恶意代码--adobe启发式开源检测病毒引擎技术学习分享

0x01 介绍


Adobe(R) Malware Classifier 是一款 Win32 恶意软件分析工具,本身采用 Python 脚本编写,支持 dll、exe 等 Windows 程序。

其中最主要的是基于行为检测和特征归类进行分析:本引擎对 130000 个恶意程序和 16000 个正常软件进行分析、比对和归纳。

实现精确匹配。

官方地址

其中代表含义如下:

# 0 = CLEAN  //安全程序
# 1 = DIRTY    //恶意程序
# UNKNOWN //未知程序。


采用4种算法进行分析。





FP 假阳性 将正常文件误判为恶意软件

TN 真阴性 将正常文件判定为正常文件

TP 真阳性 将恶意软件判定为恶意软件

FN 假阴性 将恶意软件判定为正常文件


0x02 代码


import pefile
import argparse
import sys

# Non-zero turns on the per-model "Processing ..." trace lines below.
DEBUG = 0
# Module-level default verdict (0 = CLEAN); every run*() classifier
# shadows this with its own local isDirty, so it is never read.
isDirty = 0

# Class to extract data values from PE file and hold them as member variables
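class PEFile:
	"""Extract the seven PE-header features the classifiers read.

	Only the headers are parsed (``fast_load=True``); the values are kept as
	plain int attributes so the ``run*`` classifiers can read them from the
	module-level ``input`` object. The file is untrusted by definition: a
	malformed or hostile image makes ``pefile`` raise ``pefile.PEFormatError``,
	which is left to propagate so the caller decides how to report it.
	"""

	def __init__(self, filename):
		"""Parse *filename* and populate the feature attributes.

		Args:
			filename: path of the PE (exe/dll) to classify.

		Raises:
			pefile.PEFormatError: *filename* is not a parsable PE image.
		"""
		self.pe = pefile.PE(filename, fast_load=True)
		self.filename = filename
		opt = self.pe.OPTIONAL_HEADER
		# Data-directory slots per the PE spec: 0=export, 1=import, 2=resource,
		# 6=debug. Slot 1 is the import table; the attribute is still called
		# IatRVA because that is the feature name the trained models use.
		# A slot missing from a short header counts as 0, the same value pefile
		# reports for a present-but-empty entry, instead of raising IndexError.
		self.DebugSize = self._directory_field(6, 'Size')
		self.ImageVersion = ((opt.MajorImageVersion * 100) + opt.MinorImageVersion) * 1000
		self.IatRVA = self._directory_field(1, 'VirtualAddress')
		self.ExportSize = self._directory_field(0, 'Size')
		self.ResourceSize = self._directory_field(2, 'Size')
		# The feature is the virtual size of the *second* section. Images with
		# fewer than two sections used to raise IndexError here; they get 0.
		sections = self.pe.sections
		self.VirtualSize2 = sections[1].Misc_VirtualSize if len(sections) > 1 else 0
		self.NumberOfSections = self.pe.FILE_HEADER.NumberOfSections

	def _directory_field(self, index, field):
		"""Return *field* of DATA_DIRECTORY[*index*], or 0 when that slot is absent."""
		directories = self.pe.OPTIONAL_HEADER.DATA_DIRECTORY
		if index >= len(directories):
			return 0
		return getattr(directories[index], field)

	def DataDump(self):
		"""Print every feature value read from the file (``-v`` option)."""
		print('Starting dump of ' + self.filename)
		print('DebugSize: 	' + str(self.DebugSize )) # DebugSize
		print('ImageVersion: 	' + str(self.ImageVersion)) # ImageVersion
		print('IatRVA:		' + str(self.IatRVA)) #IatRVA
		print('ExportSize:	' + str(self.ExportSize)) # ExportSize
		print('ResourceSize: 	' + str(self.ResourceSize)) # ResourceSize
		print('VirtualSize2: 	' + str(self.VirtualSize2)) # VirtualSize2
		print('NumberOfSections:' + str(self.NumberOfSections)) # NumberOfSections
		print('Stop')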

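def printResult(classification):
	"""Print a single model's verdict: ``0`` for CLEAN, ``1`` for anything else.

	Args:
		classification: the int returned by one of the ``run*`` classifiers.
	"""
	# Original mixed 4-space and tab indentation (a TabError on Python 3);
	# the parenthesised print form is valid on both Python 2 and 3.
	print('0' if classification == 0 else '1')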
		
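def runJ48(pe=None):
	"""Classify with the J48 decision tree; returns 1 (DIRTY) or 0 (CLEAN).

	Args:
		pe: object exposing DebugSize, ExportSize, ImageVersion, VirtualSize2,
			ResourceSize, NumberOfSections and IatRVA (a PEFile). Defaults to
			the module-level ``input`` so the existing no-argument calls keep
			working.

	Returns:
		1 when the tree reaches a DIRTY leaf, otherwise 0. Inputs the tree
		does not cover (e.g. DebugSize > 0, ResourceSize <= 545 and
		ExportSize > 92) fall through to the initial 0.
	"""
	if pe is None:
		pe = input
	isDirty = 0
	if pe.DebugSize <= 0:
		if pe.ExportSize <= 211:
			if pe.ImageVersion <= 520:
				if pe.VirtualSize2 <= 130:
					if pe.VirtualSize2 <= 5:
						if pe.ResourceSize <= 37520:
							isDirty = 1
						elif pe.ResourceSize > 37520:
							if pe.NumberOfSections <= 2:
								if pe.IatRVA <= 2048:
									isDirty = 0
								else:
									isDirty = 1
							else:
								isDirty = 1
					else:
						if pe.VirtualSize2 <= 12:
							if pe.NumberOfSections <= 3:
								isDirty = 0
							else:
								isDirty = 1
						else:
							isDirty = 1
				else:
					isDirty = 1
			else:
				if pe.ResourceSize <= 0:
					if pe.ImageVersion <= 1000:
						if pe.NumberOfSections <= 4:
							isDirty = 1
						else:
							if pe.ExportSize <= 74:
								if pe.VirtualSize2 <= 1556:
									isDirty = 1
								else:
									isDirty = 0
							else:
								isDirty = 0
					else:
						isDirty = 1
				else:
					if pe.NumberOfSections <= 2:
						if pe.ImageVersion <= 3420:
							isDirty = 1
						else:
							isDirty = 0
					else:
						isDirty = 1
		else:
			if pe.ImageVersion <= 0:
				if pe.ExportSize <= 23330:
					if pe.IatRVA <= 98304:
						if pe.NumberOfSections <= 3:
							isDirty = 1
						else:
							if pe.IatRVA <= 53872:
								isDirty = 0
							else:
								if pe.ExportSize <= 273:
									isDirty = 1
								else:
									if pe.ResourceSize <= 1016:
										isDirty = 1
									else:
										isDirty = 0
					else:
						isDirty = 0
				else:
					isDirty = 1
			else:
				isDirty = 0
	else:
		if pe.ResourceSize <= 545:
			if pe.ExportSize <= 92:
				if pe.NumberOfSections <= 4:
					isDirty = 0
				else:
					isDirty = 1
		else:
			if pe.IatRVA <= 94208:
				if pe.NumberOfSections <= 5:
					if pe.ExportSize <= 0:
						if pe.NumberOfSections <= 4:
							if pe.IatRVA <= 13504:
								if pe.ImageVersion <= 353:
									if pe.NumberOfSections <= 3:
										if pe.IatRVA <= 6144:
											if pe.IatRVA <= 2048:
												isDirty = 0
											else:
												if pe.VirtualSize2 <= 496:
													isDirty = 1
												else:
													isDirty = 0
										else:
											isDirty = 0
									else:
										if pe.DebugSize <= 41:
											if pe.ResourceSize <= 22720:
												isDirty = 1
											else:
												isDirty = 0
										else:
											isDirty = 0
								else:
									isDirty = 0
							else:
								if pe.ResourceSize <= 35328:
									isDirty = 0
								else:
									isDirty = 1
						else:
							if pe.IatRVA <= 2048:
								isDirty = 1
							else:
								isDirty = 0
					else:
						isDirty = 0
				else:
					if pe.IatRVA <= 1054:
						if pe.ExportSize <= 218:
							if pe.IatRVA <= 704:
								isDirty = 1
							else:
								if pe.NumberOfSections <= 6:
									isDirty = 1
								else:
									isDirty = 0
						else:
							isDirty = 0
					else:
						isDirty = 0
			else:
				if pe.ExportSize <= 0:
					if pe.VirtualSize2 <= 78800:
						if pe.NumberOfSections <= 4:
							isDirty = 0
						else:
							if pe.ImageVersion <= 2340:
								if pe.ResourceSize <= 7328:
									isDirty = 1
								else:
									isDirty = 0
							else:
								isDirty = 0
					else:
						isDirty = 1
				else:
					if pe.IatRVA <= 106496:
						if pe.ResourceSize <= 2800:
							isDirty = 0
						else:
							isDirty = 1
					else:
						isDirty = 0
	return isDirty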
# Might need to add a isDirty = 0 statement if tree results in unclassified result					

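def runJ48Graft(pe=None):
	"""Classify with the J48Graft decision tree; returns 1 (DIRTY) or 0 (CLEAN).

	Args:
		pe: object exposing DebugSize, ExportSize, ImageVersion, VirtualSize2,
			ResourceSize, NumberOfSections and IatRVA (a PEFile). Defaults to
			the module-level ``input`` so the existing no-argument calls keep
			working.

	Returns:
		1 when the tree reaches a DIRTY leaf, otherwise 0. Inputs the tree
		does not cover (e.g. DebugSize > 0, ResourceSize <= 545 and
		ExportSize > 92) fall through to the initial 0.
	"""
	if pe is None:
		pe = input
	isDirty = 0
	if pe.DebugSize <= 0:
		if pe.ExportSize <= 211:
			if pe.ImageVersion <= 520:
				if pe.VirtualSize2 <= 130:
					if pe.VirtualSize2 <= 5:
						if pe.ResourceSize <= 37520:
							isDirty = 1
						elif pe.ResourceSize > 37520:
							if pe.NumberOfSections <= 2:
								if pe.IatRVA <= 2048:
									if pe.ExportSize <= 67.5:
										isDirty = 0
									else:
										isDirty = 1
								else:
									isDirty = 1
							else:
								isDirty = 1
					else:
						# Was ``VirtualSize``, an attribute PEFile never sets, so
						# this path raised AttributeError; J48 tests VirtualSize2
						# at the same node.
						if pe.VirtualSize2 <= 12:
							if pe.NumberOfSections <= 3:
								isDirty = 0
							else:
								isDirty = 1
						else:
							isDirty = 1
				else:
					isDirty = 1
			else:
				if pe.ResourceSize <= 0:
					if pe.ImageVersion <= 1000:
						if pe.NumberOfSections <= 4:
							isDirty = 1
						else:
							if pe.ExportSize <= 74:
								if pe.VirtualSize2 <= 1556:
									isDirty = 1
								else:
									if pe.IatRVA <= 5440:
										if pe.VirtualSize2 <= 126474:
											if pe.ExportSize <= 24:
												isDirty = 0
											else:
												isDirty = 1
										else:
											isDirty = 1
									else:
										isDirty = 1
							else:
								isDirty = 0
					else:
						isDirty = 1
				else:
					if pe.NumberOfSections <= 2:
						if pe.ImageVersion <= 3420:
							isDirty = 1
						else:
							isDirty = 0
					else:
						isDirty = 1
		else:
			if pe.ImageVersion <= 0:
				if pe.ExportSize <= 23330:
					if pe.IatRVA <= 98304:
						if pe.NumberOfSections <= 3:
							isDirty = 1
						else:
							if pe.IatRVA <= 53872:
								if pe.VirtualSize2 <= 17.5:
									isDirty = 1
								else:
									if pe.NumberOfSections <= 10.5:
										if pe.ResourceSize <= 3103192:
											if pe.ExportSize <= 10858.5:
												if pe.VirtualSize2 <= 116016.5:
													isDirty = 0
												else:
													isDirty = 1
											else:
												isDirty = 0
										else:
											isDirty = 1
									else:
										isDirty = 1
							else:
								if pe.ExportSize <= 273:
									isDirty = 1
								else:
									if pe.ResourceSize <= 1016:
										isDirty = 1
									else:
										isDirty = 0
					else:
						isDirty = 0
				else:
					isDirty = 1
			else:
				if pe.ExportSize <= 1006718985:
					isDirty = 0
				else:
					isDirty = 1
	else:
		if pe.ResourceSize <= 545:
			if pe.ExportSize <= 92:
				if pe.NumberOfSections <= 4:
					isDirty = 0
				else:
					if pe.ImageVersion <= 6005:
						if pe.ExportSize <= 6714:
							isDirty = 1
						else:
							isDirty = 0
					else:
						isDirty = 0
		else:
			if pe.IatRVA <= 94208:
				if pe.NumberOfSections <= 5:
					if pe.ExportSize <= 0:
						if pe.NumberOfSections <= 4:
							if pe.IatRVA <= 13504:
								if pe.ImageVersion <= 353:
									if pe.NumberOfSections <= 3:
										if pe.IatRVA <= 6144:
											if pe.IatRVA <= 2048:
												if pe.ResourceSize <= 934:
													isDirty = 1
												else:
													if pe.VirtualSize2 <= 2728:
														isDirty = 0
													else:
														isDirty = 1
											else:
												if pe.VirtualSize2 <= 496:
													isDirty = 1
												else:
													isDirty = 0
										else:
											isDirty = 0
									else:
										if pe.DebugSize <= 41:
											if pe.ResourceSize <= 22720:
												if pe.IatRVA <= 2048:
													isDirty = 1
												else:
													if pe.VirtualSize2 <= 46:
														isDirty = 0
													else:
														isDirty = 1
											else:
												if pe.VirtualSize2 <= 43030:
													if pe.ResourceSize <= 3898348:
														if pe.IatRVA <= 2048:
															isDirty = 1
														else:
															isDirty = 0
													else:
														isDirty = 1
												else:
													isDirty = 0
										else:
											isDirty = 0
								else:
									isDirty = 0
							else:
								if pe.ResourceSize <= 35328:
									if pe.ImageVersion <= 4005:
										if pe.NumberOfSections <= 1.5:
											isDirty = 1
										else:
											isDirty = 0
									else:
										isDirty = 0
								else:
									if pe.ImageVersion <= 5510:
										if pe.DebugSize <= 42:
											if pe.VirtualSize2 <= 144328:
												if pe.NumberOfSections <= 3.5:
													isDirty = 0
												else:
													isDirty = 1
											else:
												isDirty = 0
										else:
											isDirty = 0
									else:
										isDirty = 0
						else:
							if pe.IatRVA <= 2048:
								isDirty = 1
							else:
								isDirty = 0
					else:
						isDirty = 0
				else:
					if pe.IatRVA <= 1054:
						if pe.ExportSize <= 218:
							if pe.IatRVA <= 704:
								isDirty = 1
							else:
								if pe.NumberOfSections <= 6:
									isDirty = 1
								else:
									isDirty = 0
						else:
							if pe.ExportSize <= 1006699445:
								if pe.ImageVersion <= 5510:
									if pe.ImageVersion <= 500:
										isDirty = 1
									else:
										isDirty = 0
								else:
									isDirty = 0
							else:
								isDirty = 1
					else:
						isDirty = 0
			else:
				if pe.ExportSize <= 0:
					if pe.VirtualSize2 <= 78800:
						if pe.NumberOfSections <= 4:
							isDirty = 0
						else:
							if pe.ImageVersion <= 2340:
								if pe.ResourceSize <= 7328:
									isDirty = 1
								else:
									if pe.VirtualSize2 <= 8288.5:
										isDirty = 1
									else:
										if pe.NumberOfSections <= 6.5:
											isDirty = 0
										else:
											isDirty = 1
							else:
								isDirty = 0
					else:
						if pe.ImageVersion <= 5515:
							isDirty = 1
						else:
							isDirty = 0
				else:
					if pe.IatRVA <= 106496:
						if pe.ResourceSize <= 2800:
							isDirty = 0
						else:
							if pe.ImageVersion <= 500:
								if pe.ResourceSize <= 5360:
									if pe.NumberOfSections <= 4.5:
										isDirty = 0
									else:
										if pe.VirtualSize2 <= 22564.5:
											if pe.ExportSize <= 191.5:
												if pe.DebugSize <= 42:
													if pe.ExportSize <= 162.5:
														isDirty = 0
													else:
														if pe.VirtualSize2 <= 10682:
															isDirty = 0
														else:
															if pe.ResourceSize <= 3412:
																isDirty = 0
															else:
																isDirty = 1
												else:
													isDirty = 0
											else:
												isDirty = 0
										else:
											isDirty = 0
								else:
									isDirty = 0
							else:
								isDirty = 0
					else:
						isDirty = 0
	return isDirty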
# Might need to add a isDirty = 0 statement if tree results in unclassified result					

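def runPART(pe=None):
	"""Classify with the PART rule list; returns 1 (DIRTY) or 0 (CLEAN).

	Rules are tested in order and the first match decides, so the order of
	the ``elif`` chain is part of the model and must not be changed.

	Args:
		pe: object exposing DebugSize, ExportSize, ImageVersion, VirtualSize2,
			ResourceSize, NumberOfSections and IatRVA (a PEFile). Defaults to
			the module-level ``input`` so the existing no-argument calls keep
			working.

	Returns:
		1 or 0 from the first matching rule; the final ``else`` makes the
		list exhaustive, so every input gets a verdict.
	"""
	if pe is None:
		pe = input
	isDirty = 0
	if pe.DebugSize > 0 and pe.ResourceSize > 545 and pe.IatRVA <= 94208 and pe.NumberOfSections <= 5 and pe.ExportSize > 0 and pe.NumberOfSections > 3:
		isDirty = 0
	elif pe.DebugSize <= 0 and pe.ImageVersion <= 4900 and pe.ExportSize <= 71 and pe.ImageVersion <= 520 and pe.VirtualSize2 > 130 and pe.IatRVA <= 24576:
		isDirty = 1
	elif pe.DebugSize <= 0 and pe.ImageVersion <= 4900 and pe.ExportSize <= 211 and pe.ResourceSize <= 32272 and pe.NumberOfSections <= 10 and pe.VirtualSize2 <= 5 and pe.ImageVersion <= 3420:
		isDirty = 1
	elif pe.DebugSize > 0 and pe.ResourceSize > 598 and pe.VirtualSize2 <= 105028 and pe.VirtualSize2 > 1 and pe.ImageVersion > 5000:
		isDirty = 0
	elif pe.IatRVA <= 0 and pe.ImageVersion > 4180 and pe.ResourceSize > 2484:
		isDirty = 0
	elif pe.DebugSize <= 0 and pe.NumberOfSections <= 1 and pe.ResourceSize > 501:
		isDirty = 0
	elif pe.DebugSize <= 0 and pe.ExportSize <= 211 and pe.NumberOfSections > 2 and pe.ImageVersion > 1000 and pe.ResourceSize <= 12996:
		isDirty = 1
	elif pe.DebugSize <= 0 and pe.ExportSize <= 211 and pe.NumberOfSections > 2 and pe.ResourceSize > 0 and pe.VirtualSize2 > 1016:
		isDirty = 1
	elif pe.NumberOfSections > 8 and pe.VirtualSize2 <= 2221:
		isDirty = 1
	elif pe.ResourceSize <= 736 and pe.NumberOfSections <= 3:
		isDirty = 1
	elif pe.NumberOfSections <= 3 and pe.IatRVA > 4156:
		isDirty = 0
	elif pe.ImageVersion <= 6000 and pe.ResourceSize <= 523 and pe.IatRVA > 0 and pe.ExportSize <= 95:
		isDirty = 1
	elif pe.ExportSize <= 256176 and pe.DebugSize > 0 and pe.ImageVersion <= 5450 and pe.IatRVA > 1664 and pe.ResourceSize <= 2040 and pe.DebugSize <= 41:
		isDirty = 0
	elif pe.ExportSize <= 256176 and pe.ImageVersion > 5450:
		isDirty = 0
	elif pe.ExportSize > 256176:
		isDirty = 1
	elif pe.ImageVersion > 0 and pe.ResourceSize > 298216 and pe.IatRVA <= 2048:
		isDirty = 1
	elif pe.ImageVersion > 0 and pe.ExportSize > 74 and pe.DebugSize > 0:
		isDirty = 0
	elif pe.ImageVersion > 0 and pe.VirtualSize2 > 4185 and pe.ResourceSize <= 215376 and pe.IatRVA <= 2048 and pe.NumberOfSections <= 5:
		isDirty = 0
	elif pe.ImageVersion > 1010 and pe.DebugSize <= 56 and pe.VirtualSize2 <= 215376:
		isDirty = 0
	# Was ``NumberOfSection`` (no trailing s), an attribute PEFile never sets,
	# so reaching this rule raised AttributeError.
	elif pe.ExportSize > 258 and pe.NumberOfSections > 3 and pe.DebugSize > 0:
		isDirty = 0
	elif pe.ExportSize > 262 and pe.ImageVersion > 0 and pe.NumberOfSections > 7:
		isDirty = 0
	elif pe.DebugSize > 41 and pe.NumberOfSections <= 4:
		isDirty = 0
	elif pe.ExportSize <= 262 and pe.NumberOfSections > 3 and pe.VirtualSize2 <= 37:
		isDirty = 1
	elif pe.VirtualSize2 > 40 and pe.ExportSize <= 262 and pe.DebugSize <= 0 and pe.ImageVersion <= 353 and pe.ExportSize <= 142:
		isDirty = 1
	elif pe.VirtualSize2 > 72384 and pe.VirtualSize2 <= 263848:
		isDirty = 1
	elif pe.IatRVA > 106496 and pe.IatRVA <= 937984 and pe.DebugSize > 0 and pe.ResourceSize > 4358:
		isDirty = 0
	elif pe.VirtualSize2 <= 64 and pe.IatRVA <= 2048 and pe.DebugSize <= 0 and pe.ImageVersion <= 353 and pe.ExportSize <= 0 and pe.VirtualSize2 <= 4 and pe.NumberOfSections <= 2:
		isDirty = 0
	elif pe.DebugSize <= 0 and pe.NumberOfSections <= 4 and pe.IatRVA > 45548:
		isDirty = 1
	elif pe.DebugSize > 0 and pe.DebugSize <= 56 and pe.IatRVA <= 94208 and pe.ResourceSize <= 4096:
		isDirty = 1
	elif pe.DebugSize <= 0 and pe.IatRVA <= 98304 and pe.NumberOfSections > 6 and pe.ResourceSize <= 864 and pe.ExportSize > 74 and pe.ImageVersion > 353 and pe.ExportSize <= 279:
		isDirty = 0
	elif pe.DebugSize <= 0 and pe.IatRVA <= 98304 and pe.NumberOfSections <= 2 and pe.ResourceSize <= 1264128:
		isDirty = 1
	elif pe.VirtualSize2 <= 64 and pe.IatRVA <= 2048 and pe.DebugSize > 0:
		isDirty = 0
	elif pe.ExportSize <= 276 and pe.NumberOfSections > 5 and pe.ResourceSize <= 1076:
		isDirty = 0
	elif pe.DebugSize > 0 and pe.IatRVA <= 94208 and pe.ExportSize <= 82 and pe.DebugSize <= 56 and pe.NumberOfSections > 2 and pe.ImageVersion <= 2340 and pe.ResourceSize <= 118280 and pe.VirtualSize2 > 5340:
		isDirty = 0
	elif pe.DebugSize > 0 and pe.ImageVersion <= 2340 and pe.DebugSize <= 56 and pe.NumberOfSections > 3 and pe.VirtualSize2 > 360 and pe.NumberOfSections <= 5:
		isDirty = 1
	elif pe.IatRVA > 37380 and pe.ImageVersion <= 0 and pe.NumberOfSections <= 5 and pe.VirtualSize2 > 15864:
		isDirty = 0
	elif pe.DebugSize <= 0 and pe.VirtualSize2 <= 80 and pe.IatRVA <= 4096 and pe.ExportSize <= 0 and pe.VirtualSize2 > 4 and pe.VirtualSize2 <= 21:
		isDirty = 0
	elif pe.DebugSize <= 0:
		isDirty = 1
	elif pe.ExportSize <= 82 and pe.DebugSize <= 56 and pe.NumberOfSections <= 5 and pe.NumberOfSections > 2 and pe.IatRVA <= 6144 and pe.ImageVersion > 2340:
		isDirty = 0
	elif pe.ImageVersion > 2340:
		isDirty = 1
	elif pe.ResourceSize > 5528:
		isDirty = 0
	else:
		isDirty = 1
	return isDirty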

	
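def runRidor(pe=None):
	"""Classify with the Ridor exception-rule list; returns 1 (DIRTY) or 0 (CLEAN).

	Each rule is an exception to the default CLEAN verdict; the first one that
	matches wins, so the ``elif`` order is part of the model.

	NOTE(review): several conditions differ from the Weka rule quoted in the
	comment above them -- e.g. the fourth rule tests ResourceSize > 17302 where
	the comment says <= 17302, and the fifth to seventh rules flip the
	ResourceSize / IatRVA comparison (they also use >= 2.5 instead of > 2.5,
	which is equivalent for integer section counts). The code is kept as
	written; confirm it against the trained model before relying on those
	rules.

	Args:
		pe: object exposing DebugSize, ExportSize, ImageVersion, VirtualSize2,
			ResourceSize, NumberOfSections and IatRVA (a PEFile). Defaults to
			the module-level ``input`` so the existing no-argument calls keep
			working.

	Returns:
		1 if any exception rule matches, otherwise 0.
	"""
	if pe is None:
		pe = input
	isDirty = 0
	#Except (DebugSize <= 14) and (ImageVersion <= 760) and (VirtualSize2 > 992) and (ExportSize <= 80.5) => isDirty = 1  (1702.0/16.0) [855.0/5.0]
	if pe.DebugSize <= 14 and pe.ImageVersion <= 760 and pe.VirtualSize2 > 992 and pe.ExportSize <= 80.5:
		isDirty = 1
	#Except (DebugSize <= 14) and (ImageVersion <= 4525) and (ExportSize <= 198.5) and (ResourceSize <= 37532) and (VirtualSize2 <= 6) and (ResourceSize <= 7348) and (ResourceSize > 1773) => isDirty = 1  (106.0/0.0) [48.0/0.0]
	elif pe.DebugSize <= 14 and pe.ImageVersion <= 4525 and pe.ExportSize <= 198.5 and pe.ResourceSize <= 7348 and pe.VirtualSize2 <= 6 and pe.ResourceSize > 1773:
		isDirty = 1
	#Except (DebugSize <= 14) and (ImageVersion <= 4950) and (ExportSize <= 192) and (IatRVA > 256) and (VirtualSize2 > 42) and (ExportSize <= 56) and (NumberOfSections > 3.5) => isDirty = 1  (193.0/0.0) [91.0/0.0]
	elif pe.DebugSize <= 14 and pe.ImageVersion <= 4950 and pe.ExportSize <= 56 and pe.IatRVA > 256 and pe.VirtualSize2 > 42 and pe.NumberOfSections > 3.5:
		isDirty = 1
	#Except (DebugSize <= 14) and (ImageVersion <= 4950) and (VirtualSize2 <= 6) and (ResourceSize <= 37532) and (ResourceSize <= 17302) => isDirty = 1  (388.0/0.0) [216.0/7.0]
	elif pe.DebugSize <= 14 and pe.ImageVersion <= 4950 and pe.VirtualSize2 <= 6 and pe.ResourceSize > 17302:
		isDirty = 1
	#Except (DebugSize <= 14) and (NumberOfSections > 2.5) and (ResourceSize > 1776) and (IatRVA <= 6144) and (ExportSize <= 219.5) and (VirtualSize2 > 2410) and (VirtualSize2 <= 61224) => isDirty = 1  (238.0/0.0) [116.0/0.0]
	elif pe.DebugSize <= 14 and pe.NumberOfSections >= 2.5 and pe.ResourceSize <= 1776 and pe.IatRVA <= 6144 and pe.ExportSize <= 219.5 and pe.VirtualSize2 > 2410 and pe.VirtualSize2 <= 61224:
		isDirty = 1
	#Except (DebugSize <= 14) and (NumberOfSections > 2.5) and (ExportSize <= 198) and (ResourceSize > 8) and (VirtualSize2 > 83) and (ResourceSize <= 976) => isDirty = 1  (151.0/2.0) [83.0/2.0]
	elif pe.DebugSize <= 14 and pe.NumberOfSections >= 2.5 and pe.ExportSize <= 198 and pe.ResourceSize > 8 and pe.VirtualSize2 > 83 and pe.ResourceSize <= 976:
		isDirty = 1
	#Except (DebugSize <= 14) and (NumberOfSections > 2.5) and (ResourceSize > 1418) and (IatRVA <= 6144) and (VirtualSize2 <= 4) => isDirty = 1  (94.0/0.0) [44.0/0.0]
	elif pe.DebugSize <= 14 and pe.NumberOfSections >= 2.5 and pe.ResourceSize > 1418 and pe.IatRVA > 6144 and pe.VirtualSize2 <= 4:
		isDirty = 1
	#Except (DebugSize <= 14) and (VirtualSize2 > 14) and (NumberOfSections <= 4.5) and (ResourceSize > 8) and (VirtualSize2 <= 2398) and (ResourceSize > 1550) => isDirty = 1  (84.0/0.0) [41.0/1.0]
	elif pe.DebugSize <= 14 and pe.VirtualSize2 > 14 and pe.NumberOfSections > 4.5 and pe.ResourceSize > 1550 and pe.VirtualSize2 <= 2398:
		isDirty = 1
	#Except (DebugSize <= 14) and (VirtualSize2 > 14) and (NumberOfSections <= 4.5) and (ExportSize <= 138.5) and (ImageVersion > 1005) => isDirty = 1  (37.0/0.0) [17.0/0.0]
	elif pe.DebugSize <= 14 and pe.VirtualSize2 > 14 and pe.NumberOfSections > 4.5 and pe.ExportSize > 138.5 and pe.ImageVersion > 1005:
		isDirty = 1
	#Except (ImageVersion <= 5005) and (DebugSize <= 14) and (VirtualSize2 > 14) and (NumberOfSections <= 4.5) => isDirty = 1  (182.0/20.0) [88.0/6.0]
	elif pe.ImageVersion <= 5005 and pe.DebugSize <= 14 and pe.VirtualSize2 > 14 and pe.NumberOfSections <= 4.5:
		isDirty = 1
	#Except (ImageVersion <= 5005) and (DebugSize <= 14) and (ImageVersion <= 5) and (NumberOfSections > 3.5) and (ExportSize <= 164.5) and (IatRVA <= 73728) and (ResourceSize <= 8722) => isDirty = 1  (47.0/0.0) [18.0/2.0]
	elif pe.ImageVersion <= 5005 and pe.DebugSize <= 14 and pe.ImageVersion <= 5 and pe.NumberOfSections > 3.5 and pe.ExportSize <= 164.5 and pe.IatRVA <= 73728 and pe.ResourceSize <= 8722:
		isDirty = 1
	#Except (ImageVersion <= 5005) and (DebugSize <= 14) and (ResourceSize > 21108) and (ResourceSize <= 37272) and (ImageVersion <= 760) => isDirty = 1  (51.0/0.0) [30.0/3.0]
	elif pe.ImageVersion <= 5005 and pe.DebugSize <= 14 and pe.ResourceSize > 21108 and pe.ResourceSize <= 37272 and pe.ImageVersion <= 760:
		isDirty = 1
	#Except (NumberOfSections > 4.5) and (ExportSize <= 25.5) and (ImageVersion > 1505) and (ResourceSize <= 1020) => isDirty = 1  (51.0/0.0) [30.0/2.0]
	elif pe.NumberOfSections > 4.5 and pe.ExportSize <= 25.5 and pe.ImageVersion > 1505 and pe.ResourceSize <= 1020:
		isDirty = 1
	# Except (ImageVersion <= 1500) and (NumberOfSections > 5.5) and (ExportSize <= 101) and (ResourceSize <= 3168) => isDirty = 1  (16.0/0.0) [8.0/1.0]
	elif pe.ImageVersion <= 1500 and pe.NumberOfSections > 5.5 and pe.ExportSize <= 101 and pe.ResourceSize <= 3168:
		isDirty = 1
	#Except (ImageVersion <= 3025) and (DebugSize <= 14) and (ResourceSize > 1182) and (VirtualSize2 > 164) and (ExportSize <= 330.5) => isDirty = 1  (32.0/7.0) [20.0/4.0]
	elif pe.ImageVersion <= 3025 and pe.DebugSize <= 14 and pe.ResourceSize > 1182 and pe.VirtualSize2 > 164 and pe.ExportSize <= 330.5:
		isDirty = 1
	# Except (ImageVersion <= 1010) and (ResourceSize > 2352) and (VirtualSize2 > 39914) and (VirtualSize2 <= 153258) and (VirtualSize2 > 115254) => isDirty = 1  (19.0/0.0) [8.0/2.0]
	elif pe.ImageVersion <= 1010 and pe.ResourceSize > 2352 and pe.VirtualSize2 > 115254 and pe.VirtualSize2 <= 153258:
		isDirty = 1
	#Except (ImageVersion <= 1500) and (NumberOfSections > 5.5) and (ImageVersion <= 500) and (ExportSize <= 164) and (IatRVA <= 2048) => isDirty = 1  (7.0/0.0) [3.0/0.0]
	elif pe.ImageVersion <= 1500 and pe.NumberOfSections > 5.5 and pe.ImageVersion <= 500 and pe.ExportSize <= 164 and pe.IatRVA <= 2048:
		isDirty = 1
	# Except (ImageVersion <= 1010) and (ResourceSize <= 474) and (IatRVA > 26624) and (VirtualSize2 > 1802) and (IatRVA <= 221348) => isDirty = 1  (15.0/0.0) [5.0/2.0]
	elif pe.ImageVersion <= 1010 and pe.ResourceSize <= 474 and pe.IatRVA > 26624 and pe.VirtualSize2 > 1802 and pe.IatRVA <= 221348:
		isDirty = 1
	# Except (ImageVersion <= 2500) and (DebugSize <= 14) and (ResourceSize > 4320) and (ResourceSize <= 389246) and (ResourceSize > 78678) and (NumberOfSections <= 4) and (ResourceSize <= 120928) => isDirty = 1  (7.0/0.0) [3.0/1.0]
	elif pe.ImageVersion <= 2500 and pe.DebugSize <= 14 and pe.ResourceSize > 78678 and pe.ResourceSize <= 120928 and pe.NumberOfSections <= 4:
		isDirty = 1
	# Except (ImageVersion <= 5005) and (ExportSize <= 25.5) and (NumberOfSections > 3.5) and (ResourceSize > 35814) and (VirtualSize2 > 215352) => isDirty = 1  (5.0/0.0) [1.0/0.0]
	elif pe.ImageVersion <= 5005 and pe.ExportSize <= 25.5 and pe.NumberOfSections > 3.5 and pe.ResourceSize > 35814 and pe.VirtualSize2 > 215352:
		isDirty = 1
	# Except (ImageVersion <= 4005) and (IatRVA <= 2560) and (NumberOfSections > 3.5) and (ImageVersion <= 500) and (ResourceSize > 648) and (ResourceSize <= 62291) => isDirty = 1  (9.0/0.0) [4.0/1.0]
	elif pe.ImageVersion <= 500 and pe.IatRVA <= 2560 and pe.NumberOfSections > 3.5 and pe.ResourceSize > 648 and pe.ResourceSize <= 62291:
		isDirty = 1
	# Except (ExportSize <= 25.5) and (NumberOfSections > 4.5) and (VirtualSize2 > 50765) and (ResourceSize <= 741012) and (ResourceSize > 2512) => isDirty = 1  (13.0/0.0) [6.0/0.0]
	elif pe.ExportSize <= 25.5 and pe.NumberOfSections > 4.5 and pe.VirtualSize2 > 50765 and pe.ResourceSize <= 741012 and pe.ResourceSize > 2512:
		isDirty = 1
	# Except (ImageVersion <= 1010) and (ExportSize <= 25.5) and (VirtualSize2 > 63) and (VirtualSize2 <= 3448) and (ResourceSize > 2032) and (VirtualSize2 > 1200) and (VirtualSize2 <= 3278) => isDirty = 1  (7.0/0.0) [4.0/2.0]
	elif pe.ImageVersion <= 1010 and pe.ExportSize <= 25.5 and pe.VirtualSize2 <= 3278 and pe.VirtualSize2 > 1200 and pe.ResourceSize > 2032:
		isDirty = 1
	#Except (ResourceSize <= 474) and (ExportSize <= 76) and (VirtualSize2 <= 1556) and (IatRVA <= 2368) => isDirty = 1  (13.0/0.0) [2.0/0.0]
	elif pe.ResourceSize <= 474 and pe.ExportSize <= 76 and pe.VirtualSize2 <= 1556 and pe.IatRVA <= 2368:
		isDirty = 1
	# Except (ImageVersion <= 1500) and (VirtualSize2 <= 6) and (IatRVA > 2048) => isDirty = 1  (8.0/0.0) [4.0/1.0]
	elif pe.ImageVersion <= 1500 and pe.VirtualSize2 <= 6 and pe.IatRVA > 2048:
		isDirty = 1
	else:
		isDirty = 0
	return isDirty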

# Each algo once; chain results together with equal weight
# IO routine: supply input file in CMD line; output is MALWARE or CLEAN or UNKNOWN
# opts: -i=input file; -n=algorithm number (0 for all)| -h = help
# Possibilities for features in future versions:
# v2: Display verbose - display the rules that were invoked while classifying this file as malware
# v3: Allow rules to be updated (assisted learning occurs)

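parser = argparse.ArgumentParser(description='Classify an unknown binary as MALWARE or CLEAN.')
parser.add_argument('-f', metavar='filename', help='The name of the input file')
parser.add_argument('-n', metavar='model', help='The ordinal for model classifier: 0=all (default) | 1=J48 | 2=J48Graft | 3=PART | 4=Ridor')
parser.add_argument('-v', nargs='?', metavar='verbose', help='Dump the PE data being processed', const='verbose')

args = parser.parse_args()

# No input file: show the usage text and exit successfully, as before.
if not args.f:
	parser.print_help()
	sys.exit(0)

# The run*() classifiers read their features from this module-level object.
# The name shadows the builtin input(); it is kept because they depend on it.
input = PEFile(args.f)

if args.v:
	input.DataDump()

# -n defaults to 0 (all models) and must be an int in 0..4. A non-numeric
# value used to crash with an uncaught ValueError; it now gets the same
# help-and-exit treatment as an out-of-range one.
try:
	args.n = int(args.n) if args.n else 0
except ValueError:
	args.n = -1
if args.n < 0 or args.n > 4:
	parser.print_help()
	sys.exit(0)

# (output label, debug name, classifier) in -n order 1..4. The labels carry
# the tab padding of the original output so the report format is unchanged.
MODELS = (
	('J48:\t\t', 'J48', runJ48),
	('J48Graft:\t', 'J48Graft', runJ48Graft),
	('PART:\t\t', 'PART', runPART),
	('RIDOR:\t\t', 'Ridor', runRidor),
)

if args.n == 0:
	# Option 0: run every model with equal weight; a verdict is printed only
	# when all four agree, otherwise the result is UNKNOWN.
	print('Processing all...')
	verdicts = [classify() for _, _, classify in MODELS]
	for (label, _, _), verdict in zip(MODELS, verdicts):
		print(label + '%d' % verdict)
	if len(set(verdicts)) == 1:
		print('result:\t\t%d' % verdicts[0])
	else:
		print('result:\t\tUNKNOWN')
else:
	# Options 1-4: a single model, reported as a bare 0/1 via printResult.
	_, name, classify = MODELS[args.n - 1]
	if DEBUG:
		print('Processing %s...' % name)
	printResult(classify())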


0x03 测试


用法示例




以下测试恶意程序




正常程序测试



