恶意代码代码特征提取

文件特征提取

1、利用哈希值作为病毒特征

2、选取病毒内部的特征字符串

3、选取病毒内部的特色代码

4、双重校验和

网络特征

1、具体的下载URL或者访问的URL

2、IP地址

3、网络域名

注册表信息提取

1、启动项

2、写死的某个开关值

内存特征提取

某个特定的页、读写权限、代码块大小

只要理解MEMORY_BASIC_INFORMATION这个架构中的RegionSize作用就知道怎么提取内存特征了

代码如下：

// 遍历内存.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//

#include "pch.h"
#include <iostream>
#include <windows.h>
#include <TCHAR.H>
BOOL ShowProcMemInfo(DWORD dwPID);
int _tmain(int argc, char* argv[])
{
	ShowProcMemInfo(GetCurrentProcessId());
	return 0;
}
// 显示一个进程的内存状态 dwPID为进程ID
BOOL ShowProcMemInfo(DWORD dwPID)
{
	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,
		FALSE,
		dwPID);
	if (hProcess == NULL)
		return FALSE;
	MEMORY_BASIC_INFORMATION mbi;
	PBYTE pAddress = NULL;
	TCHAR szInfo[200] = _T("BaseAddr Size Type State Protect \n");
	_tprintf(szInfo);
	while (TRUE)
	{
		if (VirtualQueryEx(hProcess, pAddress, &mbi, sizeof(mbi)) != sizeof(mbi))
		{
			break;
		}
		if ((mbi.AllocationBase != mbi.BaseAddress) && (mbi.State != MEM_FREE))
		{
			_stprintf(szInfo, _T(" %08X %8dK "),
				mbi.BaseAddress,
				mbi.RegionSize >> 10);
		}
		else
		{
			_stprintf(szInfo, _T("%08X %8dK "),
				mbi.BaseAddress,
				mbi.RegionSize >> 10);
		}
		LPCTSTR pStr = _T("");
		switch (mbi.Type)
		{
		    case MEM_IMAGE: pStr = _T("MEM_IMAGE "); break;
		    case MEM_MAPPED: pStr = _T("MEM_MAPPED "); break;
		    case MEM_PRIVATE: pStr = _T("MEM_PRIVATE"); break;
		    default: pStr = _T("-----------"); break;
		}
		_tcscat(szInfo, pStr);
		_tcscat(szInfo, _T(" "));
		switch (mbi.State)
		{
		    case MEM_COMMIT: pStr = _T("MEM_COMMIT "); break;
		    case MEM_RESERVE: pStr = _T("MEM_RESERVE"); break;
		    case MEM_FREE: pStr = _T("MEM_FREE "); break;
		    default: pStr = _T("-----------"); break;
		}
		_tcscat(szInfo, pStr);
		_tcscat(szInfo, _T(" "));
		switch (mbi.AllocationProtect)
		{
		    case PAGE_READONLY: pStr = _T("PAGE_READONLY "); break;
		    case PAGE_READWRITE: pStr = _T("PAGE_READWRITE "); break;
		    case PAGE_WRITECOPY: pStr = _T("PAGE_WRITECOPY "); break;
		    case PAGE_EXECUTE: pStr = _T("PAGE_EXECUTE "); break;
		    case PAGE_EXECUTE_READ: pStr = _T("PAGE_EXECUTE_READ "); break;
		    case PAGE_EXECUTE_READWRITE: pStr = _T("PAGE_EXECUTE_READWRITE"); break;
		    case PAGE_EXECUTE_WRITECOPY: pStr = _T("PAGE_EXECUTE_WRITECOPY"); break;
		    case PAGE_GUARD: pStr = _T("PAGE_GUARD "); break;
		    case PAGE_NOACCESS: pStr = _T("PAGE_NOACCESS "); break;
		    case PAGE_NOCACHE: pStr = _T("PAGE_NOCACHE "); break;
		default: pStr = _T("----------------------"); break;
		}
		_tcscat(szInfo, pStr);
		_tcscat(szInfo, _T("\n"));
		_tprintf(szInfo);
		pAddress = ((PBYTE)mbi.BaseAddress + mbi.RegionSize);
	}
	CloseHandle(hProcess);
	return TRUE;
}

参考

聊聊怎样才算是好的病毒特征
https://www.52pojie.cn/thread-611410-1-1.html