Today I would like to introduce the core technologies and core components needed to develop security software like 360 and QQ Computer Manager.


Anti-virus engine

The first indispensable component is the anti-virus engine. It was the earliest core of security software, and its purpose is to determine whether a file is malware.

The anti-virus engine determines whether a target is malicious mainly by static analysis of the file: it extracts the characteristics of the file and matches them against its own virus signature database.

The main technologies involved include file format recognition, packer detection and unpacking, encryption and decryption, disassembly of executable files, instruction-level feature matching, virtual (emulated) execution, sample family and group attribution based on code "genes", machine learning, and so on.


HOOK driver

The main task of security software is to protect our computers from malware such as viruses and Trojan horses. In addition to identifying known threats through static analysis, it must also hold the computer's line of defense and prevent the computer from being compromised by malware.

How to defend?

Security software needs to be aware of everything that happens on the computer: the creation of every process and thread, the creation, reading and writing of every file, the establishment of every network connection, and even every system service call.


Security software does all of this with HOOK technology.

Through a kernel driver, the security software hooks the key entry points from applications into the operating system kernel, and thereby monitors the behavior of all processes.

Almost every security software has such a driver. Inside it is a HOOK framework that provides a programming interface for other drivers to call, such as the well-known hookport.sys in 360.

Active defense driver

A HOOK framework alone is not enough; an active defense driver is also required to carry out the specific security defenses.


There is generally an active defense process at the application layer, which is responsible for receiving control commands from the security software's cloud server and fetching the latest defense rules and the latest feature library: which programs to block, which operations to intercept, and so on.

After the active defense process pulls this information, it sends it to the active defense driver in kernel space, which carries out the corresponding interception.
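To make the rule hand-off concrete, here is an added example (not code from the original article) that models, in user mode, the rule matching an active defense driver applies to events intercepted by the HOOK framework: rules arrive from the cloud as (operation, path pattern, verdict) entries, and the first matching rule decides. The rule format, operation names and sample paths are assumptions for illustration.

```c
/* Added example (not the article's code): a user-mode model of the rule matching
 * an active-defense driver applies to events intercepted by the HOOK framework.
 * Rule format, operation names and sample paths are assumptions for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Intercepted operation kinds, usable as a bitmask inside a rule. */
enum Op { OP_CREATE_PROCESS = 1, OP_WRITE_FILE = 2, OP_LOAD_DRIVER = 4 };
enum Action { ACT_ALLOW = 0, ACT_BLOCK = 1 };

/* One rule as pushed from the cloud to the active-defense process and then down
 * to the driver: which operations on which path pattern get which verdict. */
struct Rule { unsigned ops; const char *pattern; enum Action action; };

/* Constructed rule set in priority order; the first matching rule wins, so a
 * narrow allow rule placed above a broad block rule acts as an exception. */
static const struct Rule RULES[] = {
    { OP_WRITE_FILE | OP_LOAD_DRIVER, "*\\System32\\drivers\\*.sys", ACT_BLOCK },
    { OP_CREATE_PROCESS,              "*\\Temp\\Update\\*.exe",      ACT_ALLOW },
    { OP_CREATE_PROCESS,              "*\\Temp\\*.exe",             ACT_BLOCK },
};

/* Case-insensitive glob match where '*' matches any run of characters
 * (Windows paths are case-insensitive, so rules must not depend on case). */
static bool glob_match(const char *pat, const char *s) {
    for (;;) {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (*pat == '\0') return true;
            for (; *s != '\0'; s++)
                if (glob_match(pat, s)) return true;
            return false;
        }
        if (*s == '\0') return *pat == '\0';
        if (tolower((unsigned char)*pat) != tolower((unsigned char)*s)) return false;
        pat++; s++;
    }
}

/* Verdict for one intercepted event. Unmatched events are allowed, which is
 * why the rule feed must carry an explicit block rule for each known threat. */
enum Action evaluate(enum Op op, const char *path) {
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if ((RULES[i].ops & (unsigned)op) && glob_match(RULES[i].pattern, path))
            return RULES[i].action;
    return ACT_ALLOW;
}
```

In a real product the same table lives in the kernel driver and is consulted from the hook callback, with the user-mode process only refreshing it; the matching logic is the same.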

File filter driver

Monitoring through the HOOK driver does not always solve the problem completely. Some low-level software can bypass the system API call path, so the HOOK driver cannot see it.

Therefore, security software is generally also equipped with a file filter driver, which implements lower-level file monitoring through the interfaces provided by the file system.

The technologies commonly used in this type of driver include minifilter, sfilter, and so on.

Network monitoring driver

Similar to the file filter driver, a lower-level driver is also needed for the network, to monitor all network connections on the computer. Through the interfaces at the bottom of the operating system's network stack, it watches every packet entering and leaving the computer and so gains full knowledge of its network communication.

The technologies used by this type of driver include TDI, NDIS, WFP, etc.

Sandbox driver

In addition to guarding our computers, the other main job of security software is to analyze malicious programs.

The anti-virus engine mentioned above is mainly static analysis, but static analysis has its limitations: in many cases a malicious program only reveals itself when it is run. Therefore, dynamic analysis technology is ultimately needed.

Although network security technology has been developing for many years, the main technology used for dynamic analysis is still "sandbox analysis".


So-called sandbox analysis provides a simulated environment, throws the target in, lets it run, and waits for it to show its true form, at which point one can see at a glance whether it is malicious.

Therefore, much security software also provides a sandbox driver, which uses kernel isolation to simulate a "safe" execution environment in which the target is allowed to run.

Offensive and defensive driver

With such a large target as security software, it naturally attracts many attacks from malware. Besides malware, some security products even attack each other in order to fight over users.

Therefore, security software must strengthen its own defenses.

The active defense mentioned earlier is the regular army, and it does include the ability to protect the software itself, but against an opponent that also operates at the kernel level, this trick has little effect.

Therefore, security software generally has an offensive and defensive driver, which uses a variety of means to fight the opponent and protect itself. The technologies used here are varied.

Summary

To sum up, to develop a security software, there are three main things to do:


After reading this article, did you gain anything? Writing is not easy; please forward and share it.


代码熬夜敲

Li Zhikuan (李志宽): former top-100 creator, penetration testing expert, a reserved guy, and has his own rock band.