计算机平台下的PE文件病毒的实现和防止
摘要
在计算机病毒技术与反病毒技术激烈斗争的今天,病毒技术的复杂多变,发展迅速给计算机用户同时也给反病毒技术带了巨大的挑战。本文详细剖析了时下较流行的Windows 32位操作系统平台下最为常见的PE病毒机制,配合以代码实现的方式,从一个病毒编写者的角度展示病毒基本原理,并以此为契机从而做到更好的防范病毒。第一部分分别介绍了Windows病毒的基本原理、分类,并着重介绍PE病毒基本原理,基本机制;第二部分则根据PE病毒原理用编写实际代码的方式实现一个感染正常EXE文件(如WinRAR.exe)、关机并通过U盘传播等功能的病毒程序;第三部分则通过功能测试(白盒测试)、杀毒软件测试,总结并展望病毒技术;最后通过此次课题的研究成果,结合当今主流反病毒技术,总结Windows PE病毒防范技术。
关键字:Windows病毒;PE病毒;反病毒技术;PE文件格式;PE病毒实现
The Research and Implementation of PE Documentary Virus base on Win32 Platform
Abstract
Nowadays, computer virus technology is growing rapidly as fast as development speed of anti-virus technology.Computer virus technology is becoming complex and changing rapidly. It brings enormous challenges to anti-virus technology. This paper analyzes the most common PE virus mechanism base on Win32 platform that is explained by the way of code realization. The article also demonstrates the basic mechanism of virus from the perspective of the virus creator and gives the suggestion to achieve a better anti-virus result. At the beginning, the article introduces the basic knowledge of Windows virus and classification. This part highlights the basic tenets of PE virus and basic mechanism. The second part compiles the code realization according to the principles. It can infect an EXE program (e.g. WinRAR.exe) and spread by u disk. The third part shows the result of passing the test (white box testing) and makes the summary and forecast. The last part summarizes the Windows PE anti-virus technology through the research on this topic with mainstream anti-virus technology.
Key Words:Windows virus; PE virus; anti-virus technology; PE format; implementation of virus program
目录
论文总页数32页
TOC \o "1-3" \h \z \u 1引言. PAGEREF _Toc170384619 \h 1
2计算机病毒概述. PAGEREF _Toc170384620 \h 1
2.1计算机病毒的定义. PAGEREF _Toc170384621 \h 1
2.2计算机病毒的基本性质与本质. PAGEREF _Toc170384622 \h 2
3 Windows病毒. PAGEREF _Toc170384623 \h 4
3.1Windows病毒分类. PAGEREF _Toc170384624 \h 4
3.1.1PE病毒. PAGEREF _Toc170384625 \h 4
3.1.2脚本病毒. PAGEREF _Toc170384626 \h 4
3.1.3宏病毒. PAGEREF _Toc170384627 \h 4
3.2 PE病毒原理. PAGEREF _Toc170384628 \h 4
3.2.1 PE文件格式. PAGEREF _Toc170384629 \h 4
3.2.2检验PE文件的有效性. PAGEREF _Toc170384630 \h 7
3.2.3病毒重定位. PAGEREF _Toc170384631 \h 8
3.2.4获取API函数地址. PAGEREF _Toc170384632 \h 9
3.2.5文件操作. PAGEREF _Toc170384633 \h 12
4 Windows PE文件病毒的研究及实现. PAGEREF _Toc170384634 \h 14
4.1病毒程序实现. PAGEREF _Toc170384635 \h 14
4.1.1病毒程序编写背景. PAGEREF _Toc170384636 \h 14
4.1.2病毒程序基本功能介绍. PAGEREF _Toc170384637 \h 15
4.1.3病毒程序编写环境. PAGEREF _Toc170384638 \h 15
4.1.4病毒程序简要流程框图. PAGEREF _Toc170384639 \h 15
4.1.5病毒程序主模块-JERRY.ASM PAGEREF _Toc170384640 \h 16
4.1.6病毒程序搜索API函数模块-SearchAPI.ASM PAGEREF _Toc170384641 \h 16
4.1.7病毒程序感染EXE文件模块-Modify_PE.ASM PAGEREF _Toc170384642 \h 17
4.1.8病毒程序感染及U盘传播模块-EffectU.ASM PAGEREF _Toc170384643 \h 20
4.1.9病毒程序发作模块-Burst.ASM PAGEREF _Toc170384644 \h 21
4.2病毒程序测试. PAGEREF _Toc170384645 \h 22
4.2.1病毒程序测试环境. PAGEREF _Toc170384646 \h 22
4.2.2病毒程序测试过程. PAGEREF _Toc170384647 \h 23
4.2.2病毒程序测试结果. PAGEREF _Toc170384648 \h 24
4.3病毒程序总结分析. PAGEREF _Toc170384649 \h 28
4.3.1病毒传播能力分析. PAGEREF _Toc170384650 \h 28
4.3.2病毒潜伏能力分析. PAGEREF _Toc170384651 \h 28
4.3.3病毒破坏能力分析. PAGEREF _Toc170384652 \h 28
4.3.4病毒程序自我总结. PAGEREF _Toc170384653 \h 28
4.3.5病毒程序完善方向. PAGEREF _Toc170384654 \h 29
结 论. PAGEREF _Toc170384655 \h 29
参考文献. PAGEREF _Toc170384656 \h 29
