Abstract
Computer virus infection and the damage it causes lead to serious losses. Building on an analysis of the characteristics of computer viruses and of anti-virus detection system techniques, this paper proposes an efficient virus-signature detection mechanism. First, it surveys advanced anti-virus techniques such as real-time scanning, heuristic code scanning, virtual machine techniques and active kernel techniques. It then analyzes signature extraction techniques for binary executable viruses, script viruses and macro viruses, and designs a simple honeypot system to collect virus samples. Next, to address the problem that signature codes cannot detect unknown viruses, the detection engine is improved and an ACBM multi-pattern matching algorithm is proposed that fuses the AC automaton matching algorithm with the BM algorithm. When matching virus signatures the algorithm is efficient, fast and accurate. Anti-virus software and virus detection systems built on the signature code method are the next research goal.
The characteristics of computer viruses and anti-virus techniques are analyzed thoroughly in this thesis. Nowadays there are some advanced anti-virus techniques, such as real-time scanning, heuristic code scanning, virtual machine and active kernel techniques. But current anti-virus software is mostly based on the character code (signature) method, so this thesis gives a detailed description of the detection idea and of how to construct a virus detection system based on the character code method. For binary executable files, virus detection is sped up by scanning only the common locations of computer viruses in a file (such as the entry-point jump and call instructions) rather than the entire file. First, the character code extraction techniques for binary executable viruses, script viruses and macro viruses are analyzed in this thesis. Then a simple honeypot system is designed to obtain computer virus samples, and character code extraction experiments are performed on PE-format virus samples using W32Dasm, a disassembly tool. Second, this thesis makes some improvements to the engine to resolve the problem that unknown viruses cannot be detected by character code. By analyzing the PE file format, a series of checks related to the header of PE files and the section tables has been designed, and detection efficiency is enhanced when the two methods are combined.
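The ACBM algorithm in the abstract fuses the AC (Aho-Corasick) automaton with the BM algorithm; the paper's fusion is not described on this page, so the following added example (not code from the paper) shows only the Aho-Corasick half: a multi-pattern automaton that finds every signature in one pass over a buffer, including overlapping matches. The signature bytes and the sample buffer are constructed for illustration and are not real virus signatures.

```python
from collections import deque

# Constructed sample signatures (hypothetical byte sequences, not real virus signatures).
SIGNATURES = {
    "sig_a": b"\xe8\x00\x00\x00\x00\x5d",  # call $+5 / pop ebp
    "sig_b": b"\x60\x9c\xe8",              # pushad / pushfd / call
    "sig_c": b"\x5d\x81\xed",              # pop ebp / sub ebp, imm32
}

class AhoCorasick:
    """Multi-pattern byte matcher: one pass over the data finds every signature."""

    def __init__(self, patterns):
        self.goto = [{}]   # per node: next byte -> child node
        self.out = [[]]    # per node: (name, length) of signatures ending here
        self.fail = [0]    # per node: longest proper suffix that is also a trie prefix
        for name, pat in patterns.items():
            self._add(name, pat)
        self._build_failure_links()

    def _add(self, name, pat):
        node = 0
        for b in pat:
            if b not in self.goto[node]:
                self.goto.append({}); self.out.append([]); self.fail.append(0)
                self.goto[node][b] = len(self.goto) - 1
            node = self.goto[node][b]
        self.out[node].append((name, len(pat)))

    def _build_failure_links(self):
        queue = deque(self.goto[0].values())  # depth-1 nodes already fail to the root
        while queue:
            node = queue.popleft()
            for b, child in self.goto[node].items():
                f = self.fail[node]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(b, 0)
                self.out[child].extend(self.out[self.fail[child]])  # inherit suffix matches
                queue.append(child)

    def scan(self, data):
        """Return [(signature name, offset)] for every occurrence, overlaps included."""
        node, hits = 0, []
        for i, b in enumerate(data):
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            for name, length in self.out[node]:
                hits.append((name, i - length + 1))
        return hits

# Constructed buffer holding all three signatures, overlapping at their boundaries.
SAMPLE = b"\x90\x90\x60\x9c\xe8\x00\x00\x00\x00\x5d\x81\xed\x00\x00"

def scan_sample():
    return AhoCorasick(SIGNATURES).scan(SAMPLE)

if __name__ == "__main__":
    print(scan_sample())  # [('sig_b', 2), ('sig_a', 4), ('sig_c', 9)]
```

The same automaton can be run over only the regions the abstract singles out (the bytes around the entry point) instead of the whole file by passing that slice to `scan`.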
Source
Microcomputer Applications (《微型电脑应用》)
2014, No. 8, pp. 52-55 (4 pages)
Microcomputer Applications
Keywords
Virus Detecting Machine
Character Code
PE File
Matching Principle