, relative to the total number of traversed executable files, is set to 30%.
On the other hand, the invention also provides a virus detection system based on non-code features, which comprises four modules: a detection module, a statistics module, a judgment module and a removal module, wherein:
the detection module traverses all files in the operating system and extracts the non-code data of each executable file;
the statistics module counts, for each distinct icon hash, how many executable files share it;
the judgment module judges that, if the number of files sharing a given icon hash exceeds a threshold proportion of all traversed executable files and those files contain two or more PE headers, the executable files carrying that icon are virus-infected;
the removal module traverses all executable files judged to be infected, extracts the other PE file embedded in each, renames it to the original file name, and deletes the virus file.
Further, the detection module traverses all files in the operating system;
if the current file is an executable, it attempts to extract the file's icon, and if the executable has no icon resource it skips the remaining steps and moves on to the next file;
if the current file is an executable and contains an icon resource, it extracts the data of the executable file.
Further, the executable file data comprises four kinds of data:
A. the hash of the icon;
B. the full path file name;
C. the hash of the full file content;
D. whether two or more PE headers are present.
Further, after all files have been traversed, N file information records in a specified format are obtained; the records are traversed and, for each icon hash, the number of files sharing it is counted; after counting, the icon hashes are sorted by that number from largest to smallest.
Further, the threshold proportion of files sharing a given icon hash, relative to the total number of traversed executable files, is set to 30%.
The present invention differs from conventional protection techniques in that conventional antivirus technology extracts one or more sets of code fragments from the virus code as the unique signature of the virus, whereas this technique takes its signature not from the virus's code but from the virus's non-code data.
The scheme provides a detection method based on the virus's non-code features, which has the following advantages: a virus sample can be detected without unpacking it; the method is general, so that even if the virus switches to another obfuscation technique or protective packer it can still be detected and removed; the virus sample can be detected and removed without updating the signature database; and unknown viruses can be detected and removed.
Drawings
FIG. 1 shows a flow diagram of a non-code feature based virus detection method according to the present invention;
FIG. 2 shows a schematic diagram of a framework of a non-code feature based virus detection system according to the present invention;
FIG. 3 shows a schematic diagram of the file information format used by the virus detection method and system based on non-code features according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made more apparent and fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments of the invention are shown. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the present invention, it should be noted that the directions or positional relationships indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The following describes specific embodiments of the present invention in detail with reference to the drawings. It should be understood that the detailed description and specific examples, while indicating and illustrating the invention, are not intended to limit the invention.
The method and system for detecting viruses based on non-code features are explained using the Panda Burning Incense virus as an example. Panda Burning Incense is a file-infecting virus: after a host is infected, the icons of all executable files on it are changed to the "panda burning incense" image. The virus has hundreds of variants, each sample uses a different packing technique, and a considerable proportion of the samples use a packer that is not publicly known. Such an unknown packer is hard for traditional antivirus software to unpack, so the code of the unpacked sample cannot be obtained, i.e. the packed variants cannot be identified; and if the antivirus software took the code of the packer itself as the virus signature, legitimate software that uses the same packer might be falsely removed. Because packers and code obfuscators do not act on the data part of an executable file, the invention extracts the data features of the executable instead of its code, which avoids the false negatives and false positives caused by code obfuscation or packer protection and, since the virus does not need to be unpacked, speeds up detection and removal. Taking Panda Burning Incense as the example: although the code of the virus and its variants changes in many ways, the icon is data in the PE executable and does not change, so the icon data can be used as the signature and the virus can be detected and removed generically; even if the virus keeps changing its code section with a packer, or modifies the code fragments that antivirus software has marked as signatures, it can still be detected and removed with this method.
A file-infecting virus is a class of computer virus that spreads mainly by infecting executable files (.exe) on the computer. It modifies the original file so that it becomes a new file that carries the virus; as soon as the computer runs that file it is infected, and the virus thereby propagates.
Signature scanning is a method of scanning and judging unknown samples using virus signatures extracted in advance. A signature is a binary (or other) feature extracted from a virus sample after the virus has been identified by manual or automated analysis; it is unique to that virus and distinguishes it from other viruses and from normal files. When scanning, the antivirus software matches the unknown file against the signatures in its database in turn: if some signature matches, the file is identified as the virus that signature represents; if none matches, the file is considered clean.
A packer (or "shell") is code implanted into a binary program that gains control first when the program runs and then hands control back to the original code, hiding the program's real original entry point (OEP) and hindering reverse engineering. For a virus, packing may bypass the scanning of some antivirus software, so that the virus can carry out its intrusion or destructive payload.
As shown in FIG. 1, the virus detection method based on non-code features according to the present invention comprises the following steps:
S1, traverse all files in the operating system and extract the non-code data of each executable file;
S2, for each distinct icon hash, count how many executable files share it;
S3, if the number of files sharing a given icon hash exceeds a threshold proportion of all traversed executable files, and those files contain two or more PE headers, treat the executable files carrying that icon as virus-infected;
S4, traverse all executable files judged to be infected, extract the other PE file embedded in each, rename it to the original file name, and delete the virus file, thereby removing the virus.
PE file: PE stands for Portable Executable. The common EXE, DLL, OCX, SYS and COM files are PE files, i.e. program files on the Microsoft Windows operating system (possibly executed indirectly, as a DLL is). Note that a legacy DOS .com file is a raw binary rather than a PE file; the .com files shipped with modern Windows are PE executables.
Specifically, the details of each step are as follows:
Step S1 comprises:
S1a, traverse all files in the operating system;
S1b, if the current file is an executable, attempt to extract its icon; if the executable has no icon resource, skip the remaining steps and move on to the next file.
S1c, if the current file is an executable and contains an icon resource, extract four kinds of data from it:
A. the hash of the icon (e.g. MD5 or SHA-1);
B. the full path file name;
C. the hash of the full file content (e.g. MD5 or SHA-1);
D. whether multiple PE headers are present.
PE header: the header data structures of the PE format, comprising IMAGE_DOS_HEADER and IMAGE_NT_HEADERS.
Whether an executable file contains multiple PE headers is determined by the following steps:
i) open the PE file;
ii) first find every position in the file where the byte sequence 0x4D 0x5A ("MZ", the e_magic of IMAGE_DOS_HEADER) occurs;
iii) parse each such position as an IMAGE_DOS_HEADER of the PE format and read its e_lfanew field, which gives the offset of the IMAGE_NT_HEADERS structure in the file;
iv) if the e_lfanew value does not exceed the size of the executable file it is considered valid; it is then used as the file offset and parsed as an IMAGE_NT_HEADERS structure, and if the 4-byte Signature field at the start of that structure holds "PE\0\0" (IMAGE_NT_SIGNATURE, 0x00004550), the candidate is considered a valid PE header;
v) count how many positions in the executable file satisfy these conditions; if two or more do, i.e. two or more PE structures are present, set the file's multiple-PE-headers flag to 1, otherwise to 0.
The statistics produce file information records in the format shown in FIG. 3:
[icon hash] [full path file name] [file content hash] [multiple PE headers flag]
In addition, step S2 comprises:
S2a, after all files have been traversed, N file information records in the specified format are obtained; traverse these records and count, for each icon hash, how many files share it.
S2b, after counting, sort the icon hashes by the number of files sharing them, from largest to smallest.
In step S3, if the number of files sharing a given icon hash exceeds a threshold proportion of all traversed executable files, and those files contain two or more PE headers, the executable files carrying that icon are judged to be virus-infected.
Preferably, the threshold is set to 30%.
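The counting in step S2 and the judgment in step S3, as an added Python example; it is not code from the patent or its assignee. The records are constructed for the example (placeholder hashes, invented paths), the icon hash is taken as already computed (in practice the hash of the icon resource bytes), the denominator is taken to be the number of records, i.e. executables that have an icon resource, and S3 is read per file: an executable is flagged only when its icon hash is prevalent and it itself carries the multiple-PE-headers flag. That reading is this editor's assumption, as is the strict "exceeds" comparison.

```python
from collections import Counter

THRESHOLD = 0.30  # the 30% proportion the text prefers

# One record per executable that has an icon resource, in the layout of
# FIG. 3: (icon hash, full path, file content hash, multiple-PE-headers flag).
# All values are constructed for this example; the hashes are placeholders
# standing in for MD5/SHA-1 digests and the paths are invented.
RECORDS = [
    ("icon_panda",  r"C:\Tools\a.exe",               "f01", 1),
    ("icon_panda",  r"C:\Tools\b.exe",               "f02", 1),
    ("icon_panda",  r"C:\Games\c.exe",               "f03", 1),
    ("icon_panda",  r"C:\Users\me\Desktop\d.exe",    "f04", 1),
    ("icon_panda",  r"C:\Program Files\Foo\e.exe",   "f05", 1),
    ("icon_panda",  r"C:\Program Files\Foo\f.exe",   "f06", 1),
    ("icon_panda",  r"C:\Windows\Temp\j.exe",        "f07", 0),  # has the icon, one PE header: not flagged
    ("icon_vendor", r"C:\Program Files\Suite\g.exe", "f08", 0),
    ("icon_vendor", r"C:\Program Files\Suite\h.exe", "f09", 0),
    ("icon_plain",  r"C:\Windows\i.exe",             "f10", 0),
]


def icon_hash_counts(records):
    """Step S2: number of files per icon hash, largest count first."""
    counts = Counter(rec[0] for rec in records)
    # Secondary key on the hash keeps the order deterministic for ties.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def prevalent_icons(records, threshold=THRESHOLD):
    """Icon hashes shared by more than `threshold` of the records.

    Assumption: the denominator is the number of records, i.e. executables
    with an icon resource (files without one were skipped in step S1b).
    """
    total = len(records)
    return {h for h, n in icon_hash_counts(records) if n / total > threshold}


def infected_files(records, threshold=THRESHOLD):
    """Step S3, read per file: an executable is flagged when its icon hash
    is prevalent *and* it itself carries the multiple-PE-headers flag."""
    hot = prevalent_icons(records, threshold)
    return [path for icon, path, _file_hash, multi in records
            if icon in hot and multi == 1]


if __name__ == "__main__":
    for icon, n in icon_hash_counts(RECORDS):
        print(f"{icon}: {n} files ({n / len(RECORDS):.0%})")
    for path in infected_files(RECORDS):
        print("infected:", path)
```

On the constructed records, icon_panda is shared by 7 of 10 executables (70%) and the six of them with the flag set are reported; the seventh carries the icon but only one PE header and is left alone, and icon_vendor at 20% never becomes a candidate. A 30% icon share is also what one vendor's suite or a compiler's default icon can produce on a real machine, which is why the second condition carries the weight; conversely, an infector that preserves each host's own icon forms no cluster and is not seen by this method at all.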
In step S4, finally, all executable files judged to be infected are traversed, the other PE file embedded in each is extracted and renamed to the original file name, and the virus is removed by deleting the virus file.
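The header-counting procedure in steps i to v above and the extraction in step S4, as an added Python example; it is not code from the patent or its assignee, and the file it scans is constructed in-line from the few fields the procedure reads rather than being a real executable. Two points the text leaves implicit that a practitioner would check: 0x4D5A and 0x4550 name byte sequences ("MZ" and "PE\0\0"), not the little-endian field values; and e_lfanew is relative to its own DOS header, which coincides with the file offset only for the first header. Using it as an absolute offset would still pass the Signature test for a second embedded PE (it lands on the first header's "PE\0\0") but would put the carved file at the wrong place. The bounds check also has to leave room for the 4-byte Signature.

```python
from __future__ import annotations

import struct

# Constants from the PE format. The text writes the DOS magic as 0x4D5A and
# the NT signature as 0x4550; both are byte sequences ("MZ", "PE\0\0"), not
# little-endian integers (IMAGE_DOS_SIGNATURE is 0x5A4D, IMAGE_NT_SIGNATURE
# is 0x00004550).
DOS_MAGIC = b"MZ"
E_LFANEW_OFFSET = 0x3C          # offset of e_lfanew inside IMAGE_DOS_HEADER
NT_SIGNATURE = b"PE\0\0"


def find_pe_headers(data: bytes) -> list[int]:
    """Steps i-iv: offsets of every "MZ" that leads to a valid NT signature.

    Every occurrence of "MZ" is treated as a candidate IMAGE_DOS_HEADER. Its
    e_lfanew is read, bounds-checked and followed; the candidate counts only
    if "PE\\0\\0" is found there.
    """
    offsets = []
    pos = data.find(DOS_MAGIC)
    while pos != -1:
        # The DOS header must fit in the file before e_lfanew can be read.
        if pos + E_LFANEW_OFFSET + 4 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + E_LFANEW_OFFSET)
            # e_lfanew is relative to its own DOS header; for the file's first
            # header that equals the absolute file offset the text describes.
            nt = pos + e_lfanew
            # "Does not exceed the file size" must leave room for the 4-byte
            # Signature, otherwise the slice below is short and never matches.
            if nt + 4 <= len(data) and data[nt:nt + 4] == NT_SIGNATURE:
                offsets.append(pos)
        pos = data.find(DOS_MAGIC, pos + 1)
    return offsets


def has_multiple_pe_headers(data: bytes) -> int:
    """Step v: 1 if two or more valid PE headers are present, else 0."""
    return 1 if len(find_pe_headers(data)) >= 2 else 0


def carve_embedded_pe(data: bytes) -> bytes | None:
    """Step S4: the 'other PE file' inside an infected executable.

    Assumption: the infector's stub comes first and the original program
    runs from the second PE header to end of file (the layout the Panda
    Burning Incense example implies). The text does not say where the
    original ends; an infector that appends trailer data would need it cut.
    """
    headers = find_pe_headers(data)
    if len(headers) < 2:
        return None
    return data[headers[1]:]


def build_minimal_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file, used only to feed the functions
    above: a DOS header whose e_lfanew points at "PE\\0\\0", then payload.
    Only the fields the detection reads are populated; it is not loadable."""
    e_lfanew = 0x40
    hdr = bytearray(e_lfanew)
    hdr[0:2] = DOS_MAGIC
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, e_lfanew)
    return bytes(hdr) + NT_SIGNATURE + payload


# Constructed sample: virus stub, then a stray "MZ" in the stub's data whose
# e_lfanew is out of range (must be ignored), then the original program.
VIRUS_STUB = build_minimal_pe(b"virus stub code and data")
STRAY_MZ = DOS_MAGIC + b"\0" * (E_LFANEW_OFFSET - 2) + b"\xff\xff\xff\xff"
ORIGINAL_PROGRAM = build_minimal_pe(b"original program image")
INFECTED_FILE = VIRUS_STUB + STRAY_MZ + ORIGINAL_PROGRAM

if __name__ == "__main__":
    print("PE headers at", find_pe_headers(INFECTED_FILE))
    print("multiple PE headers flag:", has_multiple_pe_headers(INFECTED_FILE))
    print("carved original:", carve_embedded_pe(INFECTED_FILE) == ORIGINAL_PROGRAM)
```

Run as a script it reports two valid headers (the stray "MZ" is rejected by the bounds check), sets the flag to 1, and carves the original program back out. Where the original ends is an assumption (end of file) the text does not settle, so a deployment would write the carved file out and verify it parses before touching the infected copy, and would quarantine rather than delete so the sample is kept for analysis. Legitimate installers, self-extractors and programs with embedded DLL resources also contain several PE headers, which is why the patent gates this flag on the icon-prevalence condition instead of using it alone.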
In addition, the invention also provides a virus detection system based on non-code features. As shown in FIG. 2, the system comprises four modules, namely a detection module, a statistics module, a judgment module and a removal module, with the following functions:
the detection module traverses all files in the operating system and extracts the non-code data of each executable file;
the statistics module counts, for each distinct icon hash, how many executable files share it;
the judgment module judges that, if the number of files sharing a given icon hash exceeds a threshold proportion of all traversed executable files and those files contain two or more PE headers, the executable files carrying that icon are virus-infected; preferably, the threshold is set to 30%.
The removal module traverses all executable files judged to be infected, extracts the other PE file embedded in each, renames it to the original file name, and deletes the virus file to remove the virus.
The virus detection method and system based on non-code features differ from conventional protection techniques in that conventional antivirus technology extracts one or more sets of code fragments from the virus code as the unique signature of the virus, whereas this technique takes its signature not from the virus's code but from the virus's non-code data.
The detection method and system based on the virus's non-code features have the following advantages:
1. A virus sample can be detected without unpacking it.
2. The method is general: even if the virus switches to another obfuscation technique or protective packer, it can still be detected and removed.
3. The virus sample can be detected and removed without updating the signature database.
4. Unknown viruses can be detected and removed.
An embodiment of the invention also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program carries out the steps of the embodiments of the virus detection method based on non-code features and achieves the same technical effect. The computer-readable storage medium may be a read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media) such as modulated data signals and carrier waves.

Claims (10)

1. A virus detection method based on non-code features, characterised in that it comprises the following steps:
S1, traverse all files in the operating system and extract the non-code data of each executable file;
S2, for each distinct icon hash, count how many executable files share it;
S3, if the number of files sharing a given icon hash exceeds a threshold proportion of all traversed executable files, and those files contain two or more PE headers, treat the executable files carrying that icon as virus-infected;
S4, traverse all executable files judged to be infected, extract the other PE file embedded in each, rename it to the original file name, and delete the virus file;
PE header: the header data structures of the PE format, comprising IMAGE_DOS_HEADER and IMAGE_NT_HEADERS;
wherein whether an executable file has two or more PE headers is determined by the following steps:
i) open the PE file;
ii) first find every position in the file where the byte sequence 0x4D 0x5A ("MZ") occurs;
iii) parse each such position as an IMAGE_DOS_HEADER of the PE format and read its e_lfanew field, which is the offset of the IMAGE_NT_HEADERS structure in the file;
iv) if the e_lfanew value does not exceed the size of the executable file it is considered valid; it is then used as the file offset and parsed as an IMAGE_NT_HEADERS structure, and if the Signature field, i.e. the first 4 bytes of that structure, holds "PE\0\0" (0x00004550), it is considered a valid PE header;
v) count how many positions in the executable file satisfy these conditions; if two or more do, i.e. two or more PE structures are present, set the file's multiple-PE-headers flag to 1, otherwise to 0.
2. The virus detection method based on non-code features according to claim 1, wherein
step S1 comprises:
S1a, traverse all files in the operating system;
S1b, if the current file is an executable, attempt to extract its icon; if the executable has no icon resource, skip the remaining steps and move on to the next file;
S1c, if the current file is an executable and contains an icon resource, extract the data of the executable file.
3. The virus detection method based on non-code features according to claim 2, wherein
the data of the executable file comprises the following four kinds:
A. the hash of the icon;
B. the full path file name;
C. the hash of the full file content;
D. whether two or more PE headers are present.
4. The virus detection method based on non-code features according to claim 3, wherein
step S2 comprises:
S2a, after all files have been traversed, N file information records in a specified format are obtained; traverse these records and count, for each icon hash, how many files share it;
S2b, after counting, sort the icon hashes by the number of files sharing them, from largest to smallest.
5. The virus detection method based on non-code features according to claim 1, wherein
in step S3 the threshold proportion of files sharing a given icon hash, relative to the total number of traversed executable files, is set to 30%.
6. The virus detection system based on the non-code features is characterized by comprising four modules, a detection module, a statistics module, a judgment module and a removal module, wherein:
the detection module is used for traversing all files in the operating system and extracting non-code data of the executable file;
the statistics module is used for counting, for the icon HASH of each executable file, how many files share that same icon HASH;
the judgment module judges that, if the proportion of files sharing a certain icon HASH among all traversed executable files exceeds a threshold value and the file contains more than 2 PE headers, the executable files using that icon are considered to be infected by a virus;
the clearing module traverses all executable files considered to be viruses, extracts the other PE files embedded in each of them, renames the extracted PE files to the original file names, and deletes the virus files;
PE header: the HEADER data structure of the PE format, comprising the two data structures _IMAGE_DOS_HEADER and _IMAGE_NT_HEADER;
wherein, to judge whether an executable file has more than 2 PE headers, the following steps are carried out:
i) opening the PE file;
ii) first detecting at how many places in the file the content is 0x4D5A;
iii) parsing the position of each detected 0x4D5A value according to the _IMAGE_DOS_HEADER structure of the PE format, and obtaining the value of the e_lfanew field after parsing, which is the offset of the _IMAGE_NT_HEADER structure in the file;
iv) if the value of the e_lfanew field does not exceed the executable file size, it is considered legal; the e_lfanew value is then taken as a file offset and parsed according to the _IMAGE_NT_HEADER structure, and the file is considered a legal PE file if its Signature field, i.e. the first 4 bytes of the structure, has the value 0x4550;
and detecting, according to the above steps, how many parts of the executable file meet these conditions; if more than 2 parts meet them, i.e. more than 2 PE structures exist, the file's multiple-PE-header flag is marked as 1, otherwise it is marked as 0.
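As an added worked example (not the patent's own code, nor an implementation by the applicant), the following Python models the scan described in claims 3 to 6 on a constructed in-memory corpus: the PE-header count of steps i) to iv), the four-field record of claim 3, the per-icon count and 30% threshold of claims 4 to 6, and the extraction of the embedded program that the clearing module performs. Assumed, because the claims do not specify them: SHA-256 as the HASH, icon bytes supplied directly instead of being read from the resource directory, e_lfanew resolved relative to the MZ header it belongs to (for the header at offset 0 this equals the claim's "file offset"; for an embedded PE it is what makes the embedded header parse), "two or more" PE headers as the multiple-header condition, and the original program being the last PE in an infected file.

```python
"""Constructed example of the non-code-feature scan in claims 3 to 6.

The "executables" are minimal byte strings carrying only the fields the
PE-header check reads (e_magic, e_lfanew, NT Signature). Hash algorithm,
icon handling and file layout are assumptions, not prescribed by the claims.
"""
from __future__ import annotations

import hashlib
import struct
from collections import Counter

MZ = b"MZ"                   # 0x4D5A: e_magic of _IMAGE_DOS_HEADER
PE_SIG = b"PE\x00\x00"       # 0x00004550: Signature field of the NT header
E_LFANEW_OFFSET = 0x3C       # e_lfanew lives at this offset in the DOS header
ICON_SHARE_THRESHOLD = 0.30  # claims 5 and 10: proportion threshold of 30%


def find_pe_header_offsets(data: bytes) -> list[int]:
    """Steps i) to iv): offsets of every MZ header whose e_lfanew points at a
    valid PE signature inside the buffer. Assumption: e_lfanew is resolved
    relative to the MZ header it belongs to."""
    found = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + E_LFANEW_OFFSET + 4 <= len(data):  # whole e_lfanew field present
            e_lfanew = struct.unpack_from("<I", data, pos + E_LFANEW_OFFSET)[0]
            nt = pos + e_lfanew
            if e_lfanew < len(data) and nt + 4 <= len(data) and data[nt:nt + 4] == PE_SIG:
                found.append(pos)
        pos = data.find(MZ, pos + 1)
    return found


def has_multiple_pe_headers(data: bytes) -> int:
    """Item D of claim 3 as a 0/1 flag. Assumption: two headers (stub plus the
    original program) already count as the multiple-header case."""
    return 1 if len(find_pe_header_offsets(data)) >= 2 else 0


def build_record(path: str, data: bytes, icon: bytes) -> dict:
    """The four-field record of claim 3 (SHA-256 is an assumption)."""
    return {
        "icon_hash": hashlib.sha256(icon).hexdigest(),
        "path": path,
        "file_hash": hashlib.sha256(data).hexdigest(),
        "multi_pe": has_multiple_pe_headers(data),
    }


def judge(records: list[dict], threshold: float = ICON_SHARE_THRESHOLD):
    """Claims 4 to 6: count files per icon HASH, rank them large to small, and
    flag a file only when its icon's share of all scanned executables exceeds
    the threshold AND the file carries multiple PE headers."""
    counts = Counter(r["icon_hash"] for r in records)
    ranked = counts.most_common()  # sorted by count, descending
    total = len(records)
    infected = [r["path"] for r in records
                if counts[r["icon_hash"]] / total > threshold and r["multi_pe"] == 1]
    return ranked, infected


def recover_original(data: bytes) -> bytes | None:
    """Clearing module: return the embedded program so the caller can write it
    under the original file name and delete the infected file.
    Assumption: the original is the last PE in the file."""
    offsets = find_pe_header_offsets(data)
    return data[offsets[-1]:] if len(offsets) >= 2 else None


def make_fake_pe(payload: bytes, e_lfanew: int = 0x40) -> bytes:
    """Constructed stand-in for an executable: a DOS header whose e_lfanew
    points at a PE signature, followed by arbitrary payload bytes."""
    dos = bytearray(e_lfanew)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    return bytes(dos) + PE_SIG + payload


def demo():
    """Ten constructed executables; returns (icon ranking, flagged paths)."""
    shared_icon = b"constructed shared icon bytes"
    # the decoy MZ inside the stub has no PE signature behind it and is not counted
    stub = make_fake_pe(b"stub code with a decoy MZ" + b"\x00" * 0x40)
    records = []
    for i in range(4):  # four hosts carrying the stub, all showing the same icon
        infected = stub + make_fake_pe(b"original program %d" % i)
        records.append(build_record(f"C:/apps/tool{i}.exe", infected, shared_icon))
    # same icon but a single PE header: icon share alone does not convict it
    records.append(build_record("C:/apps/lookalike.exe", make_fake_pe(b"clean"), shared_icon))
    # two PE headers but a unique icon: a 10% share stays under the threshold
    records.append(build_record("C:/apps/installer.exe", stub + make_fake_pe(b"sfx"), b"icon x"))
    for i in range(4):  # unrelated clean programs
        records.append(build_record(f"C:/apps/other{i}.exe", make_fake_pe(b"other"), b"icon %d" % i))
    return judge(records)


if __name__ == "__main__":
    ranking, flagged = demo()
    print("largest icon share:", ranking[0][1], "of 10 files")
    print("flagged:", flagged)
```

The two conditions are deliberately independent in the sample: the look-alike shares the dominant icon but has one PE header, and the installer has two PE headers but a unique icon, so neither is flagged; only the four hosts that meet both are.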
7. The non-code feature based virus detection system of claim 6 wherein,
the detection module traverses all files in the operating system;
if the traversed current file is an executable file, attempting to extract the icon of the file, and if the executable file has no icon resource, skipping the remaining steps and traversing the next file;
if the traversed file is an executable file and contains icon resources, extracting the data of the executable file.
8. The non-code feature based virus detection system of claim 6 wherein,
the data of the executable file comprises the following four types:
A. HASH of the icon;
B. full path filename;
C. full file content HASH;
D. whether more than 2 PE headers are included.
9. The virus detection system based on non-code features according to claim 8, wherein, after the traversal of all files is completed, N groups of file information records in a specified format are obtained; the file information records are traversed and, for the icon HASH of each executable file, the number of files sharing that same icon HASH is counted; and after the statistics are completed, the icon HASH values are sorted by the number of files sharing them, from large to small.
10. The non-code feature based virus detection system according to claim 6, wherein the threshold for the proportion of files sharing a certain icon HASH among all traversed executable files is set to 30%.
CN202110267174.4A 2021-03-11 2021-03-11 Virus detection method and system based on non-code characteristics Active CN113032783B (en)

Publications (2)

Publication Number Publication Date
CN113032783A CN113032783A (en) 2021-06-25
CN113032783B true CN113032783B (en) 2024-03-19

Family

ID=76469920

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115062298A (en) * 2022-06-20 2022-09-16 北京中睿天下信息技术有限公司 Method for rapidly detecting malicious code based on Windows NTFS file name time
CN117540384B (en) * 2023-12-27 2025-04-01 北京江民新科技术有限公司 Method and system for detecting and removing files infected by Crytex virus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant