0%

基于字符串的恶意软件检测器绕过方法

概述:首页描述

标题一

  1. 基于字符串特征的恶意软件检测器绕过:在恶意软件中附加正常软件中常见的字符串来绕过基于字符串的恶意软件检测器。

      在可执行文件的结尾添加任何字符都不会对文件的执行产生任何影响,因此可以再恶意软件的结尾追加正常软件中常见的字符串来绕过恶意软件的检测,有趣的是,仅仅在恶意可执行文件的尾部添加>>符号即可绕过很多基于字符串的恶意软件检测器。

  2. 基于PE特征的恶意软件检测器绕过

      将原始的而禁止数据用新的二进制数据进行封装,在运行时自动解封装。

    【工具】:https://github.com/marcusbotacin/Dropper

【在线分析平台】https://corvus.inf.ufpr.br

or the models using PE features, well, changing the binary is the way to get there, but it is hard and boring. So let’s be lazy as usual and adopt a more straight-to-the-point approach: let’s hide the original binary within a new binary (a dropper). This way, we don’t need to write anything on the original malware sample, we just code our own malware. That’s what we did, and things went pretty well, all models bypassed. A pity we discovered it a bit late!

参考文献