扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
在本页阅读全文(共4页)
Windows
该工具同时可与Windows系统兼容。在下面的例子中,我们用正式的列表来将搜索局限于PHP及文本类型的文件中。
- python neopi.py -a c:\temp\phpbb "php|txt"
NeoPI的弱点所在
对于所有的恶意软件检测工具来说,都存在着一定的方法来避免被其检测到。NeoPI的检测重心在于识别混淆代码,而事实上它常常在识别模糊代码方面表现得更好。未经模糊处理的代码对于NeoPI的检测机制来说是透明的,并能够完美地整合于系统中的其它代码上(但这很容易被基于签名认证或表达搜索的检测工具发现)。如果以这样的处理方式来对恶意代码进行加工,这种看起来很正常的文本将极可能无法被NeoPI识别出。因为首先,这类代码可能会被编码/解码成有效的英文单词或脚本语言文字,这种编码类型的字符串将很可能避过巧合指数测试的法眼,因为其字母出现频率与真正的代码保持一致。它同样在熵值上与合法文件具有统一性;而最后,只要其在存储方式上也足够小心,将完全能够逃脱最长字符串测试这一关。
下面这个例子就能够以简单的编码机制成功逃避NeoPI的代码检测。而它正是基于文章开头我们所提到的结构松散的PHP类shell。
- $string = "iguana frog EATS iguana seal seal elk tiger EATS SPRINTS PEES GOAT ELK TIGER PUKES JUMPS cat mole dog JUMPS KILLS SLEEPS SLEEPS GIGGLES SPACE elk cat hog olm SPACE TICK GIGGLES SPRINTS PEES GOAT ELK TIGER PUKES JUMPS cat mole dog JUMPS KILLS POOPS TICK MURDERS SPACE POOPS";
- $dict = array(
- "a" => ""ardvark","b" => "bat","c" => "cat","d" => "dog","e" => "elk","f" => "frog","g" => "goat","h" => "hog","i" => "iguana","j" => "jackal","k" => "kiwi","l" => "lion","m" => "mole","n" => "newt","o" => "olm","p" => "pig","q" => "quail","r" => "rat","s" => "seal","t" => "tiger","u" => "vulture","v" => "wasp","x" => "xena","y" => "yak","z" => "zebra"," " => "space","(" => "eats",")" => "sleeps","." => "sneezes","[" => "pukes","]" => "kills","'" => "jumps","\"" => "rolls",";" => "murders","=" => "dances","\$" => "sprints","{" => "giggles","}" => "poops","_" => "pees","<" => "falls",">" => "vomits","?" => "coughs","`" => "tick");
- function decode($string, $array) {
- $output = "";
- $words = explode(" ", $string);
- foreach ($words as $word) {
