National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

Thesis record

Author: 鄧全良
Author (English): Chuan-Liang Teng
Title: An Anti-Virus System Based on a Virtual Program Loader and Virus Behavior Pattern Analysis (以虛擬程式載入器及病毒行為模式分析法的防毒系統)
Title (English, as recorded): Gas defense system of the analytic approach by way of fictitious procedure writing into device and virus behavior
Advisors: 徐雄健, 胡大雄
Advisors (English): Hsiung-Chien Hsu, Da-Hsiung Hu
Degree: Master's
Institution: Ming Chuan University (銘傳大學)
Department: Master's Program, Department of Computer Science and Information Engineering (資訊工程學系碩士班)
Discipline: Engineering
Field: Electrical and Information Engineering
Document type: Academic thesis
Year of publication: 2004
Academic year of graduation: 92 (ROC calendar, i.e. 2003-2004)
Language: Chinese
Pages: 51
Keywords (Chinese): 電腦病毒 (computer virus), 系統安全 (system security), 資訊安全 (information security)
Keywords (English): Information security; System security; Computer virus
Record statistics:
  • Cited by: 1
  • Views: 211
  • Rating: none
  • Downloads: 0
  • Bookmarked: 0
Abstract (Chinese, translated): In this thesis we study and analyze the behavior patterns of viruses, including their infection vectors, the ordering relationships of their execution, and their malicious or anomalous calls to system functions, and we design a state transition diagram to generalize and model those patterns. We then design and implement a virus detection system that analyzes the behavior pattern of any executable before it runs and judges whether it is a virus or has been infected by one, so that an outbreak can be prevented and controlled before it starts.
For the analysis of virus behavior, we classify and compare the methods viruses use to intrude on the operating system and assess whether their execution is plausible for a legitimate program, then use the resulting behavior transition patterns to confirm whether a program exhibits the characteristics of a virus. To prevent and control a virus before it activates, we developed a software technique that intercepts process execution through interrupts, together with a virtual program loading method: before the program under inspection executes, we trace the run-time behavior pattern it would exhibit and check it for virus behavior. Consequently, even a virus lying dormant on the machine in compressed form can potentially be detected and stopped before it activates.
In our experiments we confirmed that most computer viruses, including the well-known CIH and FunLove viruses, are detected by the anti-virus system we implemented. Moreover, because our anti-virus system needs no virus-signature database, its ability to detect unknown viruses is better than that of other anti-virus systems.
In this thesis, we first analyze the execution behavior of computer viruses, then design a State Transition Diagram to model virus behavior, including the intercepting actions, the relationships among running sequences, the malicious or abnormal calls to system operations, and so on. We then develop and implement a virus detection system by embedding a virtual loader in a Windows environment to track a program's code before it is physically loaded and executed by Windows. The tracked program is judged to be a virus if the path its execution behavior follows through the state transition diagram is one that characterizes a virus.
The pre-loading and behavior-tracking strategies of our virus detection system further make it possible to detect viruses even when they reside in compressed or encoded programs.
The experimental results demonstrate the effectiveness of the proposed virus detection system. Since our judgment of whether a program is a virus rests on the behavior of viruses rather than on matching virus patterns, which is the main principle of many commercial virus detection systems, our system may detect viruses so new that no patterns have been published yet, or whose patterns have not yet been distributed.
In the experiments, our anti-virus system detected well-known viruses such as CIH and FunLove, as Norton did. But since we need no virus pattern database, we can do better than other anti-virus systems at detecting unknown viruses.
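As an added illustration of the approach the abstract describes (this is not code from the thesis), the following Python models two virus behavior patterns as state transition diagrams and runs them over a trace of Win32 API calls. The trace stands in for what the thesis's virtual loader would record before the program is physically loaded; the traces, the pattern names, the specific API sequences and the guard conditions on their arguments are all constructed assumptions, since the thesis's actual API list and critical paths are not reproduced on this page.

```python
"""Behavior-pattern virus detection as state transition diagrams.
Added example, not the thesis's code: the patterns and traces below are
constructed assumptions standing in for the thesis's critical paths.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Args = Dict[str, str]
Call = Tuple[str, Args]            # (Win32 API name, argument dict)
Guard = Callable[[Args], bool]     # extra condition on a call's arguments


@dataclass(frozen=True)
class Transition:
    src: str
    api: str
    dst: str
    guard: Optional[Guard] = None


@dataclass(frozen=True)
class BehaviorPattern:
    name: str
    start: str
    accepting: str                 # reaching this state means the pattern matched
    transitions: Tuple[Transition, ...]

    def run(self, trace: List[Call]) -> Tuple[bool, List[str]]:
        """Walk the trace; return (matched, states visited).
        Calls with no matching transition leave the state unchanged."""
        state, path = self.start, [self.start]
        for api, args in trace:
            for t in self.transitions:
                if t.src == state and t.api == api and (t.guard is None or t.guard(args)):
                    if t.dst != state:
                        state = t.dst
                        path.append(state)
                    break
            if state == self.accepting:
                return True, path
        return False, path


def _is_exe(args: Args) -> bool:
    return args.get("path", "").lower().endswith((".exe", ".scr"))

def _writes(args: Args) -> bool:
    return "GENERIC_WRITE" in args.get("access", "")

# Pattern 1 (assumed): appending file infector. Enumerate executables, open one
# for writing, seek to its end, append code, then restore its timestamp.
FILE_INFECTOR = BehaviorPattern(
    name="appending file infector", start="idle", accepting="infected",
    transitions=(
        Transition("idle", "FindFirstFileA", "enumerating", _is_exe),
        Transition("enumerating", "FindNextFileA", "enumerating"),
        Transition("enumerating", "CreateFileA", "victim_open",
                   lambda a: _is_exe(a) and _writes(a)),
        Transition("victim_open", "SetFilePointer", "at_end",
                   lambda a: a.get("method") == "FILE_END"),
        Transition("at_end", "WriteFile", "appended"),
        Transition("appended", "SetFileTime", "infected"),
    ),
)

# Pattern 2 (assumed): in-memory API patching. Locate a system DLL, resolve an
# export, make its code page writable, then overwrite it.
API_PATCHER = BehaviorPattern(
    name="in-memory API patching", start="idle", accepting="patched",
    transitions=(
        Transition("idle", "GetModuleHandleA", "module",
                   lambda a: a.get("module", "").lower() == "kernel32.dll"),
        Transition("module", "GetProcAddress", "export"),
        Transition("export", "VirtualProtect", "writable",
                   lambda a: "EXECUTE_READWRITE" in a.get("protect", "")),
        Transition("writable", "WriteProcessMemory", "patched"),
    ),
)

PATTERNS = (FILE_INFECTOR, API_PATCHER)


def scan(trace: List[Call]) -> List[str]:
    """Names of every behavior pattern the trace completes (empty = clean)."""
    return [p.name for p in PATTERNS if p.run(trace)[0]]


# Constructed traces standing in for what a virtual loader would record.
INFECTOR_TRACE: List[Call] = [
    ("GetModuleHandleA", {"module": "kernel32.dll"}),
    ("GetProcAddress", {"name": "CreateFileA"}),
    ("FindFirstFileA", {"path": "C:\\WINDOWS\\*.EXE"}),
    ("FindNextFileA", {}),
    ("CreateFileA", {"path": "C:\\WINDOWS\\NOTEPAD.EXE", "access": "GENERIC_READ|GENERIC_WRITE"}),
    ("SetFilePointer", {"method": "FILE_END"}),
    ("WriteFile", {"bytes": "4096"}),
    ("SetFileTime", {}),
    ("CloseHandle", {}),
]
EDITOR_TRACE: List[Call] = [
    ("FindFirstFileA", {"path": "C:\\DOCS\\*.TXT"}),
    ("CreateFileA", {"path": "C:\\DOCS\\NOTES.TXT", "access": "GENERIC_READ|GENERIC_WRITE"}),
    ("SetFilePointer", {"method": "FILE_END"}),
    ("WriteFile", {"bytes": "120"}),
    ("CloseHandle", {}),
]

if __name__ == "__main__":
    for label, trace in (("infector", INFECTOR_TRACE), ("editor", EDITOR_TRACE)):
        print(label, "->", scan(trace) or "clean")
```

The editor trace performs the same open, seek-to-end, write sequence as the infector but never leaves the idle state, because the guard on FindFirstFileA requires an executable search pattern; that argument-level plausibility check is what distinguishes a behavior rule from a bare API sequence. It is also where a signature-free detector pays for its generality: an installer or compiler that legitimately enumerates and rewrites executables would complete the same path, so a deployed system needs whitelisting or a stronger guard on the written content.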
Table of contents:
Acknowledgements iii
Contents i
List of Tables ii
List of Figures iii
Chapter 1 Introduction 1
Chapter 2 Origins and Types of Viruses 2
2.1 Background 2
2.2 Windows System Architecture and Virus Principles 5
2.2.1 Windows System Architecture 5
2.2.2 Windows 9X System Architecture 7
2.2.3 Principles of Windows Viruses 7
2.2.4 Kernel-Mode Viruses 8
2.2.5 Virus Interception Techniques 11
2.2.6 Other Types of Viruses 14
2.2.7 Virus Hiding Techniques 16
Chapter 3 Analysis of Virus Behavior Patterns 18
3.1 Extracting Virus Code 18
3.1.1 E-mail Script and Macro Viruses 19
3.2 System Analysis and Matching Rules 20
3.3 Critical Paths of the State Transition Diagram 23
3.4 API List Corresponding to Behavior Patterns 23
Chapter 4 Implementation of an Anti-Virus System Based on a Virtual Program Loader 26
4.1 Win32 Executable File Format 26
4.2 Virtual Program Loader Implementation 29
Chapter 5 Virus Testing 36
Chapter 6 Conclusion 38
References 39