Thread: How to develop a scanner/disinfector?

  1. #1
    Junior Member
    Join Date
    Apr 2005
    Posts
    4

    How to develop a scanner/disinfector?

    Hello gang,
    I must say this is a very resourceful place that I'm glad to have found!
    I'm a newbie to the security/antivirus area (aside from being able to use one, of course) and as a school project I need to create a program that will disinfect one specific virus using a simple pattern matching technique. I ran into the open source ClamAV and have been reading about how to create signature files and add them to its db, and it doesn't seem too bad even for a newbie like myself.
    But what I would like to be able to do is develop a standalone utility that will scan for a specific virus (just one strain for simplicity) and disinfect/remove it. There are tons of these types of utilities out there but I couldn't find any decent tutorial/documentation that could help me. I would appreciate any references or advice you may throw at me.

    Thanks in advance!
    Nick

  2. #2
    Senior Member
    Join Date
    Aug 2002
    Posts
    547
    Well, first of all, welcome to AO.
    You say that you need to create a removal tool for a specific virus; well, what I recommend is that you find the virus that you're interested in working with, and learn the infection methods that the virus uses, among other information like:

    *Registry keys that the virus changes/creates/deletes
    *Whether the virus creates copies of itself, and where they are hidden
    *Start-up method
    *Payload
    *If the payload damages or replaces system files, which ones they are

    I did a similar project in HS. I made a VBS file that changed the IE home page, displayed a message every time the computer was turned on, made copies of itself in several folders with different names, etc. And I also made another VBS file that undid everything: deleted the registry entries and the copies of the file. And I wrote a report that explained both files, and dissected and explained the code as well. I'm a little bit buzzed right now. If you need help and think that I can help you, send me a message.

    Oh, by the way, do you have any coding experience?
    And I almost forgot: most of the newer AVs detect many scripts as malicious.

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Maybe I am a bit old-school, but viruses can be hidden in
    any executable. Maybe they create a registry key,
    so scanning for them is an idea (have a look at this
    thread[1] for how to scan the registry using c/c++).
    In addition to GrApHiCTrOn's advice -

    I assume, that you have some basic knowledge of some
    programming language. I also guess, you want to scan
    files for simple virus signatures (a fixed set of
    bytes), without some polymorphic behaviour?

    Then, why not scan the hard disk(s) for executables,
    like (exe, com, scr, ...) using FindFirst/FindNext,
    open them (e.g. ifstream) as binaries, jump to the
    assumed position and compare byte for byte with
    the "signature"? This sounds more horrible than it
    is - it can be implemented quite efficiently.

    Cheers.

    [1] http://www.antionline.com/showthread...light=registry
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
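    An added example (not code from the thread or from any of its posters) of the fixed-byte scan sec_ware describes: walk the disk for executable extensions, open each file as binary, jump to an assumed offset and compare byte for byte. std::filesystem (C++17) stands in for FindFirst/FindNext, `find_signature` generalises the check to an unknown offset, and the signature bytes and offset are constructed placeholders, not any real virus's signature.

```cpp
#include <cctype>
#include <cstddef>
#include <filesystem>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <vector>

using Bytes = std::vector<unsigned char>;

// Read a whole file as raw bytes (binary mode, so no newline translation).
Bytes read_binary(const std::filesystem::path& p) {
    std::ifstream in(p, std::ios::binary);
    return Bytes(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}
// Compare byte for byte at a fixed offset: the "jump to the assumed position" check.
// Bounds are checked first so a short or truncated file can never be read past its end.
bool matches_at(const Bytes& data, std::size_t offset, const Bytes& sig) {
    if (sig.empty() || offset > data.size() || sig.size() > data.size() - offset) return false;
    for (std::size_t i = 0; i < sig.size(); ++i)
        if (data[offset + i] != sig[i]) return false;
    return true;
}
// Generalisation: locate the signature anywhere in the file (-1 if absent).
long find_signature(const Bytes& data, const Bytes& sig) {
    if (sig.empty() || sig.size() > data.size()) return -1;
    for (std::size_t off = 0; off + sig.size() <= data.size(); ++off)
        if (matches_at(data, off, sig)) return static_cast<long>(off);
    return -1;
}
// Only look at the executable extensions named in the post (case-insensitive).
bool is_executable_ext(const std::filesystem::path& p) {
    std::string e = p.extension().string();
    for (auto& c : e) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return e == ".exe" || e == ".com" || e == ".scr";
}
// Scan a directory tree; returns the paths of files whose bytes match at `offset`.
std::vector<std::string> scan_dir(const std::filesystem::path& root, std::size_t offset, const Bytes& sig) {
    std::vector<std::string> hits;
    for (const auto& entry : std::filesystem::recursive_directory_iterator(root)) {
        if (!entry.is_regular_file() || !is_executable_ext(entry.path())) continue;
        if (matches_at(read_binary(entry.path()), offset, sig)) hits.push_back(entry.path().string());
    }
    return hits;
}
int main(int argc, char** argv) {
    const Bytes sig = {0xDE, 0xAD, 0xBE, 0xEF};  // constructed placeholder signature; offset 0x40 is a placeholder too
    for (const auto& hit : scan_dir(argc > 1 ? argv[1] : ".", 0x40, sig)) std::cout << "match: " << hit << '\n';
}
```

Disinfection (restoring the original bytes) is a separate step that depends on how the specific virus modified the host, which is exactly the information GrApHiCTrOn's list asks you to gather first.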

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    The king of pattern matching is PERL. Write a small util that can remove an old virus that has a static payload. Once you're done, run it through PERL2EXE and presto, you have a portable scanner that will run on boxes w/o having to install PERL. Yes, this works wonderfully.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Junior Member
    Join Date
    Apr 2005
    Posts
    4
    Thanks for the insights guys, you have really shone some light in the tunnel.

    GrApHiCTrOn, I don't think VBS would cut it because I expect this utility to be run on an environment that may have an AV software running.

    As far as my programming experience goes, I have a decent knowledge of Java, and still remember C++ from a few years ago. But I'm pretty sure I can pick up any language that proves to be efficient.

    Originally posted here by sec_ware

    I also guess, you want to scan
    files for simple virus signatures (a fixed set of
    bytes), without some polymorphic behaviour?
    This is exactly what I had in mind since pattern matching doesn't work on a polymorphic virus.

    Originally posted here by sec_ware

    Maybe I am a bit old-school, but viri can be hidden in
    any executable. Maybe they create a registry key,
    so scanning for them is an idea (have a look at this
    thread[1] for how to scan the registry using c/c++)
    This is exactly how I imagined it as well, I know I would need to search the actual files and clean them and also need to correct any modifications done to the registry. I'm guessing scanning the registry would have to be done by means other than VBS since that would upset most AV programs although it is extremely simple that way.

    Originally posted here by thehorse13
    The king of pattern matching is PERL. Write a small util that can remove an old virus that has a static payload.
    From what I gathered after reading this, I think I will end up going with the Perl route. One thing I am not clear on is, would I not need a parser for each file format (i.e. exe, com, bat...) that will be scanned so that the utility knows what it's looking at? Any ideas here would help because I'm feeling clueless.

    Thanks again everybody for your inputs!

  6. #6
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    Most AVs, like Kaspersky and Norton and some others, can detect most Windows programs that require access to the internet. (I think that it is a standard code string, or a few of them, from different compilers.)

    Scripts may often use copy/move/delete functions (most important, I think, is that the script is not directed at the "Windows install folders" and is not doing operations on "dll, exe, and other executables", not writing to a socket or the "IE registry" and "Outlook registry", and not creating other scripts).

    To protect Windows "standard" files you can use a pattern of known good files (name, size or checksum). I think that it is a faster way to detect damaged/infected/replaced Windows files, something like "sfc /scannow" and the CD.

    ----
    I was also thinking about creating something like this but I have no time.....
    ----

    good luck
    // too far away outside of limit

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    To protect Windows "standard" files you can use a pattern of known good files (name, size or checksum). I think that it is a faster way to detect damaged/infected/replaced Windows files, something like "sfc /scannow" and the CD.
    Ahh... So you are saying that every time windows updates you'll get a "virus" alert? OK... that seems reasonable...

    You don't seem to know how things work.... Until you do it might be a _really_ good idea to keep your knowledge and experience a secret... 'kay?

    "Name" will produce a failure when you try to access a known named file....

    "Size" is irrelevant.... trust me on that....

    "Checksum" is so easily subverted it's not true....

    Try Googling SHA1 or SHA2 or a simple MD5 hash.... then you are going down the right road....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    For a fast scan it can work (some AVs do).
    No, but it is good to notice changes in the system files before using virus patterns; if changes have been detected, the pattern for the virus can be used. It makes the AV faster; it is not necessary to restore files if the "version" mismatches, with AV.

    For a full scan just patterns of viruses can be used.
    ---------------------------------------

    Is it good/effective to detect files with the same names or the same "body" in different startup locations in the registry?

    Is it good/effective to detect files with the same names or the same "body" that are already running from different locations?
    // too far away outside of limit

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    LOL, MrBabis, have you been in the sauce? I thought that teachers can't drink on the job.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    Junior Member
    Join Date
    Apr 2005
    Posts
    4
    Is it possible to do binary comparison using Perl (as opposed to string comparison)? I was thinking of opening each type of file (exe, com, bat...) and comparing the assembly code to the binary signature.
