How to quickly determine whether a file is a virus
This article is mainly to quickly identify normal files and viruses , I'm not a professional myself , The method was summed up by myself , Very amateur , But I think it's useful . If you have a better way , Welcome to post . The following text begins .
There are many ways to analyze whether a file is a virus , For example OD Such a debugger , use HIPS Can achieve the goal . Here we mainly discuss the method of quick judgment , In the shortest possible time , Minimum knowledge , To determine whether a file is secure .
Let's talk about the necessary tools first :Sandboxie,PEID,OD And your antivirus software .
for instance , I download a software released by someone else from the forum , At this time, antivirus software may report the virus . In this case , Take a look at the name of the virus . If it is “Win32/Packed.VMProtect.AAA
Trojan Horse
A variant of ” Such a shell , Then we can relax our vigilance a little bit . For some shells , You can't get rid of it , for convenience , Treat this shell like a virus . in addition , If it is “Win32/Hupigon.NUK
Trojan Horse ” as well as “Win32/Parite.B
virus ” This kind of , You need to pay attention , This file may be maliciously inserted into the Trojan horse , Or infected . From the virus name of the killing soft newspaper, we can basically judge that there is something wrong with this file , Or is it a miscarriage of justice . however , There are some exceptions . such as “Trojan.Win32.Generic.122E105A”, This is a virus from cloud security analysis , There is no valid information , Therefore, it is impossible to judge whether it is a misjudgment by virus name .
According to the information of kill soft , You can have a preliminary understanding of the security of the file . I don't think anyone will trust sharuan completely , It's more about trusting yourself . use PEiD Check the shell , If it's some simple compression shell , Just run in the sand table OD, Take it off , analysis . At this time, what we need to do is not to follow step by step , Instead, look for the file to call API. Right click in the Disassembly window , lookup —— The name in the current module ( label ).
Take a look API, At this time, there is also a choice . For character functions and string handling functions , You can ignore the past ; For registry functions , File function should pay more attention . for instance , I saw it CreateFile, It's up and down this function , Pay attention to see if there is a file written to the system sensitive location . same , Looking at strings is also an effective way . In general , You can find some characteristics of the virus from the string . For example, some gray pigeons will have “ Client installed successfully ” Words like that , Found some email address and the corresponding password . These are very suspicious . I met some fierce shells , It's very difficult to take it off , At this time, you can use the sand table .
Let the program run completely in the sand table , Then terminate all programs .
Take a look at what the program generated .
00103170616955.png)
From the file generated by the program, we can judge whether it is a virus or not . of course , There are also some test sand tables , Small things of virtual machine . There is a link to the online sandbox at the top of the page in the virus sample area . The results of the analysis are very specific , It can be used for reference . If you think manual testing is too cumbersome , With the help of online sand table , It's fast and detailed .
such , For example .
This is Xiaosheng's analysis of a virus plug-in , You can see the video , It's very meaningful to learn . Now I'll do it according to the above method .
Check the shell first , It should be SHELLLESS .
I prefer to use it at this time PEiD Take a look at the string in the disassembly tool , This function is very convenient .
Pay attention to the selected part , It's suspicious . It's a URL, It's still a target exe file . At this time, we should suspect that the plug-in is a downloader .
I'll use it next OD load ( In sand table or virtual machine ), Take a look at the names in the current module ( label ), There is one URLDownloadToFileA, This function can realize the function of downloading a file on the network to the local , General ShellCode Often used to it .
Switch breakpoints on input functions , function , We can see the specific behavior .
After that, what we need to do is to analyze the downloaded file ( The address is still valid …).
Generally speaking, Microsoft programs don't have such icons , And a plug-in download Microsoft things inexplicably , Very strange , It can only be said that it is to cover up , So you can shoot it .
In the same way , If you use the sand table to run directly , Finally, the file will be extracted from the sand table , It will be found in the temporary directory . In the plug-in directory will also find a hidden file , It should be a clean plug-in .
The hanging horse should have changed , It's different from the procedure in the attachment of Xiaosheng .
If you think it's troublesome , You can throw it directly into the online sand table , Let the machine analyze it for you .
For example, I think the downloaded file nSPack The shell is hard to take off , Or I won't shell at all , Select file path , then Upload
File, Wait a few minutes , You can get the results , Other online sand tables are similar .
It's very difficult to find examples this time , I'm not in the habit of storing samples , The Trojans were blocked after they were detected , Their shining accessories are not to be found , There are no suitable examples . Moreover, it's a bit unrealistic to test the real virus . In the forum for a long time to find the only remaining program .
( This article is from 5g Cloud Forum , Encroachment and deletion )
Technology