Simple Virus Remover

 

I am trying to create a simple virus remover. The algorithm I developed is meant to:

  • inspect the original file and the infected file
  • separate the virus from the infected file
  • use same algorithm for repairing other files infected with the virus

    • I know this is possible, since this is the same way patches are created, but I am a little bit lost on how to go about with this.

    Any help around??

    You'll have to put more intelligence than simply do some pattern matching and remove the isolated virus code.

    The viruses you are aiming at are files infectors which are rarely used in our days. Most of the time their replication process is as follow:

  • They copy themselves at the beginning or at the end of the PE files
  • Locate the entry point of the PE files
  • Put a jump instruction to this location pointing at theirs code

    • Disinfecting a file is the most difficult part for any anti-virus. It relies on the quality of the virus code: if it's buggy, the host file will just be unrecoverable.

    In any case, you are entering a world of machine instructions where disassemblers (IDA, PE Explorer ...), and debuggers will be your dearest friends.

    Do a difference of the two files, the basic idea would be to compare the original and infected files character by character until and saving discrepancies to some data structure. Then in the future you could look for the "virus" which would hypothetically be a collection of the differences, in other files and remove the "virus".

    The only problem with this is that there will probably be discrepancies between the two files which have nothing to do with the "virus", eg the infected file was modified in some way different from the original, which has nothing to do with the virus.

    EDIT*** Checking other files for the virus would not be too hard, but I am running under the assumption that you are dealing with some plain text form of file, for binary propitiatory files, I do not think you would be able to remove the "virus".

    链接地址: http://www.djcxy.com/p/4778.html

    上一篇: Jquery撤消对DOM的最后更改

    下一篇: 简单的病毒卸妆