
Research On File Infection Method Based On File Parsing

Posted on: 2012-07-03
Degree: Master
Type: Thesis
Country: China
Candidate: Q H Zheng
Full Text: PDF
GTID: 2218330362956463
Subject: Computer system architecture
Abstract/Summary:
Because of the vulnerability of computer networks and the openness of the Internet, the computer virus has become the biggest risk to computer network security. As infecting system files is the main way to invade a system, the study of new file infection technology is increasingly important. On one hand, by researching new file infection techniques we can understand the working principle of the virus and bring about new anti-virus technology; on the other hand, it may also improve the capabilities of monitoring software and strengthen host defense. Therefore, it has high practical value.

According to the environment of file infection technology, the NTFS (New Technology File System) and FAT32 (File Allocation Table) file systems are analyzed and several common PE (Portable Executable) file infection methods are given; the insufficiency of these methods and of the existing file protection technology is explained. On this basis we propose a file parsing process which can improve the effectiveness of file infection.

Based on the file parsing process, the overall construction and the functional module division of a file infection system are given. The system is divided into four functional modules: the initialization, the NTFS parsing, the FAT32 parsing and the file infection. The initialization module is mainly used to establish the system environment and get basic information about the object file. The NTFS parsing module is mainly used to obtain the object file data and rewrite the file data in the NTFS partition. The FAT32 parsing module is mainly used to obtain the object file data and rewrite the file in the FAT32 partition. The file infection module is mainly used to rewrite the PE file in memory and gain control of the program.

In order to confirm the validity of the file infection system, an experiment environment is established, and 3 kinds of main file protection software are chosen: Micropoint Active Defense, Kaspersky and 360 Security Bodyguards. The experiment compares the file infection system given here with the commonly used file infection methods. The results indicate that the file infection method based on file parsing not only infects the system file successfully, but also maintains the stability of the operating system.
Keywords/Search Tags: Computer virus, file infection, file parsing, file protection