先进的反病毒引擎设计_Marked.doc

摘 要 反计算机病毒做为计算机安全问题的一个重要组成部分已日益受到人们的重视。本文将对当今先进的病毒/反病毒技术做全面而细致的介绍，重点当然放在了反病毒上，特别是虚拟机和实时监控技术。 在论文中我将首先介绍几种当今较为流行的病毒技术，包括获取系统核心态特权级，驻留，截获系统操作，变形和加密等。然后我将分五节详细讨论虚拟机技术：第一节简单介绍一下虚拟机的概论；第二节介绍加密变形病毒，我会分析两个著名变形病毒的解密子；第三节是虚拟机实现技术详解，其中会对两种不同方案进行比较，同时将剖析一个查毒用虚拟机的总体控制结构；第四节主要是对特定指令处理函数的分析；最后在第五节中我列出了一些反虚拟执行技术做为今后改进的参照。论文的第三章主要介绍实时监控技术，由于win9x和winnt/2000系统机制和驱动模型不同，所以我将会分成两个操作系统进行讨论。其中涉及的技术很广泛：包括驱动编程技术，文件钩挂，特权级间通信等等。 总之，本论文介绍的技术涉及操作系统底层机制，难度较大；本论文提供的代码，包括一个虚拟机C语言源代码和两个病毒实时监控驱动程序反汇编代码，具有一定的研究和实用价值。 关键字：病毒，虚拟机，实时监控 Abstract As an important part of computer security issues, people has increasingly thought highly of anti-virus. In this thesis, I will introduce today’s advanced virus and anti-virus techniques roundly and detailedly. Of course, the main point is anti-virus, especially the emulation and real-time monitor technique. In this thesis, firstly I will introduce several popular virus techniques,including getting system kernel mode privilege(ring0),residence, hijacking system operations, polymorphy and encryption. Then I will divide the discussions of the emulator into 5 section: in the first section ,I will simply introduce the overview of emulator;and the second section is on polymorphic and encrypted virus,I will analyze two famous polymorphic virus’s decryptors; the third section is emulator techniques implementing specification, I will compare tow schemes,and meanwhile dissect the emulator’s general control structure; the fourth section is the analysis about special instructions handler; finally in fifth section ,I will enumerate some anti-emulator techniques serving as the references for later modifications. The third chapter of this thesis mainly discuss the real-time monitor technique, for the difference in system mechanism and driver model between win9x and winnt/2000 ,I will divide the discussions into two OS. The techniques related are abroad :including driver programming ,file system hook, and communications across privileges etc. In a word, the techniques in