 
      




        .



   :
 1
1  ,   
2       
3     
4     dyncheck  
5      ,   2, 
6    (  )
7  3

 2
     ,  #ifdef'      ,
           .

    6 -     ,      )

  ,    ,    ,   #ifdef FUNCTION1_NEVER .. #endif
   ,    .



          C++.
   -.
  -    (getopt)    stdout/stderr.

        :
*   Visual Studio   2010,   :
-    (Release/x64)
-          ,     
*       (   5)
-   -    bool avcheck(const char* path),        -
   ,      -
*       ,  
- template<>
-    ,  CRT/STL/WinAPI
-    ,     .
       ,   .
*   stdout  : 
 1
 1,  1801 ,   0
 2,  900 ,   18
..
 100,  50 ,   0

 2
 foo(),   100..200,   0
 foo(),   190..200,   0
 foo(),   195..200,   18

   :
foo(): 195..200
bar(): 400..402
dumb(): 151..152

      -         .


,  2, 

       ,      ( /MAP ):
-       /map
-   ,   
-     
       1 (  2    )
        1     .


..       ,      (  CRT,   ),
      :
-     ( )
-      (.obj) ( )
-    
       (. )

  
https://github.com/vxlabinfo/SignFinder
  
https://vxlab.info/%d1%87%d0%b8%d1%81%d1%82%d0%ba%d0%b0-pe32-%d1%87%d0%b0%d1%81%d1%82%d1%8c-1/
https://vxlab.info/%d1%87%d0%b8%d1%81%d1%82%d0%ba%d0%b0-pe32-%d1%87%d0%b0%d1%81%d1%82%d1%8c-2/
  ,   ,  
https://ru-sfera.org/threads/chistka-ot-signaturnogo-detekta-antivirusov.2870/

      ,   .


 

   -    (   ).
   -   ,       -   .
  -       .

:
1.    :   ""     /    
2.        
3.       (    )    ""

          -.
   ,               .
,    .

     :
-     (" ")
-   .
   :
-      
-     

4.     :  (50%)   
5.      
6.   -    av_check()
7.  ?
- :       "",   ( 8)
- :
     1 ?
  - :   ,    ,  6
  - :   (50%)    ,  6
8.       ,  5
9.      ,  4

     unit-,  av_check()       .


USAGE

-i <input exe file>                     .  .
-m <input map file>                      .map.  .
-d <workdir>                            ,    .   .
-s <section>                              (.text, .data ...).   -s  ,  -s .text -s .data.
                                          .
-z <Minimum size threshold>                   ;   .   0 ( ).
-a defender|dyncheck                      .  ,  .
-f <functionmask>                          ,  .   -f  ,  -f symb1* -f symb2*
-M <modulename>                             .   -f  ,  -M module1* -M module2*

 -s, -z, -f, -M     ( ), ..   .


  -

      Windows Defender (Windows 10)  dyncheck.com  API.
   Powershell

*  Defender
# Shared state for driving one Windows Defender scan and matching its entries
# in the "Microsoft-Windows-Windows Defender/Operational" event log.
$Defender = @{
  #MALWAREPROTECTION_* event IDs of the Defender operational log
  SCAN_STARTED               = 1000   # scan began
  SCAN_COMPLETED             = 1001   # scan finished
  MALWARE_DETECTED           = 1006   # detection reported
  BEHAVIOR_DETECTED          = 1015   # behaviour-monitoring detection reported
  STATE_MALWARE_DETECTED     = 1116   # detection state recorded
  STATE_MALWARE_ACTION_TAKEN = 1117   # action taken on a detection (declared, not read in the excerpt shown)
  # Per-scan bookkeeping, filled in while a scan is in flight
  StartTime                  = $null  # lower bound applied to event TimeCreated when matching
  IsRunning                  = $false
  ScanProc                   = $null  # process object returned by Start-Process -PassThru
  ScanId                     = $null  # ScanId read from the SCAN_STARTED event of the current scan
  LastScanId                 = $null  # ScanId of the most recent scan that was started
}

*  Windows Defender
    # Launch a Defender custom scan (-ScanType 3) of the file held in $f; $f is
    # assigned outside this excerpt. -Wait is commented out, so the call returns
    # immediately and the process handle is kept for later polling.
    $Defender.ScanProc = Start-Process `
      -FilePath "$($env:programfiles)\Windows Defender\mpcmdrun.exe" `
      -ArgumentList '-Scan', '-ScanType 3', "-File $f" `
      -PassThru -NoNewWindow #-Wait
    # Taken after the launch and backdated by 5 s, presumably so an event stamped
    # just before this line still satisfies the TimeCreated -ge check — confirm.
    $Defender.StartTime = (Get-Date).AddSeconds(-5)
    $Defender.IsRunning = $true
*   ,    :
    # Find the SCAN_STARTED (1000) event raised since StartTime. The whole log is
    # read and filtered on the client side by Where-Object.
    $ScanStarted = Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" |
      Where-Object {
      $_.TimeCreated -ge $Defender.StartTime -and
      $_.Id -eq $Defender.SCAN_STARTED
    }
    if ($ScanStarted)
    {
      # $ScanId is an index into the event's Properties and is not defined in
      # this excerpt — presumably the position of the ScanId field; confirm.
      # NOTE(review): if more than one scan started since StartTime, $ScanStarted
      # holds several events and the index no longer selects one event's field —
      # TODO verify.
      $Defender.ScanId = $ScanStarted.Properties[$ScanId].Value
      $Defender.LastScanId = $Defender.ScanId
    }
*   :
  # Match the SCAN_COMPLETED (1001) event whose ScanId property equals the one
  # captured from SCAN_STARTED. $ScanId is the property index and is defined
  # outside this excerpt.
  $ScanCompleted = Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" |
    Where-Object {
    $_.TimeCreated -ge $Defender.StartTime -and
    $_.Id -eq $Defender.SCAN_COMPLETED -and
    $_.Properties[$ScanId].Value -eq $Defender.ScanId
  }
*    :
  $MalwareDetected = Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" |
    Where-Object {
    $_.TimeCreated -ge $Defender.StartTime -and
    $_.Id -in `
      $Defender.MALWARE_DETECTED, `
      $Defender.BEHAVIOR_DETECTED, `
      $Defender.STATE_MALWARE_DETECTED `

  ,   :
- Eset NOD32
- Kaspersky
- Norton Antivirus

 :
- Avast
