
PHP determines whether the exe file is normal_PHP tutorial

WBOY
2016-07-13 17:09:29


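<?php
// ExeInfo.php provides the PE_VIEWER class used below.
include "ExeInfo.php";
// Parse the PE headers of the target file.
$pe = new PE_VIEWER('cmd.exe');
// Print the parsed information as XML.
$pe->out();
?>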

1. Viruses are usually packed. The section names of a packed program are no longer the common .text, .data, .rdata, .rsrc, etc., but contain strings such as UPX or Aspack;
2. The entry point of a program is usually less than 10,000, and most are a little more than 1,000. If the entry point value is too large, the file is questionable;
3. Analyze the import table. A virus's KERNEL32.DLL import table usually contains only a few functions such as LoadLibrary and GetProcAddress.
Of course, these checks are not accurate: some hacker programs and programs that need to be kept confidential are also packed.
This script obtains the basic information of the exe file and outputs it in XML format. It currently does not include import table information. You can check the output to determine whether the exe file is normal.
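
The first two checks in the list above, applied directly to the PE headers, as an added example that is not the article's ExeInfo.php code. The function names, the constructed sample headers, and reading the article's 10,000 as a decimal value are assumptions.

```php
<?php
// Added example (not from ExeInfo.php): checks 1 and 2 applied to raw PE bytes.
// Marker strings and the 10,000 figure are the article's; it is read here as decimal.
const PACKER_MARKERS = ['UPX', 'ASPACK'];
const ENTRY_POINT_LIMIT = 10000;

function pe_triage(string $data): array
{
    if (strlen($data) < 0x40 || substr($data, 0, 2) !== 'MZ') {
        return ['not a PE file: no MZ header'];
    }
    $peOff = unpack('V', $data, 0x3C)[1];                 // e_lfanew
    if ($peOff + 24 > strlen($data) || substr($data, $peOff, 4) !== "PE\0\0") {
        return ['not a PE file: no PE signature'];
    }
    // COFF header: machine, section count, three skipped dwords, optional header size.
    $coff = unpack('vmachine/vsections/V3skip/voptsize', $data, $peOff + 4);
    $optOff = $peOff + 24;
    $secOff = $optOff + $coff['optsize'];
    if ($coff['optsize'] < 20 || $secOff + 40 * $coff['sections'] > strlen($data)) {
        return ['truncated or malformed PE headers'];
    }
    $findings = [];
    $entry = unpack('V', $data, $optOff + 16)[1];         // AddressOfEntryPoint
    if ($entry >= ENTRY_POINT_LIMIT) {
        $findings[] = sprintf('entry point 0x%X is unusually large', $entry);
    }
    for ($i = 0; $i < $coff['sections']; $i++) {
        // Each section header is 40 bytes; the name is the first 8, NUL-padded.
        $name = rtrim(substr($data, $secOff + 40 * $i, 8), "\0");
        foreach (PACKER_MARKERS as $marker) {
            if (stripos($name, $marker) !== false) {
                $findings[] = "section '$name' looks like a $marker packer section";
            }
        }
    }
    return $findings;
}

// Constructed sample input: a minimal 32-bit PE header with the given section names.
function build_sample_pe(array $names, int $entry): string
{
    $dos  = 'MZ' . str_repeat("\0", 0x3A) . pack('V', 0x40);   // e_lfanew = 0x40
    $coff = pack('vvVVVvv', 0x14C, count($names), 0, 0, 0, 0xE0, 0x102);
    $opt  = str_pad(pack('v', 0x10B) . str_repeat("\0", 14) . pack('V', $entry), 0xE0, "\0");
    $secs = implode('', array_map(fn($n) => str_pad($n, 40, "\0"), $names));
    return $dos . "PE\0\0" . $coff . $opt . $secs;
}

print_r(pe_triage(build_sample_pe(['.text', '.rdata', '.data', '.rsrc'], 0x1000)));
print_r(pe_triage(build_sample_pe(['UPX0', 'UPX1', '.rsrc'], 0x2B5C0)));
```

The first sample returns no findings; the second is flagged for its entry point and for both UPX sections. To triage a real file, pass `file_get_contents($path)` to `pe_triage()`.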
